PC World 2004 December

home *** CD-ROM | disk | FTP | other *** search

/ PC World 2004 December / PCWorld_2004-12_cd.bin / software / temacd / tiny / tf6pro-6[1].0.140.exe / Tiny Firewall Pro 6.0.msi / IDS.xml < prev next >

Wrap

Extensible Markup Language | 2004-08-03 | 1.3 MB | 8,174 lines

Text Truncated. Only the first 1MB is shown below. Download the file for the complete contents. ■<?xml version="1.0" encoding="UTF-16" standalone="no"?> <SecDb xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="IDS.xsd"> <VersionInfo major="2"/> <Module id="IDS"/> <Globals> <Property id="SomeID" type="int">1</Property> </Globals> <Definitions> <Object ot="ipaddress" id="all"> <Item>*</Item> </Object> <Object ot="ipaddress" id="external_net"> <Item>*</Item> </Object> <Object ot="ipaddress" id="home_net"> <Item>0.0.0.0</Item> <Item>10.0.0.0/255.0.0.0</Item> <Item>172.16.0.0/255.240.0.0</Item> <Item>192.168.0.0/255.255.0.0</Item> </Object> <Object ot="ipaddress" id="smtp_servers"> <Item>10.0.0.0/255.0.0.0</Item> <Item>172.16.0.0/255.240.0.0</Item> <Item>192.168.0.0/255.255.0.0</Item> </Object> <Object ot="ipaddress" id="http_servers"> <Item>10.0.0.0/255.0.0.0</Item> <Item>172.16.0.0/255.240.0.0</Item> <Item>192.168.0.0/255.255.0.0</Item> </Object> <Object ot="ipaddress" id="sql_servers"> <Item>10.0.0.0/255.0.0.0</Item> <Item>172.16.0.0/255.240.0.0</Item> <Item>192.168.0.0/255.255.0.0</Item> </Object> <Object ot="ipaddress" id="telnet_servers"> <Item>10.0.0.0/255.0.0.0</Item> <Item>172.16.0.0/255.240.0.0</Item> <Item>192.168.0.0/255.255.0.0</Item> </Object> <Object ot="ipaddress" id="aim_servers"> <Item>64.12.24.0-64.12.24.255</Item> <Item>64.12.25.0-64.12.25.255</Item> <Item>64.12.26.0-64.12.26.255</Item> <Item>64.12.28.0-64.12.28.255</Item> <Item>64.12.29.0-64.12.29.255</Item> <Item>64.12.161.0-64.12.161.255</Item> <Item>64.12.163.0-64.12.163.255</Item> <Item>205.188.5.0-205.188.5.255</Item> <Item>205.188.9.0-205.188.9.255</Item> </Object> <Object ot="ipaddress" id="loopback"> <Item>127.0.0.0-127.255.255.255</Item> </Object> <Object ot="ipaddress" id="broadcast"> <Item>255.255.255.255</Item> </Object> <Object ot="ipaddress" id="multicast"> <Item>232.0.0.0-232.255.255.255</Item> <Item>233.0.0.0-233.255.255.255</Item> <Item>239.0.0.0-239.255.255.255</Item> </Object> <Object ot="ipaddress" id="address of DDOS Stacheldraht server spoof address"> <Item>3.3.3.3</Item> </Object> <Object ot="ipaddress" id="address of BACKDOOR Q access"> <Item>255.255.255.0-255.255.255.255</Item> </Object> <Object ot="ipaddress" id="address of MULTIMEDIA audio galaxy keepalive"> <Item>64.245.58.0-64.245.59.255</Item> </Object> <Object ot="ipaddress" id="address of POLICY poll.gotomypc.com access"> <Item>63.251.224.177</Item> </Object> <Object ot="ipaddress" id="address of BACKDOOR fragroute trojan connection attempt"> <Item>216.80.99.202</Item> </Object> <Object ot="ipaddress" id="address of BACKDOOR TCPDUMP/PCAP trojan traffic"> <Item>212.146.0.34</Item> </Object> </Definitions> <RuleList name="backdoor.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="27374" name="BACKDOOR subseven 22" sid="412" enabled="0"> <Token id="content" type="str">\r\n[RPL]002\r\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2589" remport="1024-65535" name="BACKDOOR - Dagger_1.4.0_client_connect" sid="416" enabled="0"> <Token id="content" type="str" depth="16">\v\0\0\0\a\0\0\0Connect</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2589" remport="1024-65535" name="BACKDOOR - Dagger_1.4.0" sid="420" enabled="0"> <Token id="content" type="str" depth="16">2\0\0\0\x06\0\0\0Drives$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1054" remport="80" name="BACKDOOR ACKcmdC trojan scan" sid="424" enabled="0"> <Token id="tcp_ack" type="int">101058054</Token> <Token id="tcp_flg" type="str" mask="12">A</Token> <Token id="tcp_seq" type="int">101058054</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="16959" remport="*" name="BACKDOOR subseven DEFCON8 2.1 access" sid="428" enabled="0"> <Token id="content" type="str">PWD</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7597" remport="*" name="BACKDOOR QAZ Worm Client Login access" sid="432" enabled="0"> <Token id="content" type="str">qazwsx.hsq</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="12345-12346" remport="*" name="BACKDOOR netbus active" sid="436" enabled="0"> <Token id="content" type="str">NetBus</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="12345-12346" remport="*" name="BACKDOOR netbus getinfo" sid="440" enabled="0"> <Token id="content" type="str">GetInfo\r</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="20034" remport="*" name="BACKDOOR netbus active" sid="460" enabled="0"> <Token id="content" type="str">NetBus</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="146" remport="1024-65535" name="BACKDOOR Infector.1.x" sid="468" enabled="0"> <Token id="content" type="str">WHATISIT</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="666" remport="1024-65535" name="BACKDOOR SatansBackdoor.2.0.Beta" sid="472" enabled="0"> <Token id="content" type="str">Remote: You are connected to me.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="6789" remport="*" name="BACKDOOR Doly 2.0 access" sid="476" enabled="0"> <Token id="content" type="str" depth="32">Wtzup Use</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="146" remport="1000-1300" name="BACKDOOR Infector 1.6 Server to Client" sid="480" enabled="0"> <Token id="content" type="str">WHATISIT</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="146" remport="1000-1300" name="BACKDOOR Infector 1.6 Client to Server Connection Request" sid="484" enabled="0"> <Token id="content" type="str">FC </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="31785" remport="*" name="BACKDOOR HackAttack 1.20 Connect" sid="564" enabled="0"> <Token id="content" type="str">host</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21554" remport="!80" name="BACKDOOR GirlFriendaccess" sid="580" enabled="0"> <Token id="content" type="str">Girl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="30100" remport="*" name="BACKDOOR NetSphere access" sid="584" enabled="0"> <Token id="content" type="str">NetSphere</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="6969" remport="*" name="BACKDOOR GateCrasher" sid="588" enabled="0"> <Token id="content" type="str">GateCrasher</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="5401-5402" remport="*" name="BACKDOOR BackConstruction 2.1 Connection" sid="608" enabled="0"> <Token id="content" type="str">c:\\</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="23476" remport="*" name="BACKDOOR DonaldDick 1.53 Traffic" sid="612" enabled="0"> <Token id="content" type="str">pINg</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="30100-30102" remport="*" name="BACKDOOR NetSphere 1.31.337 access" sid="620" enabled="0"> <Token id="content" type="str">NetSphere</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="666" remport="*" name="BACKDOOR BackConstruction 2.1 Client FTP Open Request" sid="628" enabled="0"> <Token id="content" type="str">FTPON</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="666" remport="*" name="BACKDOOR BackConstruction 2.1 Server FTP Open Reply" sid="632" enabled="0"> <Token id="content" type="str">FTP Port open</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="5032" remport="*" name="BACKDOOR NetMetro File List" sid="636" enabled="0"> <Token id="content" type="str">--</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="3345" remport="3344" name="BACKDOOR Matrix 2.0 Client connect" sid="644" enabled="0"> <Token id="content" type="str">activate</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="3344" remport="3345" name="BACKDOOR Matrix 2.0 Server access" sid="648" enabled="0"> <Token id="content" type="str">logged in</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="5714" remport="*" name="BACKDOOR WinCrash 1.0 Server Active" sid="652" enabled="0"> <Token id="tcp_flg" type="str" mask="12">SA</Token> <Token id="content" type="str">\xB4\xB4</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="address of BACKDOOR Q access" name="BACKDOOR SIGNATURE - Q ICMP" sid="732" enabled="0"> <Token id="dsize" type="int" rel="greater">1</Token> <Token id="icmp_type" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="address of BACKDOOR Q access" locport="*" remport="*" name="BACKDOOR Q access" sid="736" enabled="0"> <Token id="dsize" type="int" rel="greater">1</Token> <Token id="tcp_flg" type="str">A+</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="BACKDOOR CDK" sid="740" enabled="0"> <Token id="content" type="str" depth="15" nocase="1">ypi0ca</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="2140" remport="*" name="BACKDOOR DeepThroat 3.1 Server Response" sid="780" enabled="0"> <Token id="content" type="str">Ahhhh My Mouth Is Open</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="555" remport="*" name="BACKDOOR PhaseZero Server Active on Network" sid="832" enabled="0"> <Token id="content" type="str">phAse</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR w00w00 attempt" sid="836" enabled="0"> <Token id="content" type="str">w00w00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR attempt" sid="840" enabled="0"> <Token id="content" type="str" nocase="1">backdoor</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC r00t attempt" sid="844" enabled="0"> <Token id="content" type="str">r00t</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC rewt attempt" sid="848" enabled="0"> <Token id="content" type="str">rewt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC Linux rootkit attempt" sid="852" enabled="0"> <Token id="content" type="str">wh00t!</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC Linux rootkit attempt lrkr0x" sid="856" enabled="0"> <Token id="content" type="str">lrkr0x</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC Linux rootkit attempt" sid="860" enabled="0"> <Token id="content" type="str" nocase="1">d13hh[</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC Linux rootkit satori attempt" sid="864" enabled="0"> <Token id="content" type="str">satori</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC sm4ck attempt" sid="868" enabled="0"> <Token id="content" type="str">hax0r</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR MISC Solaris 2.5 attempt" sid="872" enabled="0"> <Token id="content" type="str">friday</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR HidePak backdoor attempt" sid="876" enabled="0"> <Token id="content" type="str">StoogR</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="BACKDOOR HideSource backdoor attempt" sid="880" enabled="0"> <Token id="content" type="str">wank</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="31789" remport="31790" name="BACKDOOR hack-a-tack attempt" sid="2456" enabled="0"> <Token id="tcp_flg" type="str">A+</Token> <Token id="content" type="str" depth="1">A</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="address of BACKDOOR fragroute trojan connection attempt" name="BACKDOOR fragroute trojan connection attempt" sid="7164" enabled="0"/> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="address of BACKDOOR fragroute trojan connection attempt" remaddr_id="all" name="BACKDOOR fragroute trojan connection attempt" sid="7165" enabled="0"/> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="33270" remport="*" name="BACKDOOR trinity connection attempt" sid="7372" enabled="0"> <Token id="content" type="str" depth="3">!@#</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="35555" remport="*" name="BACKDOOR win-trin00 connection attempt" sid="7412" enabled="0"> <Token id="content" type="str" depth="14">png []..Ks l44</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="address of BACKDOOR TCPDUMP/PCAP trojan traffic" locport="*" remport="1963" name="BACKDOOR TCPDUMP/PCAP trojan traffic" sid="7716" enabled="0"/> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="address of BACKDOOR TCPDUMP/PCAP trojan traffic" remaddr_id="all" locport="1963" remport="*" name="BACKDOOR TCPDUMP/PCAP trojan traffic" sid="7717" enabled="0"/> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="2140" remport="*" name="BACKDOOR DeepThroat 3.1 Connection attempt" sid="7920" enabled="0"> <Token id="content" type="str" depth="2">00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="3150" remport="*" name="BACKDOOR DeepThroat 3.1 Connection attempt [3150]" sid="7924" enabled="0"> <Token id="content" type="str" depth="2">00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="3150" remport="*" name="BACKDOOR DeepThroat 3.1 Server Response [3150]" sid="7928" enabled="0"> <Token id="content" type="str">Ahhhh My Mouth Is Open</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="4120" remport="*" name="BACKDOOR DeepThroat 3.1 Connection attempt [4120]" sid="7932" enabled="0"> <Token id="content" type="str" depth="2">00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="4120" remport="*" name="BACKDOOR DeepThroat 3.1 Server Response [4120]" sid="7936" enabled="0"> <Token id="content" type="str">Ahhhh My Mouth Is Open</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1094" name="BACKDOOR Doly 1.5 server response" sid="7940" enabled="0"> <Token id="content" type="str">Connected.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="BACKDOOR SubSeven 2.1 Gold server connection response" sid="8400" enabled="0"> <Token id="content" type="str" depth="22">connected. time/date: </Token> <Token id="content" type="str" distance="1">version: GOLD 2.1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="34012" remport="*" name="BACKDOOR Remote PC Access connection attempt" sid="8496" enabled="0"> <Token id="content" type="str" depth="12">(\0\x01\0\x04\0\0\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="BACKDOOR typot trojan traffic" sid="8728" enabled="0"> <Token id="tcp_flg" type="str" mask="12">S</Token> <Token id="tcp_window" type="int">55808</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="BACKDOOR FsSniffer connection attempt" sid="9084" enabled="0"> <Token id="content" type="str">RemoteNC Control Password:</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3127-3199" remport="*" name="BACKDOOR DoomJuice file upload attempt" sid="9500" enabled="0"> <Token id="content" type="str" depth="5">\x85\x13<\x9E\xA2</Token> </Rule> </RuleList> <RuleList name="ftp.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP ADMw0rm ftp login attempt" sid="576"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="content" type="str" distance="1" nocase="1">w0rm</Token> <Token id="pcre" type="str">=/^USER\s+w0rm/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP .forward" sid="1336"> <Token id="content" type="str">.forward</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP .rhosts" sid="1340"> <Token id="content" type="str">.rhosts</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP CWD ~root attempt" sid="1344"> <Token id="content" type="str" nocase="1">CWD</Token> <Token id="content" type="str" distance="1" nocase="1">~root</Token> <Token id="pcre" type="str">=/^CWD\s+~root/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP CEL overflow attempt" sid="1348"> <Token id="content" type="str" nocase="1">CEL</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^CEL\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP adm scan" sid="1412"> <Token id="content" type="str">PASS ddd@\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP iss scan" sid="1416"> <Token id="content" type="str">pass -iss@iss</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP pass wh00t" sid="1420"> <Token id="content" type="str" nocase="1">pass wh00t</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP passwd retrieval attempt" sid="1424"> <Token id="content" type="str" nocase="1">RETR</Token> <Token id="content" type="str">passwd</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP piss scan" sid="1428"> <Token id="content" type="str">pass -cklaus</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP saint scan" sid="1432"> <Token id="content" type="str">pass -saint</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP satan scan" sid="1436"> <Token id="content" type="str">pass -satan</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP serv-u directory transversal" sid="1440"> <Token id="content" type="str" nocase="1">.%20.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE EXEC attempt" sid="1444"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="0" nocase="1">EXEC</Token> <Token id="pcre" type="str">=/^SITE\s+EXEC/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP tar parameters" sid="1448"> <Token id="content" type="str" nocase="1"> --use-compress-program </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP CWD ..." sid="4916"> <Token id="content" type="str" nocase="1">CWD</Token> <Token id="content" type="str" distance="0">...</Token> <Token id="pcre" type="str">=/^CWD\s[^\n]*?\.\.\./smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP wu-ftp bad file completion attempt [" sid="5508"> <Token id="content" type="str">~</Token> <Token id="content" type="str" distance="1">[</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP wu-ftp bad file completion attempt {" sid="5512"> <Token id="content" type="str">~</Token> <Token id="content" type="str" distance="1">{</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP STAT overflow attempt" sid="5516"> <Token id="content" type="str" nocase="1">STAT</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^STAT\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE overflow attempt" sid="6116"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^SITE\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP format string attempt" sid="6120"> <Token id="content" type="str" nocase="1">%p</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE CHOWN overflow attempt" sid="6248"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="0" nocase="1">CHOWN</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^SITE\s+CHOWN\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP CMD overflow attempt" sid="6484"> <Token id="content" type="str" nocase="1">CMD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^CMD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP RNFR ././ attempt" sid="6488"> <Token id="content" type="str" nocase="1">RNFR </Token> <Token id="content" type="str" nocase="1"> ././</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP invalid MODE" sid="6492"> <Token id="content" type="str" nocase="1">MODE</Token> <Token id="pcre" type="str">=/^MODE\s+[^ABSC]{1}/msi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP large PWD command" sid="6496"> <Token id="dsize" type="int">10</Token> <Token id="content" type="str" nocase="1">PWD</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP large SYST command" sid="6500"> <Token id="dsize" type="int">10</Token> <Token id="content" type="str" nocase="1">SYST</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP CWD ~ attempt" sid="6688"> <Token id="content" type="str">CWD</Token> <Token id="pcre" type="str">=/^CWD\s+~/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP USER overflow attempt" sid="6936"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^USER\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP command overflow attempt" sid="6992"> <Token id="dsize" type="int" rel="greater">100</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP EXPLOIT STAT * dos attempt" sid="7108"> <Token id="content" type="str" nocase="1">STAT</Token> <Token id="content" type="str" distance="1">*</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP EXPLOIT STAT ? dos attempt" sid="7112"> <Token id="content" type="str" nocase="1">STAT</Token> <Token id="content" type="str" distance="1">?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE NEWER attempt" sid="7456"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="1" nocase="1">NEWER</Token> <Token id="pcre" type="str">=/^SITE\s+NEWER/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE CPWD overflow attempt" sid="7552"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="0" nocase="1">CPWD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^SITE\s+CPWD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP CWD overflow attempt" sid="7676"> <Token id="content" type="str" nocase="1">CWD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^CWD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE NEWER overflow attempt" sid="7680"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="0" nocase="1">NEWER</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^SITE\s+NEWER\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE ZIPCHK overflow attempt" sid="7684"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="1" nocase="1">ZIPCHK</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^SITE\s+ZIPCHK\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP authorized_keys" sid="7708"> <Token id="content" type="str">authorized_keys</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP shadow retrieval attempt" sid="7712"> <Token id="content" type="str" nocase="1">RETR</Token> <Token id="content" type="str">shadow</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP RMDIR overflow attempt" sid="7768"> <Token id="content" type="str" nocase="1">RMDIR</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^RMDIR\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE EXEC format string attempt" sid="7884"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="0" nocase="1">EXEC</Token> <Token id="pcre" type="str">=/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP PASS overflow attempt" sid="7888"> <Token id="content" type="str" nocase="1">PASS</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^PASS\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP MKD overflow attempt" sid="7892"> <Token id="content" type="str" nocase="1">MKD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^MKD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP REST overflow attempt" sid="7896"> <Token id="content" type="str" nocase="1">REST</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^REST\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP DELE overflow attempt" sid="7900"> <Token id="content" type="str" nocase="1">DELE</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^DELE\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP RMD overflow attempt" sid="7904"> <Token id="content" type="str" nocase="1">RMD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^RMD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP LIST directory traversal attempt" sid="7968"> <Token id="content" type="str">LIST</Token> <Token id="content" type="str" distance="1">..</Token> <Token id="content" type="str" distance="1">..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP CWD Root directory transversal attempt" sid="8500"> <Token id="content" type="str" nocase="1">CWD</Token> <Token id="content" type="str" distance="1">C:\\</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP USER format string attempt" sid="8712"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="pcre" type="str">=/^USER\s[^\n]*?%[^\n]*?%/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP PASS format string attempt" sid="8716"> <Token id="content" type="str" nocase="1">PASS</Token> <Token id="pcre" type="str">=/^PASS\s[^\n]*?%[^\n]*?%/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP LIST integer overflow attempt" sid="9088"> <Token id="content" type="str" nocase="1">LIST</Token> <Token id="pcre" type="str">=/^LIST\s+\x22-W\s+\d+/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP MKDIR format string attempt" sid="9328"> <Token id="content" type="str" nocase="1">MKDIR</Token> <Token id="pcre" type="str">=/^MKDIR\s[^\n]*?%[^\n]*?%/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP RENAME format string attempt" sid="9332"> <Token id="content" type="str" nocase="1">RENAME</Token> <Token id="pcre" type="str">=/^RENAME\s[^\n]*?%[^\n]*?%/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3535" remport="*" name="FTP Yak! FTP server default account login attempt" sid="9336"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="content" type="str" nocase="1">y049575046</Token> <Token id="pcre" type="str">=/^USER\s+y049575046/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3535" remport="*" name="FTP RMD / attempt" sid="9340"> <Token id="content" type="str" nocase="1">RMD</Token> <Token id="pcre" type="str">=/^RMD\s+\x2f$/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP LIST buffer overflow attempt" sid="9352"> <Token id="content" type="str" nocase="1">LIST</Token> <Token id="pcre" type="str">=/^LIST\s[^\n]{100,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP SITE CHMOD overflow attempt" sid="9360"> <Token id="content" type="str" nocase="1">SITE</Token> <Token id="content" type="str" distance="0" nocase="1">CHMOD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^SITE\s+CHMOD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP STOR overflow attempt" sid="9372"> <Token id="content" type="str" nocase="1">STOR</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^STOR\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP XCWD overflow attempt" sid="9376"> <Token id="content" type="str" nocase="1">XCWD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^XCWD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP XMKD overflow attempt" sid="9492"> <Token id="content" type="str" nocase="1">XMKD</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^XMKD\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP NLST overflow attempt" sid="9496"> <Token id="content" type="str" nocase="1">NLST</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^NLST\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP RNTO overflow attempt" sid="9556"> <Token id="content" type="str" nocase="1">RNTO</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^RNTO\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP STOU overflow attempt" sid="9560"> <Token id="content" type="str" nocase="1">STOU</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^STOU\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP APPE overflow attempt" sid="9564"> <Token id="content" type="str" nocase="1">APPE</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^APPE\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP RETR overflow attempt" sid="9568"> <Token id="content" type="str" nocase="1">RETR</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^RETR\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP invalid MDTM command attempt" sid="9664"> <Token id="content" type="str" nocase="1">MDTM</Token> <Token id="pcre" type="str">=/^MDTM \d+[-+]\D/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP format string attempt" sid="9668"> <Token id="content" type="str">%</Token> <Token id="pcre" type="str">=/\s+.*?%.*?%/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP ALLO overflow attempt" sid="9796"> <Token id="content" type="str" nocase="1">ALLO</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^ALLO\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="FTP MDTM overflow attempt" sid="10184"> <Token id="content" type="str" nocase="1">MDTM</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^MDTM\s[^\n]{100}/smi</Token> </Rule> </RuleList> <RuleList name="ddos.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS TFN Probe" sid="884"> <Token id="ip_id" type="int">678</Token> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str">1234</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS tfn2k icmp possible communication" sid="888"> <Token id="echo_id" type="int">0</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">AAAAAAAAAA</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="31335" remport="*" name="DDOS Trin00 Daemon to Master PONG message detected" sid="892"> <Token id="content" type="str">PONG</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="address of DDOS Stacheldraht server spoof address" remaddr_id="external_net" name="DDOS Stacheldraht server spoof" sid="896"> <Token id="echo_id" type="int">666</Token> <Token id="icmp_type" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht gag server response" sid="900"> <Token id="echo_id" type="int">669</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">sicken</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht server response" sid="904"> <Token id="echo_id" type="int">667</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">ficken</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht client spoofworks" sid="908"> <Token id="echo_id" type="int">1000</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">spoofworks</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS TFN client command BE" sid="912"> <Token id="echo_id" type="int">456</Token> <Token id="echo_seq" type="int">0</Token> <Token id="icmp_type" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht client check skillz" sid="916"> <Token id="echo_id" type="int">666</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">skillz</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="20432" remport="*" name="DDOS shaft client to handler" sid="920"/> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="31335" remport="*" name="DDOS Trin00 Daemon to Master message detected" sid="924"> <Token id="content" type="str">l44</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="31335" remport="*" name="DDOS Trin00 Daemon to Master *HELLO* message detected" sid="928"> <Token id="content" type="str">*HELLO*</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="27665" remport="*" name="DDOS Trin00 Attacker to Master default startup password" sid="932"> <Token id="content" type="str">betaalmostdone</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="27665" remport="*" name="DDOS Trin00 Attacker to Master default password" sid="936"> <Token id="content" type="str">gOrave</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="27665" remport="*" name="DDOS Trin00 Attacker to Master default mdie password" sid="940"> <Token id="content" type="str">killme</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht client check gag" sid="944"> <Token id="echo_id" type="int">668</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">gesundheit!</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="27444" remport="*" name="DDOS Trin00 Master to Daemon default password attempt" sid="948"> <Token id="content" type="str">l44adsl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS TFN server response" sid="952"> <Token id="echo_id" type="int">123</Token> <Token id="echo_seq" type="int">0</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">shell bound to port</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="18753" remport="*" name="DDOS shaft handler to agent" sid="956"> <Token id="content" type="str">alive tijgu</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="20433" remport="*" name="DDOS shaft agent to handler" sid="960"> <Token id="content" type="str">alive</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="DDOS shaft synflood" sid="964"> <Token id="tcp_flg" type="str" mask="12">S</Token> <Token id="tcp_seq" type="int">674711609</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="DDOS shaft synflood" sid="965"> <Token id="tcp_flg" type="str" mask="12">S</Token> <Token id="tcp_seq" type="int">674711609</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="6838" remport="*" name="DDOS mstream agent to handler" sid="972"> <Token id="content" type="str">newserver</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="10498" remport="*" name="DDOS mstream handler to agent" sid="976"> <Token id="content" type="str">stream/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="10498" remport="*" name="DDOS mstream handler ping to agent" sid="980"> <Token id="content" type="str">ping</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="10498" remport="*" name="DDOS mstream agent pong to handler" sid="984"> <Token id="content" type="str">pong</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="12754" remport="*" name="DDOS mstream client to handler" sid="988"> <Token id="content" type="str">></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="12754" remport="*" name="DDOS mstream handler to client" sid="992"> <Token id="content" type="str">></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="15104" remport="*" name="DDOS mstream client to handler" sid="996"> <Token id="tcp_flg" type="str" mask="12">S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="15104" remport="*" name="DDOS mstream handler to client" sid="1000"> <Token id="content" type="str">></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS - TFN client command LE" sid="1004"> <Token id="echo_id" type="int">51201</Token> <Token id="echo_seq" type="int">0</Token> <Token id="icmp_type" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht handler->agent niggahbitch" sid="7416"> <Token id="echo_id" type="int">9015</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">niggahbitch</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht handler->agent niggahbitch" sid="7417"> <Token id="echo_id" type="int">9015</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">niggahbitch</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht agent->handler skillz" sid="7420"> <Token id="echo_id" type="int">6666</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">skillz</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht agent->handler skillz" sid="7421"> <Token id="echo_id" type="int">6666</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">skillz</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht handler->agent ficken" sid="7424"> <Token id="echo_id" type="int">6667</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">ficken</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DDOS Stacheldraht handler->agent ficken" sid="7425"> <Token id="echo_id" type="int">6667</Token> <Token id="icmp_type" type="int">0</Token> <Token id="content" type="str">ficken</Token> </Rule> </RuleList> <RuleList name="dns.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="53" name="DNS SPOOF query response PTR with TTL of 1 min. and no authority" sid="1012"> <Token id="content" type="str">\x85\x80\0\x01\0\x01\0\0\0\0</Token> <Token id="content" type="str">\xC0\f\0\f\0\x01\0\0\0<\0\x0F</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="53" name="DNS SPOOF query response with TTL of 1 min. and no authority" sid="1016"> <Token id="content" type="str">\x81\x80\0\x01\0\x01\0\0\0\0</Token> <Token id="content" type="str">\xC0\f\0\x01\0\x01\0\0\0<\0\x04</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS zone transfer TCP" sid="1020"> <Token id="content" type="str" offset="15">\0\0\xFC</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS named authors attempt" sid="1024"> <Token id="content" type="str" nocase="1" offset="12">\aauthors</Token> <Token id="content" type="str" nocase="1" offset="12">\x04bind</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS named version attempt" sid="1028"> <Token id="content" type="str" nocase="1" offset="12">\aversion</Token> <Token id="content" type="str" nocase="1" offset="12">\x04bind</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT named 8.2->8.2.1" sid="1032"> <Token id="content" type="str">../../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT named overflow ADM" sid="1036"> <Token id="content" type="str">thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT named overflow ADMROCKS" sid="1040"> <Token id="content" type="str">ADMROCKS</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT named overflow attempt" sid="1044"> <Token id="content" type="str">\xCD\x80\xE8\xD7\xFF\xFF\xFF/bin/sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT x86 Linux overflow attempt" sid="1048"> <Token id="content" type="str">1\xC0\xB0?1\xDB\xB3\xFF1\xC9\xCD\x801\xC0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT x86 Linux overflow attempt" sid="1056"> <Token id="content" type="str">1\xC0\xB0\x02\xCD\x80\x85\xC0uL\xEBL^\xB0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT x86 Linux overflow attempt ADMv2" sid="1060"> <Token id="content" type="str">\x89\xF7)\xC7\x89\xF3\x89\xF9\x89\xF2\xAC<\xFE</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT x86 FreeBSD overflow attempt" sid="1064"> <Token id="content" type="str">\xEBn^\xC6\x06\x9A1\xC9\x89N\x01\xC6F\x05</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT sparc overflow attempt" sid="1068"> <Token id="content" type="str">\x90\x1A\xC0\x0F\x90\x02 \b\x92\x02 \x0F\xD0#\xBF\xF8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT named tsig overflow attempt" sid="1212"> <Token id="content" type="str">\xAB\xCD\t\x80\0\0\0\x01\0\0\0\0\0\0\x01\0\x01 \x02a</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS EXPLOIT named tsig overflow attempt" sid="1256"> <Token id="content" type="str">\x80\0\a\0\0\0\0\0\x01?\0\x01\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS named authors attempt" sid="5740"> <Token id="content" type="str" nocase="1" offset="12">\aauthors</Token> <Token id="content" type="str" nocase="1" offset="12">\x04bind</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS named version attempt" sid="6464"> <Token id="content" type="str" nocase="1" offset="12">\aversion</Token> <Token id="content" type="str" nocase="1" offset="12">\x04bind</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="53" remport="*" name="DNS zone transfer UDP" sid="7792"> <Token id="content" type="str" offset="14">\0\0\xFC</Token> </Rule> </RuleList> <RuleList name="dos.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="DOS Jolt attack" sid="1072"> <Token id="dsize" type="int">408</Token> <Token id="ip_frg" type="str">M</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="DOS Teardrop attack" sid="1080"> <Token id="ip_frg" type="str">M</Token> <Token id="ip_id" type="int">242</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="19" remport="7" name="DOS UDP echo+chargen bomb" sid="1084"/> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="7" remport="19" name="DOS UDP echo+chargen bomb" sid="1085"/> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="19" remport="7" name="DOS UDP echo+chargen bomb" sid="1086"/> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="7" remport="19" name="DOS UDP echo+chargen bomb" sid="1087"/> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="DOS IGMP dos attack" sid="1088"> <Token id="ip_frg" type="str">M+</Token> <Token id="ip_ptc" type="int">2</Token> <Token id="content" type="str" depth="2">\x02\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="DOS IGMP dos attack" sid="1092"> <Token id="ip_frg" type="str">M+</Token> <Token id="ip_ptc" type="int">2</Token> <Token id="content" type="str" depth="2">\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="DOS ath" sid="1096"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" nocase="1">+++ath</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="DOS NAPTHA" sid="1100"> <Token id="tcp_flg" type="str">S</Token> <Token id="ip_id" type="int">413</Token> <Token id="tcp_seq" type="int">6060842</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="DOS NAPTHA" sid="1101"> <Token id="tcp_flg" type="str">S</Token> <Token id="ip_id" type="int">413</Token> <Token id="tcp_seq" type="int">6060842</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7070" remport="*" name="DOS Real Audio Server" sid="1104"> <Token id="content" type="str">\xFF\xF4\xFF\xFD\x06</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7070" remport="*" name="DOS Real Server template.html" sid="1108"> <Token id="content" type="str" nocase="1">/viewsource/template.html?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8080" remport="*" name="DOS Real Server template.html" sid="1112"> <Token id="content" type="str" nocase="1">/viewsource/template.html?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="161" remport="*" name="DOS Bay/Nortel Nautica Marlin" sid="1116"> <Token id="dsize" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="9" remport="*" name="DOS Ascend Route" sid="1124"> <Token id="content" type="str" depth="50" offset="25">NAMENAME</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="617" remport="*" name="DOS arkiea backup" sid="1128"> <Token id="dsize" type="int" rel="greater">1445</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="135-139" remport="*" name="DOS Winnuke attack" sid="5028"> <Token id="tcp_flg" type="str">U+</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3372" remport="*" name="DOS MSDTC attempt" sid="5632"> <Token id="dsize" type="int" rel="greater">1023</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="DOS Cisco attempt" sid="6180"> <Token id="dsize" type="int">1</Token> <Token id="content" type="str">\x13</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="6004" remport="*" name="DOS iParty DOS attempt" sid="6420"> <Token id="content" type="str">\xFF\xFF\xFF\xFF\xFF\xFF</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="6789-6790" remport="*" name="DOS DB2 dos attempt" sid="6564"> <Token id="dsize" type="int">1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="DOS ISAKMP invalid identification payload attempt" sid="9944"> <Token id="content" type="str" depth="1" offset="16">\x05</Token> <Token id="byte_test" type="int" format="big" offset="30" oper="greater" size="2">4</Token> <Token id="byte_test" type="int" format="big" offset="30" oper="less" size="2">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="179" remport="*" name="DOS BGP spoofed connection reset attempt" sid="10092"> <Token id="tcp_flg" type="str">FSR*</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="179" remport="*" name="DOS BGP spoofed connection reset attempt" sid="10093"> <Token id="tcp_flg" type="str">FSR*</Token> </Rule> </RuleList> <RuleList name="exploit.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="80" name="EXPLOIT Netscape 4.7 client overflow" sid="1132"> <Token id="content" type="str">3\xC9\xB1\x10?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="EXPLOIT x86 Linux samba overflow" sid="1168"> <Token id="content" type="str">\xEB/_\xEBJ^\x89\xFB\x89>\x89\xF2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2766" remport="*" name="EXPLOIT nlps x86 Solaris overflow" sid="1200"> <Token id="content" type="str">\xEB#^3\xC0\x88F\xFA\x89F\xF5\x896</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="515" remport="*" name="EXPLOIT LPRng overflow" sid="1204"> <Token id="content" type="str">C\a\x89[\b\x8DK\b\x89C\f\xB0\v\xCD\x801\xC0\xFE\xC0\xCD\x80\xE8\x94\xFF\xFF\xFF/bin/sh\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="515" remport="*" name="EXPLOIT Redhat 7.0 lprd overflow" sid="1208"> <Token id="content" type="str">XXXX%.172u%300$n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="6373" remport="*" name="EXPLOIT SCO calserver overflow" sid="1216"> <Token id="content" type="str">\xEB\x7F]U\xFEM\x98\xFEM\x9B</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8080" remport="*" name="EXPLOIT delegate proxy overflow" sid="1220"> <Token id="dsize" type="int" rel="greater">1000</Token> <Token id="content" type="str" nocase="1">whois://</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="9090" remport="*" name="EXPLOIT VQServer admin" sid="1224"> <Token id="content" type="str" nocase="1">GET / HTTP/1.1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="6666-7000" remport="*" name="EXPLOIT CHAT IRC topic overflow" sid="1228"> <Token id="content" type="str">\xEBK[S2\xE4\x83\xC3\vK\x88#\xB8Pw</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="21" name="EXPLOIT NextFTP client overflow" sid="1232"> <Token id="content" type="str">\xB4 \xB4!\x8B\xCC\x83\xE9\x04\x8B\x193\xC9f\xB9\x10</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="EXPLOIT sniffit overflow" sid="1236"> <Token id="dsize" type="int" rel="greater">512</Token> <Token id="tcp_flg" type="str">A+</Token> <Token id="content" type="str" nocase="1">from:\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="EXPLOIT x86 windows MailMax overflow" sid="1240"> <Token id="content" type="str">\xEBE\xEB [\xFC3\xC9\xB1\x82\x8B\xF3\x80+</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="80" name="EXPLOIT Netscape 4.7 unsucessful overflow" sid="1244"> <Token id="content" type="str">3\xC9\xB1\x10?\xE9\x06Q<\xFAG3\xC0P\xF7\xD0P</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="123" remport="*" name="EXPLOIT ntpdx overflow attempt" sid="1248"> <Token id="dsize" type="int" rel="greater">128</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="518" remport="*" name="EXPLOIT ntalkd x86 Linux overflow" sid="1252"> <Token id="content" type="str">\x01\x03\0\0\0\0\0\x01\0\x02\x02\xE8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="635" remport="*" name="EXPLOIT x86 Linux mountd overflow" sid="1260"> <Token id="content" type="str">^\xB0\x02\x89\x06\xFE\xC8\x89F\x04\xB0\x06\x89F</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="635" remport="*" name="EXPLOIT x86 Linux mountd overflow" sid="1264"> <Token id="content" type="str">\xEBV^VVV1\xD2\x88V\v\x88V\x1E</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="635" remport="*" name="EXPLOIT x86 Linux mountd overflow" sid="1268"> <Token id="content" type="str">\xEB@^1\xC0@\x89F\x04\x89\xC3@\x89\x06</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2224" remport="*" name="EXPLOIT MDBMS overflow" sid="4960"> <Token id="content" type="str">\x011\xDB\xCD\x80\xE8[\xFF\xFF\xFF</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="4242" remport="*" name="EXPLOIT AIX pdnsd overflow" sid="5044"> <Token id="dsize" type="int" rel="greater">1000</Token> <Token id="content" type="str">\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx\x7F\xFF\xFBx</Token> <Token id="content" type="str">@\x8A\xFF\xC8@\x82\xFF\xD8;6\xFE\x03;v\xFE\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="4321" remport="*" name="EXPLOIT rwhoisd format string attempt" sid="5292"> <Token id="content" type="str">-soa %p</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="22" remport="*" name="EXPLOIT ssh CRC32 overflow /bin/sh" sid="5296"> <Token id="content" type="str">/bin/sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="22" remport="*" name="EXPLOIT ssh CRC32 overflow NOOP" sid="5304"> <Token id="content" type="str">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="22" remport="*" name="EXPLOIT ssh CRC32 overflow" sid="5308"> <Token id="content" type="str" depth="7">\0\x01W\0\0\0\x18</Token> <Token id="content" type="str" depth="14" offset="8">\xFF\xFF\xFF\xFF\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="all" locport="*" remport="6666-7000" name="EXPLOIT CHAT IRC Ettercap parse overflow attempt" sid="5528"> <Token id="content" type="str" nocase="1">PRIVMSG</Token> <Token id="content" type="str" nocase="1">nickserv</Token> <Token id="content" type="str" nocase="1">IDENTIFY</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="all" remaddr_id="all" locport="6666-7000" remport="*" name="EXPLOIT CHAT IRC Ettercap parse overflow attempt" sid="5529"> <Token id="content" type="str" nocase="1">PRIVMSG</Token> <Token id="content" type="str" nocase="1">nickserv</Token> <Token id="content" type="str" nocase="1">IDENTIFY</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="6112" remport="*" name="EXPLOIT CDE dtspcd exploit attempt" sid="5592"> <Token id="content" type="str" depth="1" offset="10">1</Token> <Token id="content" type="str" complement="1" depth="3" offset="11">000</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="32772-34000" remport="*" name="EXPLOIT cachefsd buffer overflow attempt" sid="7004"> <Token id="dsize" type="int" rel="greater">720</Token> <Token id="content" type="str">\0\x01\x87\x86\0\0\0\x01\0\0\0\x05</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="22" remport="*" name="EXPLOIT gobbles SSH exploit attempt" sid="7248"> <Token id="content" type="str">GOBBLES</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="515" remport="*" name="EXPLOIT LPD dvips remote command execution attempt" sid="7284"> <Token id="content" type="str">psfile=\"`</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="22" name="EXPLOIT SSH server banner overflow" sid="7352"> <Token id="content" type="str" nocase="1">SSH-</Token> <Token id="isdataat" type="int" rel="relative">200</Token> <Token id="pcre" type="str">=/^SSH-\s[^\n]{200}/ism</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="749" remport="*" name="EXPLOIT kadmind buffer overflow attempt" sid="7576"> <Token id="content" type="str">\0\xC0\x05\b\0\xC0\x05\b\0\xC0\x05\b\0\xC0\x05\b</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="751" remport="*" name="EXPLOIT kadmind buffer overflow attempt" sid="7580"> <Token id="content" type="str">\0\xC0\x05\b\0\xC0\x05\b\0\xC0\x05\b\0\xC0\x05\b</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="749" remport="*" name="EXPLOIT kadmind buffer overflow attempt" sid="7584"> <Token id="content" type="str">\xFF\xFFKADM0.0A\0\0\xFB\x03</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="751" remport="*" name="EXPLOIT kadmind buffer overflow attempt" sid="7588"> <Token id="content" type="str">\xFF\xFFKADM0.0A\0\0\xFB\x03</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="749" remport="*" name="EXPLOIT kadmind buffer overflow attempt" sid="7592"> <Token id="content" type="str">/shh//bi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="751" remport="*" name="EXPLOIT kadmind buffer overflow attempt" sid="7596"> <Token id="content" type="str">/shh//bi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1655" remport="*" name="EXPLOIT ebola PASS overflow attempt" sid="9276"> <Token id="content" type="str" nocase="1">PASS</Token> <Token id="pcre" type="str">=/^PASS\s[^\n]{49}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1655" remport="*" name="EXPLOIT ebola USER overflow attempt" sid="9280"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="pcre" type="str">=/^USER\s[^\n]{49}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP first payload certificate request length overflow attempt" sid="9504"> <Token id="byte_test" type="int" format="big" offset="24" oper="greater" size="4">2043</Token> <Token id="content" type="str" depth="1" offset="16">\a</Token> <Token id="byte_test" type="int" format="big" offset="30" oper="greater" size="2">2043</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP second payload certificate request length overflow attempt" sid="9508"> <Token id="byte_test" type="int" format="big" offset="24" oper="greater" size="4">2043</Token> <Token id="content" type="str" depth="1" offset="28">\a</Token> <Token id="byte_jump" type="int" format="big" offset="30">2</Token> <Token id="byte_test" type="int" format="big" offset="-2" oper="greater" relative="1" size="2">2043</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP third payload certificate request length overflow attempt" sid="9512"> <Token id="byte_test" type="int" format="big" offset="24" oper="greater" size="4">2043</Token> <Token id="byte_jump" type="int" format="big" offset="30" relative="1">2</Token> <Token id="content" type="str" distance="-4" within="1">\a</Token> <Token id="byte_jump" type="int" format="big" offset="1" relative="1">2</Token> <Token id="byte_test" type="int" format="big" offset="-2" oper="greater" relative="1" size="2">2043</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP forth payload certificate request length overflow attempt" sid="9516"> <Token id="byte_test" type="int" format="big" offset="24" oper="greater" size="4">2043</Token> <Token id="byte_jump" type="int" format="big" offset="30" relative="1">2</Token> <Token id="byte_jump" type="int" format="big" offset="-2" relative="1">2</Token> <Token id="content" type="str" distance="-4" within="1">\a</Token> <Token id="byte_jump" type="int" format="big" offset="1" relative="1">2</Token> <Token id="byte_test" type="int" format="big" offset="-2" oper="greater" relative="1" size="2">2043</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP fifth payload certificate request length overflow attempt" sid="9520"> <Token id="byte_test" type="int" format="big" offset="24" oper="greater" size="4">2043</Token> <Token id="byte_jump" type="int" format="big" offset="30" relative="1">2</Token> <Token id="byte_jump" type="int" format="big" offset="-2" relative="1">2</Token> <Token id="byte_jump" type="int" format="big" offset="-2" relative="1">2</Token> <Token id="content" type="str" distance="-4" within="1">\a</Token> <Token id="byte_jump" type="int" format="big" offset="1" relative="1">2</Token> <Token id="byte_test" type="int" format="big" offset="-2" oper="greater" relative="1" size="2">2043</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP delete hash with empty hash attempt" sid="9652"> <Token id="content" type="str" depth="1" offset="16">\b</Token> <Token id="content" type="str" depth="1" offset="28">\f</Token> <Token id="content" type="str" depth="2" offset="30">\0\x04</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP initial contact notification without SPI attempt" sid="9656"> <Token id="content" type="str" depth="1" offset="16">\v</Token> <Token id="content" type="str" depth="10" offset="30">\0\f\0\0\0\x01\x01\0\x06\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="EXPLOIT ISAKMP second payload initial contact notification without SPI attempt" sid="9660"> <Token id="content" type="str" depth="1" offset="28">\v</Token> <Token id="byte_jump" type="int" format="big" offset="30">2</Token> <Token id="content" type="str" distance="-2" within="10">\0\f\0\0\0\x01\x01\0`\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="4000" remport="*" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt" sid="9772"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_test" type="int" offset="18" oper="greater" relative="1" size="2">128</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="4000" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt" sid="9773"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_test" type="int" offset="18" oper="greater" relative="1" size="2">128</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="4000" remport="*" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt" sid="9776"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_jump" type="int" offset="18" relative="1">2</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="2">128</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="4000" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt" sid="9777"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_jump" type="int" offset="18" relative="1">2</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="2">128</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="4000" remport="*" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt" sid="9780"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="2">128</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_jump" type="int" offset="18" relative="1">2</Token> <Token id="byte_jump" type="int" relative="1">2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="4000" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt" sid="9781"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="2">128</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_jump" type="int" offset="18" relative="1">2</Token> <Token id="byte_jump" type="int" relative="1">2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="4000" remport="*" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt" sid="9784"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="byte_jump" type="int" relative="1">2</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="2">128</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_jump" type="int" offset="18" relative="1">2</Token> <Token id="byte_jump" type="int" relative="1">2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="4000" name="EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt" sid="9785"> <Token id="content" type="str" depth="2">\x05\0</Token> <Token id="byte_jump" type="int" relative="1">2</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="2">128</Token> <Token id="content" type="str" distance="5" within="2">\x12\x02</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="1">1</Token> <Token id="content" type="str" distance="0">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">n\0</Token> <Token id="content" type="str">\x05\0</Token> <Token id="content" type="str" distance="5" within="2">\xDE\x03</Token> <Token id="byte_jump" type="int" offset="18" relative="1">2</Token> <Token id="byte_jump" type="int" relative="1">2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="EXPLOIT IGMP IGAP account overflow attempt" sid="9848"> <Token id="ip_ptc" type="int">2</Token> <Token id="byte_test" type="int" format="big" oper="greater" size="1">63</Token> <Token id="byte_test" type="int" format="big" oper="less" size="1">67</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" size="1">16</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="EXPLOIT IGMP IGAP account overflow attempt" sid="9849"> <Token id="ip_ptc" type="int">2</Token> <Token id="byte_test" type="int" format="big" oper="greater" size="1">63</Token> <Token id="byte_test" type="int" format="big" oper="less" size="1">67</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" size="1">16</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="EXPLOIT IGMP IGAP message overflow attempt" sid="9852"> <Token id="ip_ptc" type="int">2</Token> <Token id="byte_test" type="int" format="big" oper="greater" size="1">63</Token> <Token id="byte_test" type="int" format="big" oper="less" size="1">67</Token> <Token id="byte_test" type="int" format="big" offset="13" oper="greater" size="1">64</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="EXPLOIT IGMP IGAP message overflow attempt" sid="9853"> <Token id="ip_ptc" type="int">2</Token> <Token id="byte_test" type="int" format="big" oper="greater" size="1">63</Token> <Token id="byte_test" type="int" format="big" oper="less" size="1">67</Token> <Token id="byte_test" type="int" format="big" offset="13" oper="greater" size="1">64</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="EXPLOIT EIGRP prefix length overflow attempt" sid="9856"> <Token id="ip_ptc" type="int">88</Token> <Token id="byte_test" type="int" format="big" offset="44" oper="greater" size="1">32</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="EXPLOIT EIGRP prefix length overflow attempt" sid="9857"> <Token id="ip_ptc" type="int">88</Token> <Token id="byte_test" type="int" format="big" offset="44" oper="greater" size="1">32</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="EXPLOIT esignal STREAMQUOTE buffer overflow attempt" sid="9956"> <Token id="content" type="str" nocase="1"><STREAMQUOTE></Token> <Token id="isdataat" type="int" rel="relative">1024</Token> <Token id="content" type="str" complement="1" nocase="1" within="1054"></STREAMQUOTE></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="EXPLOIT esignal SNAPQUOTE buffer overflow attempt" sid="9960"> <Token id="content" type="str" nocase="1"><SNAPQUOTE></Token> <Token id="isdataat" type="int" rel="relative">1024</Token> <Token id="content" type="str" complement="1" nocase="1" within="1052"></SNAPQUOTE></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="548" remport="*" name="EXPLOIT AFP FPLoginExt username buffer overflow attempt" sid="10180"> <Token id="content" type="str" depth="2">\0\x02</Token> <Token id="content" type="str" distance="14" within="1">?</Token> <Token id="content" type="str" nocase="1">cleartxt passwrd</Token> <Token id="byte_jump" type="int" format="big" offset="1" relative="1">2</Token> <Token id="byte_jump" type="int" format="big" offset="1" relative="1">2</Token> <Token id="isdataat" type="int" rel="relative">2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="80" name="EXPLOIT winamp XM module name overflow" sid="10200"> <Token id="content" type="str" nocase="1">Extended module:</Token> <Token id="isdataat" type="int" rel="relative">20</Token> <Token id="content" type="str" complement="1" within="21">\x1A</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache GET overflow attempt" sid="10204"> <Token id="content" type="str">GET</Token> <Token id="pcre" type="str">=/^GET[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache HEAD overflow attempt" sid="10208"> <Token id="content" type="str">HEAD</Token> <Token id="pcre" type="str">=/^HEAD[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache PUT overflow attempt" sid="10212"> <Token id="content" type="str">PUT</Token> <Token id="pcre" type="str">=/^PUT[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache POST overflow attempt" sid="10216"> <Token id="content" type="str">POST</Token> <Token id="pcre" type="str">=/^POST[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache TRACE overflow attempt" sid="10220"> <Token id="content" type="str">TRACE</Token> <Token id="pcre" type="str">=/^TRACE[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache DELETE overflow attempt" sid="10224"> <Token id="content" type="str">DELETE</Token> <Token id="pcre" type="str">=/^DELETE[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache LOCK overflow attempt" sid="10228"> <Token id="content" type="str">LOCK</Token> <Token id="pcre" type="str">=/^LOCK[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache MKCOL overflow attempt" sid="10232"> <Token id="content" type="str">MKCOL</Token> <Token id="pcre" type="str">=/^MKCOL[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache COPY overflow attempt" sid="10236"> <Token id="content" type="str">COPY</Token> <Token id="pcre" type="str">=/^COPY[^s]{432}/sm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7777-7778" remport="*" name="EXPLOIT Oracle Web Cache MOVE overflow attempt" sid="10240"> <Token id="content" type="str">MOVE</Token> <Token id="pcre" type="str">=/^MOVE[^s]{432}/sm</Token> </Rule> </RuleList> <RuleList name="pop2.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="109" remport="*" name="POP2 x86 Linux overflow" sid="1136"> <Token id="content" type="str">\xEB,[\x89\xD9\x80\xC1\x069\xD9|\a\x80\x01</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="109" remport="*" name="POP2 x86 Linux overflow" sid="1140"> <Token id="content" type="str">\xFF\xFF\xFF/BIN/SH\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="109" remport="*" name="POP2 FOLD overflow attempt" sid="7736"> <Token id="isdataat" type="int" rel="relative">256</Token> <Token id="content" type="str">FOLD</Token> <Token id="pcre" type="str">=/^FOLD\s[^\n]{256}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="109" remport="*" name="POP2 FOLD arbitrary file attempt" sid="7740"> <Token id="pcre" type="str">=/^FOLD\s+\//smi</Token> <Token id="content" type="str">FOLD</Token> </Rule> </RuleList> <RuleList name="pop3.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 EXPLOIT x86 BSD overflow" sid="1144"> <Token id="content" type="str">^\x0E1\xC0\xB0;\x8D~\x0E\x89\xFA\x89\xF9</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 EXPLOIT x86 BSD overflow" sid="1148"> <Token id="content" type="str">h]^\xFF\xD5\xFF\xD4\xFF\xF5\x8B\xF5\x90f1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 EXPLOIT x86 Linux overflow" sid="1152"> <Token id="content" type="str">\xD8@\xCD\x80\xE8\xD9\xFF\xFF\xFF/bin/sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 EXPLOIT x86 SCO overflow" sid="1156"> <Token id="content" type="str">V\x0E1\xC0\xB0;\x8D~\x12\x89\xF9\x89\xF9</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 EXPLOIT qpopper overflow" sid="1160"> <Token id="content" type="str">\xE8\xD9\xFF\xFF\xFF/bin/sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 PASS overflow attempt" sid="6536"> <Token id="content" type="str" nocase="1">PASS</Token> <Token id="isdataat" type="int" rel="relative">50</Token> <Token id="pcre" type="str">=/^PASS\s[^\n]{50}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 APOP overflow attempt" sid="6540"> <Token id="content" type="str" nocase="1">APOP</Token> <Token id="isdataat" type="int" rel="relative">256</Token> <Token id="pcre" type="str">=/^APOP\s[^\n]{256}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 USER overflow attempt" sid="7464"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="isdataat" type="int" rel="relative">50</Token> <Token id="pcre" type="str">=/^USER\s[^\n]{50,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 AUTH overflow attempt" sid="7744"> <Token id="content" type="str" nocase="1">AUTH</Token> <Token id="isdataat" type="int" rel="relative">50</Token> <Token id="pcre" type="str">=/^AUTH\s[^\n]{50}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 LIST overflow attempt" sid="7748"> <Token id="content" type="str" nocase="1">LIST</Token> <Token id="isdataat" type="int" rel="relative">10</Token> <Token id="pcre" type="str">=/^LIST\s[^\n]{10}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 XTND overflow attempt" sid="7752"> <Token id="content" type="str" nocase="1">XTND</Token> <Token id="isdataat" type="int" rel="relative">50</Token> <Token id="pcre" type="str">=/^XTND\s[^\n]{50}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 CAPA overflow attempt" sid="8432"> <Token id="content" type="str" nocase="1">CAPA</Token> <Token id="isdataat" type="int" rel="relative">10</Token> <Token id="pcre" type="str">=/^CAPA\s[^\n]{10}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 TOP overflow attempt" sid="8436"> <Token id="content" type="str" nocase="1">TOP</Token> <Token id="isdataat" type="int" rel="relative">10</Token> <Token id="pcre" type="str">=/^TOP\s[^\n]{10}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 STAT overflow attempt" sid="8440"> <Token id="content" type="str" nocase="1">STAT</Token> <Token id="isdataat" type="int" rel="relative">10</Token> <Token id="pcre" type="str">=/^STAT\s[^\n]{10}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 DELE overflow attempt" sid="8444"> <Token id="content" type="str" nocase="1">DELE</Token> <Token id="isdataat" type="int" rel="relative">10</Token> <Token id="pcre" type="str">=/^DELE\s[^\n]{10}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 RSET overflow attempt" sid="8448"> <Token id="content" type="str" nocase="1">RSET</Token> <Token id="isdataat" type="int" rel="relative">10</Token> <Token id="pcre" type="str">=/^RSET\s[^\n]{10}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 DELE negative arguement attempt" sid="8484"> <Token id="content" type="str" nocase="1">DELE</Token> <Token id="pcre" type="str">=/^DELE\s+-\d/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 UIDL negative arguement attempt" sid="8488"> <Token id="content" type="str" nocase="1">UIDL</Token> <Token id="pcre" type="str">=/^UIDL\s+-\d/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 USER format string attempt" sid="9000"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="content" type="str" distance="1">%</Token> <Token id="content" type="str" distance="1">%</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="110" remport="*" name="POP3 APOP USER overflow attempt" sid="9636"> <Token id="content" type="str" nocase="1">APOP</Token> <Token id="isdataat" type="int" rel="relative">256</Token> <Token id="pcre" type="str">=/^APOP\s+USER\s[^\n]{256}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="995" remport="*" name="POP3 SSLv3 invalid timestamp attempt" sid="10004"> <Token id="content" type="str" depth="2">\x16\x03</Token> <Token id="content" type="str" depth="1" offset="5">\x01</Token> <Token id="byte_test" type="int" format="big" offset="5" oper="greater" relative="1" size="4">2147483647</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="995" remport="*" name="POP3 SSLv3 invalid data version attempt" sid="10008"> <Token id="content" type="str" depth="2">\x16\x03</Token> <Token id="content" type="str" depth="1" offset="5">\x01</Token> <Token id="content" type="str" complement="1" depth="1" offset="9">\x03</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="995" remport="*" name="PO3 PCT Client_Hello overflow attempt" sid="10072"> <Token id="content" type="str" depth="1" offset="2">\x01</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">16</Token> <Token id="byte_test" type="int" format="big" offset="10" oper="greater" size="2">20</Token> <Token id="content" type="str" depth="1" offset="11">\x8F</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="2">32768</Token> </Rule> </RuleList> <RuleList name="finger.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER cmd_rootsh backdoor attempt" sid="1280"> <Token id="content" type="str">cmd_rootsh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER account enumeration attempt" sid="1284"> <Token id="content" type="str" nocase="1">a b c d e f</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER search query" sid="1288"> <Token id="content" type="str">search</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER root query" sid="1292"> <Token id="content" type="str">root</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER null request" sid="1296"> <Token id="content" type="str">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER remote command execution attempt" sid="1304"> <Token id="content" type="str">;</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER remote command pipe execution attempt" sid="1308"> <Token id="content" type="str">|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER bomb attempt" sid="1312"> <Token id="content" type="str">@@</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER redirection attempt" sid="1320"> <Token id="content" type="str">@</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER cybercop query" sid="1324"> <Token id="content" type="str" depth="10">\n </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER 0 query" sid="1328"> <Token id="content" type="str">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER . query" sid="1332"> <Token id="content" type="str">.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="79" remport="*" name="FINGER version query" sid="6164"> <Token id="content" type="str">version</Token> </Rule> </RuleList> <RuleList name="icmp-info.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP IRDP router advertisement" sid="1452" enabled="0"> <Token id="icmp_type" type="int">9</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP IRDP router selection" sid="1456" enabled="0"> <Token id="icmp_type" type="int">10</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING undefined code" sid="1460" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING *NIX" sid="1464" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING BSDtype" sid="1472" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\b\t\n\v\f\r\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING BayRS Router" sid="1476" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\x01\x02\x03\x04\x05\x06\a\b\t\n\v\f\r\x0E\x0F</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING BeOS4.x" sid="1480" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\0\0\0\0\0\0\0\0\0\0\0\0\b\t\n\v</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Cisco Type.x" sid="1484" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\xAB\xCD\xAB\xCD\xAB\xCD\xAB\xCD\xAB\xCD\xAB\xCD\xAB\xCD\xAB\xCD</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Delphi-Piette Windows" sid="1488" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">Pinging from Del</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Flowpoint2200 or Network Management Software" sid="1492" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\x01\x02\x03\x04\x05\x06\a\b\t\n\v\f\r\x0E\x0F\x10</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING IP NetMonitor Macintosh" sid="1496" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\xA9 Sustainable So</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING LINUX/*BSD" sid="1500" enabled="0"> <Token id="dsize" type="int">8</Token> <Token id="ip_id" type="int">13170</Token> <Token id="icmp_type" type="int">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Microsoft Windows" sid="1504" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">0123456789abcdefghijklmnop</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Network Toolbox 3 Windows" sid="1508" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">================</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Ping-O-MeterWindows" sid="1512" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">OMeterObeseArmad</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Pinger Windows" sid="1516" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">Data\0\0\0\0\0\0\0\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Seer Windows" sid="1520" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\x88\x04 </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Sun Solaris" sid="1524" enabled="0"> <Token id="dsize" type="int">8</Token> <Token id="icmp_type" type="int">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Windows" sid="1528" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="16">abcdefghijklmnop</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING" sid="1536" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP traceroute" sid="1540" enabled="0"> <Token id="icmp_type" type="int">8</Token> <Token id="ip_ttl" type="int">1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Address Mask Reply" sid="1544" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">18</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Address Mask Reply undefined code" sid="1548" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">18</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Address Mask Request" sid="1552" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">17</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Address Mask Request undefined code" sid="1556" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">17</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Alternate Host Address" sid="1560" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">6</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Alternate Host Address undefined code" sid="1564" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">6</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Datagram Conversion Error" sid="1568" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">31</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Datagram Conversion Error undefined code" sid="1572" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">31</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Destination Host Unknown" sid="1576" enabled="0"> <Token id="icmp_code" type="int">7</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Destination Network Unknown" sid="1580" enabled="0"> <Token id="icmp_code" type="int">6</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Fragmentation Needed and DF bit was set" sid="1584" enabled="0"> <Token id="icmp_code" type="int">4</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Host Precedence Violation" sid="1588" enabled="0"> <Token id="icmp_code" type="int">14</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Host Unreachable for Type of Service" sid="1592" enabled="0"> <Token id="icmp_code" type="int">12</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Host Unreachable" sid="1596" enabled="0"> <Token id="icmp_code" type="int">1</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Network Unreachable for Type of Service" sid="1600" enabled="0"> <Token id="icmp_code" type="int">11</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Network Unreachable" sid="1604" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Port Unreachable" sid="1608" enabled="0"> <Token id="icmp_code" type="int">3</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Precedence Cutoff in effect" sid="1612" enabled="0"> <Token id="icmp_code" type="int">15</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Protocol Unreachable" sid="1616" enabled="0"> <Token id="icmp_code" type="int">2</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Source Host Isolated" sid="1620" enabled="0"> <Token id="icmp_code" type="int">8</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable Source Route Failed" sid="1624" enabled="0"> <Token id="icmp_code" type="int">5</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Destination Unreachable cndefined code" sid="1628" enabled="0"> <Token id="icmp_code" type="int" rel="greater">15</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Echo Reply" sid="1632" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Echo Reply undefined code" sid="1636" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Fragment Reassembly Time Exceeded" sid="1640" enabled="0"> <Token id="icmp_code" type="int">1</Token> <Token id="icmp_type" type="int">11</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP IPV6 I-Am-Here" sid="1644" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">34</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP IPV6 I-Am-Here undefined code" sid="1648" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">34</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP IPV6 Where-Are-You" sid="1652" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">33</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP IPV6 Where-Are-You undefined code" sid="1656" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">33</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Information Reply" sid="1660" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">16</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Information Reply undefined code" sid="1664" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">16</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Information Request" sid="1668" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">15</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Information Request undefined code" sid="1672" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">15</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Mobile Host Redirect" sid="1676" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">32</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Mobile Host Redirect undefined code" sid="1680" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">32</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Mobile Registration Reply" sid="1684" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">36</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Mobile Registration Reply undefined code" sid="1688" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">36</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Mobile Registration Request" sid="1692" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">35</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Mobile Registration Request undefined code" sid="1696" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">35</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Parameter Problem Bad Length" sid="1700" enabled="0"> <Token id="icmp_code" type="int">2</Token> <Token id="icmp_type" type="int">12</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Parameter Problem Missing a Required Option" sid="1704" enabled="0"> <Token id="icmp_code" type="int">1</Token> <Token id="icmp_type" type="int">12</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Parameter Problem Unspecified Error" sid="1708" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">12</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Parameter Problem undefined Code" sid="1712" enabled="0"> <Token id="icmp_code" type="int" rel="greater">2</Token> <Token id="icmp_type" type="int">12</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Photuris Reserved" sid="1716" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">40</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Photuris Unknown Security Parameters Index" sid="1720" enabled="0"> <Token id="icmp_code" type="int">1</Token> <Token id="icmp_type" type="int">40</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Photuris Valid Security Parameters, But Authentication Failed" sid="1724" enabled="0"> <Token id="icmp_code" type="int">2</Token> <Token id="icmp_type" type="int">40</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Photuris Valid Security Parameters, But Decryption Failed" sid="1728" enabled="0"> <Token id="icmp_code" type="int">3</Token> <Token id="icmp_type" type="int">40</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Photuris undefined code!" sid="1732" enabled="0"> <Token id="icmp_code" type="int" rel="greater">3</Token> <Token id="icmp_type" type="int">40</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Redirect for TOS and Host" sid="1744" enabled="0"> <Token id="icmp_code" type="int">3</Token> <Token id="icmp_type" type="int">5</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Redirect for TOS and Network" sid="1748" enabled="0"> <Token id="icmp_code" type="int">2</Token> <Token id="icmp_type" type="int">5</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Redirect undefined code" sid="1752" enabled="0"> <Token id="icmp_code" type="int" rel="greater">3</Token> <Token id="icmp_type" type="int">5</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Reserved for Security Type 19" sid="1756" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Reserved for Security Type 19 undefined code" sid="1760" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Router Advertisement" sid="1764" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">9</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Router Selection" sid="1772" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">10</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP SKIP" sid="1780" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">39</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP SKIP undefined code" sid="1784" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">39</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Source Quench undefined code" sid="1792" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">4</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Time-To-Live Exceeded in Transit" sid="1796" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">11</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Time-To-Live Exceeded in Transit undefined code" sid="1800" enabled="0"> <Token id="icmp_code" type="int" rel="greater">1</Token> <Token id="icmp_type" type="int">11</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Timestamp Reply" sid="1804" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">14</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Timestamp Reply undefined code" sid="1808" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">14</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Timestamp Request" sid="1812" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">13</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Timestamp Request undefined code" sid="1816" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">13</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Traceroute" sid="1824" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">30</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Traceroute undefined code" sid="1828" enabled="0"> <Token id="icmp_code" type="int" rel="greater">0</Token> <Token id="icmp_type" type="int">30</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP unassigned type 1" sid="1832" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP unassigned type 1 undefined code" sid="1836" enabled="0"> <Token id="icmp_type" type="int">1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP unassigned type 2" sid="1840" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP unassigned type 2 undefined code" sid="1844" enabled="0"> <Token id="icmp_type" type="int">2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP unassigned type 7" sid="1848" enabled="0"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">7</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP unassigned type 7 undefined code" sid="1852" enabled="0"> <Token id="icmp_type" type="int">7</Token> </Rule> </RuleList> <RuleList name="icmp.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP ISS Pinger" sid="1860"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">ISSPNGRQ</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP L3retriever Ping" sid="1864"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Nemesis v1.1 Echo" sid="1868"> <Token id="dsize" type="int">20</Token> <Token id="echo_id" type="int">0</Token> <Token id="echo_seq" type="int">0</Token> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str">\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING NMAP" sid="1876"> <Token id="dsize" type="int">0</Token> <Token id="icmp_type" type="int">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP icmpenum v1.1.1" sid="1884"> <Token id="dsize" type="int">0</Token> <Token id="echo_id" type="int">666</Token> <Token id="echo_seq" type="int">0</Token> <Token id="ip_id" type="int">666</Token> <Token id="icmp_type" type="int">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP redirect host" sid="1888"> <Token id="icmp_code" type="int">1</Token> <Token id="icmp_type" type="int">5</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP redirect net" sid="1892"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">5</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP superscan echo" sid="1896"> <Token id="dsize" type="int">8</Token> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str">\0\0\0\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP traceroute ipopts" sid="1900"> <Token id="ip_opt" type="int">0</Token> <Token id="icmp_type" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP webtrends scanner" sid="1904"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str">\0\0\0\0EEEEEEEEEEEE</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Source Quench" sid="1908"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">4</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Broadscan Smurf Scanner" sid="1912"> <Token id="dsize" type="int">4</Token> <Token id="echo_id" type="int">0</Token> <Token id="echo_seq" type="int">0</Token> <Token id="icmp_type" type="int">8</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING speedera" sid="1920"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="100">89:;<=>?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP TJPingPro1.1Build 2 Windows" sid="1924"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">TJPingPro by Jim</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING WhatsupGold Windows" sid="1928"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">WhatsUp - A Netw</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING CyberKit 2.2 Windows" sid="1932"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP PING Sniffer Pro/NetXRay network scan" sid="1936"> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str" depth="32">Cinco Network, Inc.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="all" remaddr_id="all" name="ICMP Destination Unreachable Communication Administratively Prohibited" sid="1940"> <Token id="icmp_code" type="int">13</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="all" remaddr_id="all" name="ICMP Destination Unreachable Communication Administratively Prohibited" sid="1941"> <Token id="icmp_code" type="int">13</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="all" remaddr_id="all" name="ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited" sid="1944"> <Token id="icmp_code" type="int">10</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="all" remaddr_id="all" name="ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited" sid="1945"> <Token id="icmp_code" type="int">10</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="icmp" locaddr_id="all" remaddr_id="all" name="ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited" sid="1948"> <Token id="icmp_code" type="int">9</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="all" remaddr_id="all" name="ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited" sid="1949"> <Token id="icmp_code" type="int">9</Token> <Token id="icmp_type" type="int">3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP Large ICMP Packet" sid="1996"> <Token id="dsize" type="int" rel="greater">800</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="ICMP digital island bandwidth query" sid="7252"> <Token id="content" type="str" depth="22">mailto:ops@digisle.com</Token> </Rule> </RuleList> <RuleList name="info.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="80" name="INFO Connection Closed MSG from Port 80" sid="1952" enabled="0"> <Token id="content" type="str" nocase="1">Connection closed by foreign host</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="INFO FTP no password" sid="1956" enabled="0"> <Token id="content" type="str" nocase="1">PASS</Token> <Token id="pcre" type="str">=/^PASS\s*\n/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="INFO battle-mail traffic" sid="1960" enabled="0"> <Token id="content" type="str">BattleMail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="INFO FTP Bad login" sid="1964" enabled="0"> <Token id="content" type="str">530 </Token> <Token id="pcre" type="str">=/^530\s+(Login|User)/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="23" remport="*" name="INFO TELNET Bad Login" sid="1968" enabled="0"> <Token id="content" type="str" nocase="1">Login failed</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="INFO psyBNC access" sid="1972" enabled="0"> <Token id="content" type="str">Welcome!psyBNC@lam3rz.de</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="23" remport="*" name="INFO TELNET Bad Login" sid="5004" enabled="0"> <Token id="content" type="str" nocase="1">Login incorrect</Token> </Rule> </RuleList> <RuleList name="attack-responses.rules"> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="ATTACK-RESPONSES command completed" sid="1976"> <Token id="content" type="str" nocase="1">Command completed</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="ATTACK-RESPONSES command error" sid="1980"> <Token id="content" type="str" nocase="1">Bad command or filename</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="ATTACK-RESPONSES file copied ok" sid="1988"> <Token id="content" type="str" nocase="1">1 file(s) copied</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="ATTACK-RESPONSES id check returned root" sid="1992"> <Token id="content" type="str">uid=0(root)</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="ATTACK-RESPONSES id check returned root" sid="1993"> <Token id="content" type="str">uid=0(root)</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="ATTACK-RESPONSES Invalid URL" sid="4800"> <Token id="content" type="str" nocase="1">Invalid URL</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="ATTACK-RESPONSES 403 Forbidden" sid="4804"> <Token id="content" type="str" depth="12">HTTP/1.1 403</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="ATTACK-RESPONSES directory listing" sid="5168"> <Token id="content" type="str">Volume Serial Number</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8002" remport="*" name="ATTACK-RESPONSES oracle one hour install" sid="5856"> <Token id="content" type="str">Oracle Applications One-Hour Install</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="ATTACK-RESPONSES index of /cgi-bin/ response" sid="6664"> <Token id="content" type="str" nocase="1">Index of /cgi-bin/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="22" remport="*" name="ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE" sid="7240"> <Token id="content" type="str">*GOBBLE*</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="22" remport="*" name="ATTACK-RESPONSES successful gobbles ssh exploit uname" sid="7244"> <Token id="content" type="str">uname</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="ATTACK-RESPONSES id check returned userid" sid="7528"> <Token id="content" type="str">uid=</Token> <Token id="byte_test" type="int" format="like-c" oper="less" relative="1" size="5">65537</Token> <Token id="content" type="str" within="15"> gid=</Token> <Token id="byte_test" type="int" format="like-c" oper="less" relative="1" size="5">65537</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="749" remport="*" name="ATTACK-RESPONSES successful kadmind buffer overflow attempt" sid="7600"> <Token id="content" type="str" depth="8">*GOBBLE*</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="751" remport="*" name="ATTACK-RESPONSES successful kadmind buffer overflow attempt" sid="7604"> <Token id="content" type="str" depth="8">*GOBBLE*</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="512" remport="*" name="ATTACK-RESPONSES rexec username too long response" sid="8416"> <Token id="content" type="str" depth="17">username too long</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="!21-23" remport="*" name="ATTACK-RESPONSES Microsoft cmd.exe banner" sid="8492"> <Token id="content" type="str">Microsoft Windows</Token> <Token id="content" type="str" distance="0">(C) Copyright 1985-</Token> <Token id="content" type="str" distance="0">Microsoft Corp.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="ATTACK-RESPONSES successful cross site scripting forced download attempt" sid="9648"> <Token id="content" type="str">\nReferer: res:/C:</Token> </Rule> </RuleList> <RuleList name="misc.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="MISC source route lssr" sid="2000"> <Token id="ip_opt" type="int">5</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="MISC source route lssre" sid="2004"> <Token id="ip_opt" type="int">5</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="MISC source route ssrr" sid="2008"> <Token id="ip_opt" type="int">6</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="0-1023" remport="20" name="MISC Source Port 20 to <1024" sid="2012"> <Token id="tcp_flg" type="str" mask="12">S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="0-1023" remport="53" name="MISC source port 53 to <1024" sid="2016"> <Token id="tcp_flg" type="str" mask="12">S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1417" remport="*" name="MISC Insecure TIMBUKTU Password" sid="2020"> <Token id="content" type="str" depth="16">\x05\0></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="5631" remport="*" name="MISC PCAnywhere Attempted Administrator Login" sid="2028"> <Token id="content" type="str">ADMINISTRATOR</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="70" remport="*" name="MISC gopher proxy" sid="2032"> <Token id="content" type="str" nocase="1">ftp:</Token> <Token id="content" type="str">@/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="5631-5632" remport="*" name="MISC PCAnywhere Failed Login" sid="2048"> <Token id="content" type="str" depth="16">Invalid login</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7161" remport="*" name="MISC Cisco Catalyst Remote Access" sid="2052"> <Token id="tcp_flg" type="str" mask="12">SA</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="27374" name="MISC ramen worm" sid="2056"> <Token id="content" type="str" depth="8" nocase="1">GET </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="161" remport="*" name="MISC SNMP NT UserList" sid="2064"> <Token id="content" type="str">+\x06\x10@\x14\xD1\x02\x19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="177" remport="*" name="MISC xdmcp query" sid="2068"> <Token id="content" type="str">\0\x01\0\x03\0\x01\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="MISC Tiny Fragments" sid="2088"> <Token id="dsize" type="int" rel="less">25</Token> <Token id="ip_frg" type="str">M</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1900" remport="*" name="MISC UPnP malformed advertisement" sid="5536"> <Token id="content" type="str" nocase="1">NOTIFY * </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1900" remport="*" name="MISC UPnP Location overflow" sid="5552"> <Token id="content" type="str" nocase="1">Location:</Token> <Token id="pcre" type="str">=/^Location\:[^\n]{128}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="aim_servers" locport="*" remport="*" name="MISC AIM AddGame attempt" sid="5572"> <Token id="content" type="str" nocase="1">aim:AddGame?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3389" remport="*" name="MISC MS Terminal server request RDP" sid="5788"> <Token id="content" type="str" depth="11">\x03\0\0\v\x06\xE0\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3389" remport="*" name="MISC MS Terminal server request" sid="5792"> <Token id="content" type="str" depth="3">\x03\0\0</Token> <Token id="content" type="str" depth="6" offset="5">\xE0\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="7001" remport="*" name="MISC AFS access" sid="6016"> <Token id="content" type="str">\0\0\x03\xE7\0\0\0\0\0\0\0e\0\0\0\0\0\0\0\0\r\x05\0\0\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="32000" remport="*" name="MISC Xtramail Username overflow attempt" sid="6544"> <Token id="dsize" type="int" rel="greater">500</Token> <Token id="content" type="str" nocase="1">Username:</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="pcre" type="str">=/^Username\:[^\n]{100}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="aim_servers" locport="*" remport="*" name="MISC AIM AddExternalApp attempt" sid="7008"> <Token id="content" type="str" nocase="1">aim:AddExternalApp?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2533" remport="*" name="MISC Alcatel PABX 4400 connection attempt" sid="7276"> <Token id="content" type="str" depth="3">\0\x01C</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="177" remport="*" name="MISC xdmcp info query" sid="7468"> <Token id="content" type="str">\0\x01\0\x02\0\x01\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="443" remport="*" name="MISC OpenSSL Worm traffic" sid="7548"> <Token id="content" type="str" nocase="1">TERM=xterm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="http_servers" remaddr_id="external_net" locport="2002" remport="2002" name="MISC slapper worm admin traffic" sid="7556"> <Token id="content" type="str" depth="10">\0\0E\0\0E\0\0@\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="67" remport="*" name="MISC bootp hardware address length overflow" sid="7756"> <Token id="content" type="str" depth="1">\x01</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" size="1">6</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="67" remport="*" name="MISC bootp invalid hardware type" sid="7760"> <Token id="content" type="str" depth="1">\x01</Token> <Token id="byte_test" type="int" format="big" offset="1" oper="greater" size="1">7</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="27155" remport="*" name="MISC GlobalSunTech Access Point Information Disclosure attempt" sid="7864"> <Token id="content" type="str">gstsearch</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="7100" remport="*" name="MISC xfs overflow attempt" sid="7948"> <Token id="dsize" type="int" rel="greater">512</Token> <Token id="content" type="str" depth="3">B\0\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS invalid user authentication response" sid="8032"> <Token id="content" type="str">E Fatal error, aborting.</Token> <Token id="content" type="str">: no such user</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS invalid repository response" sid="8036"> <Token id="content" type="str">error </Token> <Token id="content" type="str">: no such repository</Token> <Token id="content" type="str">I HATE YOU</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS double free exploit attempt response" sid="8040"> <Token id="content" type="str">free(): warning: chunk is already free</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS invalid directory response" sid="8044"> <Token id="content" type="str">E protocol error: invalid directory syntax in</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS missing cvsroot response" sid="8048"> <Token id="content" type="str">E protocol error: Root request missing</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS invalid module response" sid="8052"> <Token id="content" type="str">cvs server: cannot find module</Token> <Token id="content" type="str" distance="1">error</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="67" remport="*" name="MISC bootp hostname format string attempt" sid="8156"> <Token id="content" type="str" depth="1">\x01</Token> <Token id="content" type="str" distance="240">\f</Token> <Token id="content" type="str" distance="0">%</Token> <Token id="content" type="str" distance="1" within="8">%</Token> <Token id="content" type="str" distance="1" within="8">%</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="49" remport="*" name="MISC xtacacs failed login response" sid="8164"> <Token id="content" type="str" depth="2">\x80\x02</Token> <Token id="content" type="str" distance="4">\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="500" name="MISC isakmp login failed" sid="8172"> <Token id="content" type="str" depth="2" offset="17">\x10\x05</Token> <Token id="content" type="str" distance="13" within="8">\0\0\0\x01\x01\0\0\x18</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="873" remport="*" name="MISC rsyncd module list access" sid="8188"> <Token id="content" type="str" depth="5">#list</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="873" remport="*" name="MISC rsyncd overflow attempt" sid="8192"> <Token id="byte_test" type="int" format="big" oper="greater" size="2">4000</Token> <Token id="content" type="str" depth="2" offset="2">\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1723" remport="*" name="MISC Microsoft PPTP Start Control Request buffer overflow attempt" sid="8504"> <Token id="dsize" type="int" rel="greater">156</Token> <Token id="content" type="str" depth="2" offset="2">\0\x01</Token> <Token id="content" type="str" depth="2" offset="8">\0\x01</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="all" remaddr_id="all" locport="*" remport="179" name="MISC BGP invalid length" sid="8632"> <Token id="content" type="str">\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF</Token> <Token id="byte_test" type="int" format="big" oper="less" relative="1" size="2">19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="all" locport="179" remport="*" name="MISC BGP invalid length" sid="8633"> <Token id="content" type="str">\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF</Token> <Token id="byte_test" type="int" format="big" oper="less" relative="1" size="2">19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="all" locport="*" remport="179" name="MISC BGP invalid length" sid="8634"> <Token id="content" type="str">\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF</Token> <Token id="byte_test" type="int" format="big" oper="less" relative="1" size="2">19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="all" remaddr_id="all" locport="179" remport="*" name="MISC BGP invalid length" sid="8635"> <Token id="content" type="str">\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF</Token> <Token id="byte_test" type="int" format="big" oper="less" relative="1" size="2">19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="179" remport="*" name="MISC BGP invalid type 0" sid="8636"> <Token id="content" type="str" depth="16">\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF</Token> <Token id="content" type="str" distance="2" within="1">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="179" remport="*" name="MISC BGP invalid type 0" sid="8637"> <Token id="content" type="str" depth="16">\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF</Token> <Token id="content" type="str" distance="2" within="1">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS non-relative path error response" sid="9268"> <Token id="content" type="str">E cvs server: warning: cannot make directory CVS in /</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2401" remport="*" name="MISC CVS non-relative path access attempt" sid="9272"> <Token id="content" type="str">Argument</Token> <Token id="pcre" type="str">=m?^Argument\s+/?smi</Token> <Token id="pcre" type="str">=/^Directory/smiR</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3389" remport="*" name="MISC MS Terminal Server no encryption session initiation attmept" sid="9672"> <Token id="content" type="str" depth="3">\x03\0\x01</Token> <Token id="content" type="str" depth="1" offset="288">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="636" remport="*" name="MISC LDAP SSLv3 invalid data version attempt" sid="10000"> <Token id="content" type="str" depth="2">\x16\x03</Token> <Token id="content" type="str" depth="1" offset="5">\x01</Token> <Token id="content" type="str" complement="1" depth="1" offset="9">\x03</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="639" remport="*" name="MISC LDAP PCT Client_Hello overflow attempt" sid="10064"> <Token id="content" type="str" depth="1" offset="2">\x01</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">16</Token> <Token id="byte_test" type="int" format="big" offset="10" oper="greater" size="2">20</Token> <Token id="content" type="str" depth="1" offset="11">\x8F</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="2">32768</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8000" remport="*" name="MISC HP Web JetAdmin remote file upload attempt" sid="10188"> <Token id="content" type="str" nocase="1">/plugins/hpjwja/script/devices_update_printer_fw_upload.hts</Token> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="0" nocase="1">Multipart</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8000" remport="*" name="MISC HP Web JetAdmin setinfo access" sid="10192"> <Token id="content" type="str" nocase="1">/plugins/hpjdwm/script/test/setinfo.hts</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8000" remport="*" name="MISC HP Web JetAdmin file write attempt" sid="10196"> <Token id="content" type="str" nocase="1">/plugins/framework/script/tree.xms</Token> <Token id="content" type="str" nocase="1">WriteToFile</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="873" remport="*" name="MISC rsync backup-dir directory traversal attempt" sid="10244"> <Token id="content" type="str">--backup-dir</Token> <Token id="pcre" type="str">=/--backup-dir\s+\x2e\x2e\x2f/</Token> </Rule> </RuleList> <RuleList name="web-misc.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC PCCS mysql database admin tool access" sid="2036"> <Token id="content" type="str" depth="36" nocase="1">pccsmysqladm/incs/dbconnect.inc</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC carbo.dll access" sid="4004"> <Token id="content" type="str" uricont="1">/carbo.dll</Token> <Token id="content" type="str" nocase="1">icatcommand=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise DOS" sid="4188"> <Token id="content" type="str" depth="9">REVLOG / </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise directory listing attempt" sid="4192"> <Token id="content" type="str" depth="6">INDEX </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC iPlanet GETPROPERTIES attempt" sid="4200"> <Token id="content" type="str" depth="13">GETPROPERTIES</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC weblogic/tomcat .jsp view source attempt" sid="4216"> <Token id="content" type="str" nocase="1" uricont="1">.jsp</Token> <Token id="pcre" type="str">!/^\w+\s+[^\n\s\?]*\.jsp/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Tomcat view source attempt" sid="4224"> <Token id="content" type="str" uricont="1">%252ejsp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ftp attempt" sid="4228"> <Token id="content" type="str" nocase="1">ftp.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC xp_enumdsn attempt" sid="4232"> <Token id="content" type="str" nocase="1">xp_enumdsn</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC xp_filelist attempt" sid="4236"> <Token id="content" type="str" nocase="1">xp_filelist</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC xp_availablemedia attempt" sid="4240"> <Token id="content" type="str" nocase="1">xp_availablemedia</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC xp_cmdshell attempt" sid="4244"> <Token id="content" type="str" nocase="1">xp_cmdshell</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC nc.exe attempt" sid="4248"> <Token id="content" type="str" nocase="1">nc.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC wsh attempt" sid="4256"> <Token id="content" type="str" nocase="1">wsh.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC rcmd attempt" sid="4260"> <Token id="content" type="str" nocase="1">rcmd.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC telnet attempt" sid="4264"> <Token id="content" type="str" nocase="1">telnet.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC net attempt" sid="4268"> <Token id="content" type="str" nocase="1">net.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC tftp attempt" sid="4272"> <Token id="content" type="str" nocase="1">tftp.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC xp_regread attempt" sid="4276"> <Token id="content" type="str" nocase="1">xp_regread</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC WebDAV search access" sid="4280"> <Token id="content" type="str" depth="8" nocase="1">SEARCH </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .htpasswd access" sid="4284"> <Token id="content" type="str" nocase="1">.htpasswd</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Lotus Domino directory traversal" sid="4288"> <Token id="content" type="str" uricont="1">.nsf/</Token> <Token id="content" type="str" nocase="1" uricont="1">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC queryhit.htm access" sid="4308"> <Token id="content" type="str" nocase="1" uricont="1">/samples/search/queryhit.htm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC counter.exe access" sid="4312"> <Token id="content" type="str" nocase="1" uricont="1">/counter.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC WebDAV propfind access" sid="4316"> <Token id="content" type="str" nocase="1"><a:propfind</Token> <Token id="content" type="str" nocase="1">xmlns:a=\"DAV\"></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC unify eWave ServletExec upload" sid="4320"> <Token id="content" type="str" nocase="1" uricont="1">/servlet/com.unify.servletexec.UploadServlet</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Servers suite DOS" sid="4324"> <Token id="content" type="str" nocase="1" uricont="1">/dsgw/bin/search?context=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC amazon 1-click cookie theft" sid="4328"> <Token id="content" type="str" nocase="1">ref%3Cscript%20language%3D%22Javascript</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC unify eWave ServletExec DOS" sid="4332"> <Token id="content" type="str" uricont="1">/servlet/ServletExec</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Allaire JRUN DOS attempt" sid="4336"> <Token id="content" type="str" nocase="1" uricont="1">servlet/.......</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC whisker tab splice attack" sid="4348"> <Token id="dsize" type="int" rel="less">5</Token> <Token id="content" type="str">\t</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ICQ Webfront HTTP DOS" sid="4364"> <Token id="content" type="str" uricont="1">??????????</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Talentsoft Web+ Source Code view access" sid="4380"> <Token id="content" type="str" uricont="1">/webplus.exe?script=test.wml</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Talentsoft Web+ internal IP Address access" sid="4384"> <Token id="content" type="str" uricont="1">/webplus.exe?about</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SmartWin CyberOffice Shopping Cart access" sid="4392"> <Token id="content" type="str" uricont="1">_private/shopping_cart.mdb</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cybercop scan" sid="4396"> <Token id="content" type="str" nocase="1" uricont="1">/cybercop</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC L3retriever HTTP Probe" sid="4400"> <Token id="content" type="str">User-Agent: Java1.2.1\r\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Webtrends HTTP probe" sid="4404"> <Token id="content" type="str">User-Agent: Webtrends Security Analyzer\r\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Nessus 404 probe" sid="4408"> <Token id="content" type="str" depth="32" uricont="1">/nessus_is_probing_you_</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape admin passwd" sid="4412"> <Token id="content" type="str" nocase="1" uricont="1">/admin-serv/config/admpw</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC whisker space splice attack" sid="4416"> <Token id="dsize" type="int">1</Token> <Token id="content" type="str"> </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC BigBrother access" sid="4420"> <Token id="content" type="str" nocase="1" uricont="1">/bb-hostsvc.sh?HOSTSVC</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ftp.pl access" sid="4428"> <Token id="content" type="str" nocase="1" uricont="1">/ftp.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Tomcat server snoop access" sid="4432"> <Token id="content" type="str" uricont="1">/jsp/snp/</Token> <Token id="content" type="str" uricont="1">.snp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ROXEN directory list attempt" sid="4436"> <Token id="content" type="str" uricont="1">/%00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC apache source.asp file access" sid="4440"> <Token id="content" type="str" nocase="1" uricont="1">/site/eg/source.asp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Tomcat server exploit access" sid="4444"> <Token id="content" type="str" nocase="1" uricont="1">/contextAdmin/contextAdmin.html</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC http directory traversal" sid="4448"> <Token id="content" type="str">..\\</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC http directory traversal" sid="4452"> <Token id="content" type="str">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ICQ webserver DOS" sid="4460"> <Token id="content" type="str" nocase="1" uricont="1">.html/......</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Lotus DelDoc attempt" sid="4464"> <Token id="content" type="str" nocase="1" uricont="1">?DeleteDocument</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Lotus EditDoc attempt" sid="4468"> <Token id="content" type="str" nocase="1" uricont="1">?EditDocument</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ls%20-l" sid="4472"> <Token id="content" type="str" nocase="1">ls%20-l</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC mlog.phtml access" sid="4476"> <Token id="content" type="str" nocase="1" uricont="1">/mlog.phtml</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC mylog.phtml access" sid="4480"> <Token id="content" type="str" nocase="1" uricont="1">/mylog.phtml</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /etc/passwd" sid="4488"> <Token id="content" type="str" nocase="1">/etc/passwd</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ?PageServices access" sid="4492"> <Token id="content" type="str" nocase="1" uricont="1">?PageServices</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Ecommerce check.txt access" sid="4496"> <Token id="content" type="str" nocase="1" uricont="1">/config/check.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC webcart access" sid="4500"> <Token id="content" type="str" nocase="1" uricont="1">/webcart/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC AuthChangeUrl access" sid="4504"> <Token id="content" type="str" nocase="1" uricont="1">_AuthChangeUrl?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC convert.bas access" sid="4508"> <Token id="content" type="str" nocase="1" uricont="1">/scripts/convert.bas</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cpshost.dll access" sid="4512"> <Token id="content" type="str" nocase="1" uricont="1">/scripts/cpshost.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .htaccess access" sid="4516"> <Token id="content" type="str" nocase="1">.htaccess</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .wwwacl access" sid="4520"> <Token id="content" type="str" nocase="1" uricont="1">.wwwacl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .wwwacl access" sid="4524"> <Token id="content" type="str" nocase="1" uricont="1">.www_acl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="457" remport="*" name="WEB-MISC Netscape Unixware overflow" sid="4528"> <Token id="content" type="str">\xEB_\x9A\xFF\xFF\xFF\xFF\a\xFF\xC3^1\xC0\x89F\x9D</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cd.." sid="4544"> <Token id="content" type="str" nocase="1">cd..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC whisker HEAD/./" sid="4556"> <Token id="content" type="str">HEAD/./</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC guestbook.pl access" sid="4560"> <Token id="content" type="str" nocase="1" uricont="1">/guestbook.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC handler access" sid="4564"> <Token id="content" type="str" nocase="1" uricont="1">/handler</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /.... access" sid="4568"> <Token id="content" type="str">/....</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ///cgi-bin access" sid="4572"> <Token id="content" type="str" nocase="1" uricont="1">///cgi-bin</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /cgi-bin/// access" sid="4576"> <Token id="content" type="str" nocase="1" uricont="1">/cgi-bin///</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /~root access" sid="4580"> <Token id="content" type="str" nocase="1" uricont="1">/~root</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Ecommerce import.txt access" sid="4584"> <Token id="content" type="str" nocase="1" uricont="1">/config/import.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cat%20 access" sid="4588"> <Token id="content" type="str" nocase="1">cat%20</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Ecommerce import.txt access" sid="4592"> <Token id="content" type="str" nocase="1" uricont="1">/orders/import.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino catalog.nsf access" sid="4600"> <Token id="content" type="str" nocase="1" uricont="1">/catalog.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino domcfg.nsf access" sid="4604"> <Token id="content" type="str" nocase="1" uricont="1">/domcfg.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino domlog.nsf access" sid="4608"> <Token id="content" type="str" nocase="1" uricont="1">/domlog.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino log.nsf access" sid="4612"> <Token id="content" type="str" nocase="1" uricont="1">/log.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino names.nsf access" sid="4616"> <Token id="content" type="str" nocase="1" uricont="1">/names.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Ecommerce checks.txt access" sid="4620"> <Token id="content" type="str" nocase="1" uricont="1">/orders/checks.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC apache DOS attempt" sid="4624"> <Token id="content" type="str">////////</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape PublishingXpert access" sid="4628"> <Token id="content" type="str" nocase="1" uricont="1">/PSUser/PSCOErrPage.htm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC windmail.exe access" sid="4632"> <Token id="content" type="str" nocase="1" uricont="1">/windmail.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC webplus access" sid="4636"> <Token id="content" type="str" nocase="1" uricont="1">/webplus?script</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape dir index wp" sid="4640"> <Token id="content" type="str" nocase="1" uricont="1">?wp-</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cart 32 AdminPwd access" sid="4648"> <Token id="content" type="str" nocase="1" uricont="1">/c32web.exe/ChangeAdminPassword</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC shopping cart access" sid="4656"> <Token id="content" type="str" nocase="1" uricont="1">/quikstore.cfg</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Novell Groupwise gwweb.exe access" sid="4660"> <Token id="content" type="str" nocase="1">/GWWEB.EXE</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ws_ftp.ini access" sid="4664"> <Token id="content" type="str" nocase="1" uricont="1">/ws_ftp.ini</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC rpm_query access" sid="4668"> <Token id="content" type="str" nocase="1" uricont="1">/rpm_query</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC mall log order access" sid="4672"> <Token id="content" type="str" nocase="1" uricont="1">/mall_log_files/order.log</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC architext_query.pl access" sid="4692"> <Token id="content" type="str" nocase="1" uricont="1">/ews/architext_query.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC wwwboard.pl access" sid="4700"> <Token id="content" type="str" nocase="1" uricont="1">/wwwboard.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC order.log access" sid="4704"> <Token id="content" type="str" nocase="1" uricont="1">/admin_files/order.log</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4708"> <Token id="content" type="str" nocase="1" uricont="1">?wp-verify-link</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC get32.exe access" sid="4720"> <Token id="content" type="str" nocase="1" uricont="1">/get32.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Annex Terminal DOS attempt" sid="4724"> <Token id="content" type="str" uricont="1">/ping?query=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cgitest.exe attempt" sid="4728"> <Token id="content" type="str" nocase="1" uricont="1">/cgitest.exe\r\nuser</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4732"> <Token id="content" type="str" nocase="1" uricont="1">?wp-cs-dump</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4736"> <Token id="content" type="str" nocase="1" uricont="1">?wp-ver-info</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4744"> <Token id="content" type="str" nocase="1" uricont="1">?wp-ver-diff</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SalesLogix Eviewer web command attempt" sid="4748"> <Token id="content" type="str" nocase="1" uricont="1">/slxweb.dll/admin?command=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4752"> <Token id="content" type="str" nocase="1" uricont="1">?wp-start-ver</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4756"> <Token id="content" type="str" nocase="1" uricont="1">?wp-stop-ver</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4760"> <Token id="content" type="str" nocase="1" uricont="1">?wp-uncheckout</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4764"> <Token id="content" type="str" nocase="1" uricont="1">?wp-html-rend</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Trend Micro OfficeScan access" sid="4768"> <Token id="content" type="str" nocase="1" uricont="1">/officescan/cgi/jdkRqNotify.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC oracle web arbitrary command execution attempt" sid="4772"> <Token id="content" type="str" nocase="1" uricont="1">/ows-bin/</Token> <Token id="content" type="str" uricont="1">?&</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Netscape Enterprise Server directory view" sid="4792"> <Token id="content" type="str" nocase="1" uricont="1">?wp-usr-prop</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2301" remport="*" name="WEB-MISC Compaq Insight directory traversal" sid="4796"> <Token id="content" type="str">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC search.vts access" sid="4808"> <Token id="content" type="str" uricont="1">/search.vts</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC htgrep access" sid="4828"> <Token id="content" type="str" uricont="1">/htgrep</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .nsconfig access" sid="4836"> <Token id="content" type="str" uricont="1">/.nsconfig</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Admin_files access" sid="4848"> <Token id="content" type="str" nocase="1" uricont="1">/admin_files</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC backup access" sid="4852"> <Token id="content" type="str" nocase="1" uricont="1">/backup</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC intranet access" sid="4856"> <Token id="content" type="str" nocase="1" uricont="1">/intranet/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC filemail access" sid="4864"> <Token id="content" type="str" nocase="1" uricont="1">/filemail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC plusmail access" sid="4868"> <Token id="content" type="str" nocase="1" uricont="1">/plusmail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC adminlogin access" sid="4872"> <Token id="content" type="str" nocase="1" uricont="1">/adminlogin</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ultraboard access" sid="4880"> <Token id="content" type="str" nocase="1" uricont="1">/ultraboard</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC musicat empower access" sid="4884"> <Token id="content" type="str" nocase="1" uricont="1">/empower</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ROADS search.pl attempt" sid="4896"> <Token id="content" type="str" uricont="1">/ROADS/cgi-bin/search.pl</Token> <Token id="content" type="str" nocase="1">form=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC VirusWall FtpSave access" sid="4920"> <Token id="content" type="str" nocase="1" uricont="1">/FtpSave.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC VirusWall catinfo access" sid="4924"> <Token id="content" type="str" nocase="1" uricont="1">/catinfo</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1812" remport="*" name="WEB-MISC VirusWall catinfo access" sid="4928"> <Token id="content" type="str" nocase="1">/catinfo</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC VirusWall FtpSaveCSP access" sid="4936"> <Token id="content" type="str" nocase="1" uricont="1">/FtpSaveCSP.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC VirusWall FtpSaveCVP access" sid="4940"> <Token id="content" type="str" nocase="1" uricont="1">/FtpSaveCVP.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SWEditServlet directory traversal attempt" sid="4964"> <Token id="content" type="str" uricont="1">/SWEditServlet</Token> <Token id="content" type="str">template=../../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Cisco IOS HTTP configuration attempt" sid="5000"> <Token id="content" type="str" uricont="1">/level/</Token> <Token id="content" type="str" uricont="1">/exec/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC HP OpenView Manager DOS" sid="5032"> <Token id="content" type="str" nocase="1" uricont="1">/OvCgi/OpenView5.exe?Context=Snmp&Action=Snmp&Host=&Oid=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SWEditServlet access" sid="5036"> <Token id="content" type="str" uricont="1">/SWEditServlet</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC long basic authorization string" sid="5040"> <Token id="content" type="str" nocase="1">Authorization: Basic </Token> <Token id="content" type="str" complement="1" within="512">\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC sml3com access" sid="5164"> <Token id="content" type="str" uricont="1">/graphics/sml3com</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC console.exe access" sid="5208"> <Token id="content" type="str" nocase="1" uricont="1">/cgi-bin/console.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cs.exe access" sid="5212"> <Token id="content" type="str" nocase="1" uricont="1">/cgi-bin/cs.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC sadmind worm access" sid="5500"> <Token id="content" type="str" depth="15">GET x HTTP/1.0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC jrun directory browse attempt" sid="5504"> <Token id="content" type="str" uricont="1">/?.jsp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Trend Micro OfficeScan attempt" sid="5524"> <Token id="content" type="str" nocase="1" uricont="1">/officescan/cgi/jdkRqNotify.exe?</Token> <Token id="content" type="str" nocase="1" uricont="1">domain=</Token> <Token id="content" type="str" nocase="1" uricont="1">event=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC mod-plsql administration access" sid="5540"> <Token id="content" type="str" uricont="1">/admin_/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Phorecast remote code execution attempt" sid="5564"> <Token id="content" type="str">includedir=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC viewcode access" sid="5612"> <Token id="content" type="str" uricont="1">/viewcode</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC showcode access" sid="5616"> <Token id="content" type="str" uricont="1">/showcode</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .history access" sid="5732"> <Token id="content" type="str" uricont="1">/.history</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .bash_history access" sid="5736"> <Token id="content" type="str" uricont="1">/.bash_history</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /~nobody access" sid="5956"> <Token id="content" type="str" uricont="1">/~nobody</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC RBS ISP /newuser directory traversal attempt" sid="5968"> <Token id="content" type="str" uricont="1">/newuser?Image=../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC RBS ISP /newuser access" sid="5972"> <Token id="content" type="str" uricont="1">/newuser</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cross site scripting attempt" sid="5988"> <Token id="content" type="str" nocase="1"><SCRIPT></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8181" remport="*" name="WEB-MISC PIX firewall manager directory traversal attempt" sid="5992"> <Token id="content" type="str">/../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8888" remport="*" name="WEB-MISC SiteScope Service access" sid="5996"> <Token id="content" type="str">/SiteScope/cgi/go.exe/SiteScope</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ExAir access" sid="6000"> <Token id="content" type="str" uricont="1">/exair/search/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8000" remport="*" name="WEB-MISC nstelemetry.adp access" sid="6072"> <Token id="content" type="str">/nstelemetry.adp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC apache ?M=D directory list attempt" sid="6076"> <Token id="content" type="str" uricont="1">/?M=D</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC server-info access" sid="6080"> <Token id="content" type="str" uricont="1">/server-info</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC server-status access" sid="6084"> <Token id="content" type="str" uricont="1">/server-status</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ans.pl attempt" sid="6088"> <Token id="content" type="str" uricont="1">/ans.pl?p=../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ans.pl access" sid="6092"> <Token id="content" type="str" uricont="1">/ans.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC AxisStorpoint CD attempt" sid="6096"> <Token id="content" type="str" uricont="1">/cd/../config/html/cnf_gi.htm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Axis Storpoint CD access" sid="6100"> <Token id="content" type="str" uricont="1">/config/html/cnf_gi.htm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC basilix sendmail.inc access" sid="6104"> <Token id="content" type="str" uricont="1">/inc/sendmail.inc</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC basilix mysql.class access" sid="6108"> <Token id="content" type="str" uricont="1">/class/mysql.class</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC BBoard access" sid="6112"> <Token id="content" type="str" uricont="1">/servlet/sunexamples.BBoardServlet</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Cisco Catalyst command execution attempt" sid="6176"> <Token id="content" type="str" nocase="1" uricont="1">/exec/show/config/cr</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /CVS/Entries access" sid="6204"> <Token id="content" type="str" uricont="1">/CVS/Entries</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cvsweb version access" sid="6208"> <Token id="content" type="str" uricont="1">/cvsweb/version</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8080" remport="*" name="WEB-MISC Delegate whois overflow attempt" sid="6232"> <Token id="content" type="str" nocase="1">whois://</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /doc/packages access" sid="6236"> <Token id="content" type="str" nocase="1" uricont="1">/doc/packages</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /doc/ access" sid="6240"> <Token id="content" type="str" nocase="1" uricont="1">/doc/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC login.htm attempt" sid="6252"> <Token id="content" type="str" nocase="1" uricont="1">/login.htm?password=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC login.htm access" sid="6256"> <Token id="content" type="str" nocase="1" uricont="1">/login.htm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino mab.nsf access" sid="6300"> <Token id="content" type="str" nocase="1" uricont="1">/mab.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino cersvr.nsf access" sid="6304"> <Token id="content" type="str" nocase="1" uricont="1">/cersvr.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino setup.nsf access" sid="6308"> <Token id="content" type="str" nocase="1" uricont="1">/setup.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino statrep.nsf access" sid="6312"> <Token id="content" type="str" nocase="1" uricont="1">/statrep.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino webadmin.nsf access" sid="6316"> <Token id="content" type="str" nocase="1" uricont="1">/webadmin.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino events4.nsf access" sid="6320"> <Token id="content" type="str" nocase="1" uricont="1">/events4.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino ntsync4.nsf access" sid="6324"> <Token id="content" type="str" nocase="1" uricont="1">/ntsync4.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino collect4.nsf access" sid="6328"> <Token id="content" type="str" nocase="1" uricont="1">/collect4.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino mailw46.nsf access" sid="6332"> <Token id="content" type="str" nocase="1" uricont="1">/mailw46.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino bookmark.nsf access" sid="6336"> <Token id="content" type="str" nocase="1" uricont="1">/bookmark.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino agentrunner.nsf access" sid="6340"> <Token id="content" type="str" nocase="1" uricont="1">/agentrunner.nsf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Domino mail.box access" sid="6344"> <Token id="content" type="str" nocase="1" uricont="1">/mail.box</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cgitest.exe access" sid="6348"> <Token id="content" type="str" nocase="1" uricont="1">/cgitest.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SalesLogix Eviewer access" sid="6352"> <Token id="content" type="str" nocase="1" uricont="1">/slxweb.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC musicat empower attempt" sid="6356"> <Token id="content" type="str" nocase="1" uricont="1">/empower?DB=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC DELETE attempt" sid="6412"> <Token id="content" type="str" depth="7" nocase="1">DELETE </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="4080" remport="*" name="WEB-MISC iChat directory traversal attempt" sid="6416"> <Token id="content" type="str">/../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ftp.pl attempt" sid="6448"> <Token id="content" type="str" nocase="1" uricont="1">/ftp.pl?dir=../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC handler attempt" sid="6452"> <Token id="content" type="str" uricont="1">/handler</Token> <Token id="content" type="str" nocase="1" uricont="1">|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Novell Groupwise gwweb.exe attempt" sid="6456"> <Token id="content" type="str" nocase="1" uricont="1">/GWWEB.EXE?HELP=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC htgrep attempt" sid="6460"> <Token id="content" type="str" uricont="1">/htgrep</Token> <Token id="content" type="str">hdr=/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /~ftp access" sid="6648"> <Token id="content" type="str" nocase="1" uricont="1">/~ftp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC *%0a.pl access" sid="6652"> <Token id="content" type="str" nocase="1" uricont="1">/*\n.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC mkplog.exe access" sid="6656"> <Token id="content" type="str" nocase="1" uricont="1">/mkplog.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cross site scripting HTML Image tag set to javascript attempt" sid="6668"> <Token id="content" type="str" nocase="1">img src=javascript</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /home/ftp access" sid="6680"> <Token id="content" type="str" nocase="1" uricont="1">/home/ftp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /home/www access" sid="6684"> <Token id="content" type="str" nocase="1" uricont="1">/home/www</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC global.inc access" sid="6952"> <Token id="content" type="str" nocase="1" uricont="1">/global.inc</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SecureSite authentication bypass attempt" sid="6976"> <Token id="content" type="str" nocase="1">secure_site, ok</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC b2 arbitrary command execution attempt" sid="7028"> <Token id="content" type="str" uricont="1">/b2/b2-include/</Token> <Token id="content" type="str">b2inc</Token> <Token id="content" type="str">http://</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC b2 access" sid="7032"> <Token id="content" type="str" uricont="1">/b2/b2-include/</Token> <Token id="content" type="str">b2inc</Token> <Token id="content" type="str">http://</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC search.dll directory listing attempt" sid="7064"> <Token id="content" type="str" uricont="1">/search.dll</Token> <Token id="content" type="str">query=%00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC search.dll access" sid="7068"> <Token id="content" type="str" uricont="1">/search.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .DS_Store access" sid="7076"> <Token id="content" type="str" uricont="1">/.DS_Store</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC .FBCIndex access" sid="7080"> <Token id="content" type="str" uricont="1">/.FBCIndex</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Chunked-Encoding transfer attempt" sid="7228"> <Token id="content" type="str" nocase="1">Transfer-Encoding:</Token> <Token id="content" type="str" nocase="1">chunked</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC apache chunked encoding memory corruption exploit attempt" sid="7232"> <Token id="content" type="str">\xC0PR\x89\xE1PQRP\xB8;\0\0\0\xCD\x80</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Apache Chunked-Encoding worm attempt" sid="7236"> <Token id="content" type="str" nocase="1">CCCCCCC: AAAAAAAAAAAAAAAAAAA</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC CISCO VoIP DOS ATTEMPT" sid="7256"> <Token id="content" type="str" uricont="1">/StreamingStatistics</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC IBM Net.Commerce orderdspc.d2w access" sid="7280"> <Token id="content" type="str" uricont="1">/ncommerce3/ExecMacro/orderdspc.d2w</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC WEB-INF access" sid="7304"> <Token id="content" type="str" nocase="1" uricont="1">/WEB-INF</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Tomcat servlet mapping cross site scripting attempt" sid="7308"> <Token id="content" type="str" uricont="1">/servlet/</Token> <Token id="content" type="str" uricont="1">/org.apache.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC iPlanet Search directory traversal attempt" sid="7312"> <Token id="content" type="str" uricont="1">/search</Token> <Token id="content" type="str">NS-query-pat=</Token> <Token id="content" type="str">../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Tomcat TroubleShooter servlet access" sid="7316"> <Token id="content" type="str" uricont="1">/examples/servlet/TroubleShooter</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Tomcat SnoopServlet servlet access" sid="7320"> <Token id="content" type="str" uricont="1">/examples/servlet/SnoopServlet</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC jigsaw dos attempt" sid="7324"> <Token id="content" type="str" uricont="1">/servlet/con</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Macromedia SiteSpring cross site scripting attempt" sid="7340"> <Token id="content" type="str" nocase="1" uricont="1">/error/500error.jsp</Token> <Token id="content" type="str" uricont="1">et=</Token> <Token id="content" type="str" nocase="1" uricont="1"><script</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC mailman cross site scripting attempt" sid="7356"> <Token id="content" type="str" nocase="1" uricont="1">/mailman/</Token> <Token id="content" type="str" uricont="1">?</Token> <Token id="content" type="str" uricont="1">info=</Token> <Token id="content" type="str" nocase="1" uricont="1"><script</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC webalizer access" sid="7388"> <Token id="content" type="str" nocase="1" uricont="1">/webalizer/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC webcart-lite access" sid="7392"> <Token id="content" type="str" nocase="1" uricont="1">/webcart-lite/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC webfind.exe access" sid="7396"> <Token id="content" type="str" nocase="1" uricont="1">/webfind.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC active.log access" sid="7404"> <Token id="content" type="str" nocase="1" uricont="1">/active.log</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC robots.txt access" sid="7408"> <Token id="content" type="str" nocase="1" uricont="1">/robots.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC robot.txt access" sid="7428"> <Token id="content" type="str" nocase="1" uricont="1">/robot.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8181" remport="*" name="WEB-MISC CISCO PIX Firewall Manager directory traversal attempt" sid="7432"> <Token id="content" type="str">/pixfir~1/how_to_login.html</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="9090" remport="*" name="WEB-MISC Sun JavaServer default password login attempt" sid="7436"> <Token id="content" type="str">/servlet/admin</Token> <Token id="content" type="str">ae9f86d6beaa3f9ecb9a5b7e072a4138</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8080" remport="*" name="WEB-MISC Linksys router default password login attempt" sid="7440"> <Token id="content" type="str">Authorization: Basic OmFkbWlu</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8080" remport="*" name="WEB-MISC Linksys router default username and password login attempt" sid="7444"> <Token id="content" type="str" nocase="1">Authorization: </Token> <Token id="content" type="str" nocase="1"> Basic </Token> <Token id="content" type="str">YWRtaW46YWRtaW4</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Oracle XSQLConfig.xml access" sid="7484"> <Token id="content" type="str" uricont="1">/XSQLConfig.xml</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Oracle Dynamic Monitoring Services dms access" sid="7488"> <Token id="content" type="str" uricont="1">/dms0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC globals.jsa access" sid="7492"> <Token id="content" type="str" uricont="1">/globals.jsa</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Oracle Java Process Manager access" sid="7496"> <Token id="content" type="str" uricont="1">/oprocmgr-status</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC oracle web application server access" sid="7520"> <Token id="content" type="str" nocase="1" uricont="1">/ows-bin/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC bad HTTP/1.1 request, Potentially worm attack" sid="7524"> <Token id="content" type="str" depth="18">GET / HTTP/1.1\r\n\r\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /Carello/add.exe access" sid="7772"> <Token id="content" type="str" nocase="1" uricont="1">/Carello/add.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /ecscripts/ecware.exe access" sid="7776"> <Token id="content" type="str" nocase="1" uricont="1">/ecscripts/ecware.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8888" remport="*" name="WEB-MISC answerbook2 admin attempt" sid="7784"> <Token id="content" type="str">/cgi-bin/admin/admin</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8888" remport="*" name="WEB-MISC answerbook2 arbitrary command execution attempt" sid="7788"> <Token id="content" type="str">/ab2/</Token> <Token id="content" type="str" distance="1">;</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ion-p access" sid="7876"> <Token id="content" type="str" nocase="1" uricont="1">/ion-p</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC xp_regwrite attempt" sid="7908"> <Token id="content" type="str" nocase="1">xp_regwrite</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC xp_regdeletekey attempt" sid="7912"> <Token id="content" type="str" nocase="1">xp_regdeletekey</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC perl post attempt" sid="7916"> <Token id="content" type="str" depth="4">POST</Token> <Token id="content" type="str" uricont="1">/perl/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC TRACE attempt" sid="8224"> <Token id="content" type="str" depth="5">TRACE</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC helpout.exe access" sid="8228"> <Token id="content" type="str" uricont="1">/helpout.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC MsmMask.exe attempt" sid="8232"> <Token id="content" type="str" uricont="1">/MsmMask.exe</Token> <Token id="content" type="str">mask=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC MsmMask.exe access" sid="8236"> <Token id="content" type="str" uricont="1">/MsmMask.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC DB4Web access" sid="8240"> <Token id="content" type="str" uricont="1">/DB4Web/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Tomcat null byte directory listing attempt" sid="8244"> <Token id="content" type="str" uricont="1">\0.jsp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC iPlanet .perf access" sid="8248"> <Token id="content" type="str" uricont="1">/.perf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Demarc SQL injection attempt" sid="8252"> <Token id="content" type="str" uricont="1">/dm/demarc</Token> <Token id="content" type="str">s_key=</Token> <Token id="content" type="str" distance="0">'</Token> <Token id="content" type="str" distance="1">'</Token> <Token id="content" type="str" distance="0">'</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Lotus Notes .csp script source download attempt" sid="8256"> <Token id="content" type="str" uricont="1">.csp</Token> <Token id="content" type="str">.csp</Token> <Token id="content" type="str" within="1">.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Lotus Notes .pl script source download attempt" sid="8264"> <Token id="content" type="str" uricont="1">.pl</Token> <Token id="content" type="str">.pl</Token> <Token id="content" type="str" within="1">.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Lotus Notes .exe script source download attempt" sid="8268"> <Token id="content" type="str" uricont="1">.exe</Token> <Token id="content" type="str">.exe</Token> <Token id="content" type="str" within="1">.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC BitKeeper arbitrary command attempt" sid="8272"> <Token id="content" type="str" uricont="1">/diffs/</Token> <Token id="content" type="str">'</Token> <Token id="content" type="str" distance="0">;</Token> <Token id="content" type="str" distance="1">'</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC chip.ini access" sid="8276"> <Token id="content" type="str" uricont="1">/chip.ini</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC post32.exe arbitrary command attempt" sid="8280"> <Token id="content" type="str" uricont="1">/post32.exe|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC post32.exe access" sid="8284"> <Token id="content" type="str" uricont="1">/post32.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC lyris.pl access" sid="8288"> <Token id="content" type="str" uricont="1">/lyris.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC globals.pl access" sid="8292"> <Token id="content" type="str" uricont="1">/globals.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC philboard.mdb access" sid="8540"> <Token id="content" type="str" uricont="1">/philboard.mdb</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC philboard_admin.asp authentication bypass attempt" sid="8544"> <Token id="content" type="str" uricont="1">/philboard_admin.asp</Token> <Token id="content" type="str" nocase="1">Cookie</Token> <Token id="content" type="str" distance="0">philboard_admin=True</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC philboard_admin.asp access" sid="8548"> <Token id="content" type="str" uricont="1">/philboard_admin.asp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC logicworks.ini access" sid="8552"> <Token id="content" type="str" uricont="1">/logicworks.ini</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC /*.shtml access" sid="8556"> <Token id="content" type="str" uricont="1">/*.shtml</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC mod_gzip_status access" sid="8624"> <Token id="content" type="str" uricont="1">/mod_gzip_status</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC NetGear router default password login attempt admin/password" sid="8920"> <Token id="content" type="str" nocase="1">Authorization: </Token> <Token id="content" type="str" nocase="1"> Basic </Token> <Token id="content" type="str">YWRtaW46cGFzc3dvcmQ</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC register.dll access" sid="8924"> <Token id="content" type="str" nocase="1" uricont="1">/register.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ContentFilter.dll access" sid="8928"> <Token id="content" type="str" nocase="1" uricont="1">/ContentFilter.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SFNofitication.dll access" sid="8932"> <Token id="content" type="str" nocase="1" uricont="1">/SFNofitication.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC TOP10.dll access" sid="8936"> <Token id="content" type="str" nocase="1" uricont="1">/TOP10.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC SpamExcp.dll access" sid="8940"> <Token id="content" type="str" nocase="1" uricont="1">/SpamExcp.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC spamrule.dll access" sid="8944"> <Token id="content" type="str" nocase="1" uricont="1">/spamrule.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cgiWebupdate.exe access" sid="8948"> <Token id="content" type="str" nocase="1" uricont="1">/cgiWebupdate.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC WebLogic ConsoleHelp view source attempt" sid="8952"> <Token id="content" type="str" nocase="1" uricont="1">/ConsoleHelp/</Token> <Token id="content" type="str" nocase="1" uricont="1">.jsp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC redirect.exe access" sid="8956"> <Token id="content" type="str" nocase="1" uricont="1">/redirect.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC changepw.exe access" sid="8960"> <Token id="content" type="str" nocase="1" uricont="1">/changepw.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC cwmail.exe access" sid="8964"> <Token id="content" type="str" nocase="1" uricont="1">/cwmail.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ddicgi.exe access" sid="8968"> <Token id="content" type="str" nocase="1" uricont="1">/ddicgi.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ndcgi.exe access" sid="8972"> <Token id="content" type="str" nocase="1" uricont="1">/ndcgi.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC VsSetCookie.exe access" sid="8976"> <Token id="content" type="str" nocase="1" uricont="1">/VsSetCookie.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Webnews.exe access" sid="8980"> <Token id="content" type="str" nocase="1" uricont="1">/Webnews.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC webadmin.dll access" sid="8984"> <Token id="content" type="str" nocase="1" uricont="1">/webadmin.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC oracle portal demo access" sid="9104"> <Token id="content" type="str" nocase="1" uricont="1">/pls/portal/PORTAL_DEMO</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC PeopleSoft PeopleBooks psdoccgi access" sid="9108"> <Token id="content" type="str" nocase="1" uricont="1">/psdoccgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC negative Content-Length attempt" sid="9112"> <Token id="content" type="str" nocase="1">Content-Length:</Token> <Token id="pcre" type="str">=/^Content-Length\x3a\s+-\d+/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC bsml.pl access" sid="9308"> <Token id="content" type="str" nocase="1" uricont="1">/bsml.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ISAPISkeleton.dll access" sid="9476"> <Token id="content" type="str" nocase="1" uricont="1">/ISAPISkeleton.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC BugPort config.conf file access" sid="9480"> <Token id="content" type="str" nocase="1" uricont="1">/config.conf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Sample_showcode.html access" sid="9484"> <Token id="content" type="str" nocase="1" uricont="1">/Sample_showcode.html</Token> <Token id="content" type="str">fname</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC schema overflow attempt" sid="9524"> <Token id="content" type="str" uricont="1">://</Token> <Token id="pcre" type="str">=/^[^\/]{14,}?\x3a\/\//U</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="2301" remport="*" name="WEB-MISC Compaq web-based management agent denial of service attempt" sid="9576"> <Token id="content" type="str" depth="75"><!</Token> <Token id="content" type="str" within="50">></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC InteractiveQuery.jsp access" sid="9580"> <Token id="content" type="str" nocase="1" uricont="1">/InteractiveQuery.jsp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC edittag.pl access" sid="9600"> <Token id="content" type="str" nocase="1" uricont="1">/edittag.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC util.pl access" sid="9628"> <Token id="content" type="str" nocase="1" uricont="1">/util.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC Invision Power Board search.pl access" sid="9632"> <Token id="content" type="str" uricont="1">/search.pl</Token> <Token id="content" type="str" nocase="1">st=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="554" remport="*" name="WEB-MISC Real Server DESCRIBE buffer overflow attempt" sid="9644"> <Token id="content" type="str" nocase="1">DESCRIBE</Token> <Token id="content" type="str" distance="1">../</Token> <Token id="pcre" type="str">=/^DESCRIBE\s[^\n]{300}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC NetObserve authentication bypass attempt" sid="9764"> <Token id="content" type="str" nocase="1">login=0</Token> <Token id="content" type="str" nocase="1">Cookie:</Token> <Token id="pcre" type="str">=/^Cookie\x3a[^\n]*?login=0/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="8000-8001" remport="*" name="WEB-MISC Quicktime User-Agent buffer overflow attempt" sid="9768"> <Token id="content" type="str" nocase="1">User-Agent:</Token> <Token id="pcre" type="str">=/^User-Agent\x3a[^\n]{244,255}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC ServletManager access" sid="9788"> <Token id="content" type="str" nocase="1" uricont="1">/servlet/ServletManager</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC setinfo.hts access" sid="9792"> <Token id="content" type="str" nocase="1" uricont="1">/setinfo.hts</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-MISC source.jsp access" sid="9936"> <Token id="content" type="str" nocase="1" uricont="1">/source.jsp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="443" remport="*" name="WEB-MISC SSLv3 invalid data version attempt" sid="10020"> <Token id="content" type="str" depth="2">\x16\x03</Token> <Token id="content" type="str" depth="1" offset="5">\x01</Token> <Token id="content" type="str" complement="1" depth="1" offset="9">\x03</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="443" remport="*" name="WEB-MISC PCT Client_Hello overflow attempt" sid="10060"> <Token id="content" type="str" depth="1" offset="2">\x01</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">16</Token> <Token id="byte_test" type="int" format="big" offset="10" oper="greater" size="2">20</Token> <Token id="content" type="str" depth="1" offset="11">\x8F</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="2">32768</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="81" remport="*" name="WEB-MISC McAfee ePO file upload attempt" sid="10248"> <Token id="content" type="str" nocase="1">/spipe/repl_file</Token> <Token id="content" type="str" nocase="1">Command=BEGIN</Token> </Rule> </RuleList> <RuleList name="policy.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="9000-9002" remport="*" name="POLICY HP JetDirect LCD modification attempt" sid="2040" enabled="0"> <Token id="content" type="str">@PJL RDYMSG DISPLAY =</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP 'STOR 1MB' possible warez site" sid="2172" enabled="0"> <Token id="content" type="str" nocase="1">STOR</Token> <Token id="content" type="str" distance="1" nocase="1">1MB</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP 'RETR 1MB' possible warez site" sid="2176" enabled="0"> <Token id="content" type="str" nocase="1">RETR</Token> <Token id="content" type="str" distance="1" nocase="1">1MB</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP 'CWD / ' possible warez site" sid="2180" enabled="0"> <Token id="content" type="str" nocase="1">CWD</Token> <Token id="content" type="str" distance="1">/ </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP 'CWD ' possible warez site" sid="2184" enabled="0"> <Token id="content" type="str" depth="5" nocase="1">CWD </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP 'MKD ' possible warez site" sid="2188" enabled="0"> <Token id="content" type="str" depth="5" nocase="1">MKD </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP 'MKD .' possible warez site" sid="2192" enabled="0"> <Token id="content" type="str" depth="5" nocase="1">MKD .</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP anonymous login attempt" sid="2212" enabled="0"> <Token id="content" type="str" nocase="1">USER</Token> <Token id="pcre" type="str">=/^USER\s+(anonymous|ftp)/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP 'MKD / ' possible warez site" sid="2216" enabled="0"> <Token id="content" type="str" nocase="1">MKD</Token> <Token id="content" type="str" distance="1">/ </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="23" remport="*" name="POLICY WinGate telnet server response" sid="2220" enabled="0"> <Token id="content" type="str">WinGate></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="POLICY VNC server response" sid="2240" enabled="0"> <Token id="content" type="str" depth="5">RFB 0</Token> <Token id="content" type="str" depth="2" offset="7">.0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="5632" remport="*" name="POLICY PCAnywhere server response" sid="2264" enabled="0"> <Token id="content" type="str" depth="2">ST</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="POLICY SMTP relaying denied" sid="2268" enabled="0"> <Token id="content" type="str" depth="70">550 5.7.1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="9100" remport="*" name="POLICY HP JetDirect LCD modification attempt" sid="2272" enabled="0"> <Token id="content" type="str">@PJL RDYMSG DISPLAY =</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="address of POLICY poll.gotomypc.com access" name="POLICY poll.gotomypc.com access" sid="5716" enabled="0"/> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="21" remport="*" name="POLICY FTP file_id.diz access possible warez site" sid="5780" enabled="0"> <Token id="content" type="str" nocase="1">RETR</Token> <Token id="content" type="str" distance="1" nocase="1">file_id.diz</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500" remport="*" name="POLICY IPSec PGPNet connection attempt" sid="7084" enabled="0"> <Token id="content" type="str">\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\x10\x02\0\0\0\0\0\0\0\0\x88\r\0\0\\\0\0\0\x01\0\0\0\x01\0\0\0P\x01\x01\0\x02\x03\0\0$\x01\x01\0\0\x80\x01\0\x06\x80\x02\0\x02\x80\x03\0\x03\x80\x04\0\x05\x80\v\0\x01\0\f\0\x04\0\x01Q\x80\0\0\0$\x02\x01\0\0\x80\x01\0\x05\x80\x02\0\x01\x80\x03\0\x03\x80\x04\0\x02\x80\v\0\x01\0\f\0\x04\0\x01Q\x80\0\0\0\x10</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="5800-5802" remport="*" name="POLICY vncviewer Java applet download attempt" sid="7384" enabled="0"> <Token id="content" type="str">/vncviewer.jar</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="49" remport="*" name="POLICY xtacacs login attempt" sid="8160" enabled="0"> <Token id="content" type="str" depth="2">\x80\x01</Token> <Token id="content" type="str" distance="4">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="49" remport="*" name="POLICY xtacacs accepted login response" sid="8168" enabled="0"> <Token id="content" type="str" depth="2">\x80\x02</Token> <Token id="content" type="str" distance="4">\x01</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1723" remport="*" name="POLICY PPTP Start Control Request attempt" sid="8176" enabled="0"> <Token id="content" type="str" depth="2" offset="2">\0\x01</Token> <Token id="content" type="str" depth="2" offset="8">\0\x01</Token> </Rule> </RuleList> <RuleList name="tftp.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="69" remport="*" name="TFTP Put" sid="2072"> <Token id="content" type="str" depth="2">\0\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="69" remport="*" name="TFTP parent directory" sid="2076"> <Token id="content" type="str" offset="2">..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="69" remport="*" name="TFTP root directory" sid="2080"> <Token id="content" type="str" depth="3">\0\x01/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="69" name="TFTP GET Admin.dll" sid="5156"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">admin.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="69" remport="*" name="TFTP GET Admin.dll" sid="5157"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">admin.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="69" name="TFTP GET nc.exe" sid="5764"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">nc.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="69" remport="*" name="TFTP GET nc.exe" sid="5765"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">nc.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="69" name="TFTP GET shadow" sid="5768"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">shadow</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="69" remport="*" name="TFTP GET shadow" sid="5769"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">shadow</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="69" name="TFTP GET passwd" sid="5772"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">passwd</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="69" remport="*" name="TFTP GET passwd" sid="5773"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" nocase="1" offset="2">passwd</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="69" remport="*" name="TFTP Get" sid="5776"> <Token id="content" type="str" depth="2">\0\x01</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="69" name="TFTP GET filename overflow attempt" sid="7764"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" complement="1" within="100">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="69" remport="*" name="TFTP GET filename overflow attempt" sid="7765"> <Token id="content" type="str" depth="2">\0\x01</Token> <Token id="content" type="str" complement="1" within="100">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="all" remaddr_id="all" locport="*" remport="69" name="TFTP PUT filename overflow attempt" sid="9348"> <Token id="content" type="str" depth="2">\0\x02</Token> <Token id="content" type="str" complement="1" within="100">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="all" remaddr_id="all" locport="69" remport="*" name="TFTP PUT filename overflow attempt" sid="9349"> <Token id="content" type="str" depth="2">\0\x02</Token> <Token id="content" type="str" complement="1" within="100">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="69" remport="*" name="TFTP NULL command attempt" sid="9356"> <Token id="content" type="str" depth="2">\0\0</Token> </Rule> </RuleList> <RuleList name="bad-traffic.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="BAD-TRAFFIC ip reserved bit set" sid="2092"> <Token id="ip_frg" type="str">R</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="0" remport="*" name="BAD-TRAFFIC tcp port 0 traffic" sid="2096"/> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="0" remport="*" name="BAD-TRAFFIC tcp port 0 traffic" sid="2097"/> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="0" remport="*" name="BAD-TRAFFIC udp port 0 traffic" sid="2100"/> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="0" remport="*" name="BAD-TRAFFIC udp port 0 traffic" sid="2101"/> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="BAD-TRAFFIC data in TCP SYN packet" sid="2104"> <Token id="dsize" type="int" rel="greater">6</Token> <Token id="tcp_flg" type="str" mask="12">S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC same SRC/DST" sid="2108"> <Token id="sameadr" type="bool">1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC same SRC/DST" sid="2109"> <Token id="sameadr" type="bool">1</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="loopback" name="BAD-TRAFFIC loopback traffic" sid="2112"/> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="loopback" remaddr_id="all" name="BAD-TRAFFIC loopback traffic" sid="2113"/> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="loopback" name="BAD-TRAFFIC loopback traffic" sid="2114"/> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="loopback" remaddr_id="all" name="BAD-TRAFFIC loopback traffic" sid="2115"/> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="BAD-TRAFFIC 0 ttl" sid="5284"> <Token id="ip_ttl" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="multicast" locport="*" remport="*" name="BAD-TRAFFIC syn to multicast address" sid="5724"> <Token id="tcp_flg" type="str">S+</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="multicast" remaddr_id="all" locport="*" remport="*" name="BAD-TRAFFIC syn to multicast address" sid="5725"> <Token id="tcp_flg" type="str">S+</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="BAD-TRAFFIC Unassigned/Reserved IP protocol" sid="6508"> <Token id="ip_ptc" type="int" rel="greater">134</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 53 SWIPE" sid="8744"> <Token id="ip_ptc" type="int">53</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 53 SWIPE" sid="8745"> <Token id="ip_ptc" type="int">53</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 55 IP Mobility" sid="8748"> <Token id="ip_ptc" type="int">55</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 55 IP Mobility" sid="8749"> <Token id="ip_ptc" type="int">55</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 77 Sun ND" sid="8752"> <Token id="ip_ptc" type="int">77</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 77 Sun ND" sid="8753"> <Token id="ip_ptc" type="int">77</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 103 PIM" sid="8756"> <Token id="ip_ptc" type="int">103</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="all" remaddr_id="all" name="BAD-TRAFFIC IP Proto 103 PIM" sid="8757"> <Token id="ip_ptc" type="int">103</Token> </Rule> </RuleList> <RuleList name="netbios.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS DOS RFPoison" sid="2116"> <Token id="content" type="str">\\\0\\\0*\0S\0M\0B\0S\0E\0R\0V\0E\0R\0\0\0\0\0\x01\0\0\0\x01\0\0\0\0\0\0\0\xFF\xFF\xFF\xFF\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS NT NULL session" sid="2120"> <Token id="content" type="str">\0\0\0\0W\0i\0n\0d\0o\0w\0s\0 \0N\0T\0 \01\03\08\01</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB ADMIN$ share access" sid="2128"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">ADMIN$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB C$ share access" sid="2132"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">C$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB CD.." sid="2136"> <Token id="content" type="str">\\../\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB CD..." sid="2140"> <Token id="content" type="str">\\...\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB D$ share access" sid="2144"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">D$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB IPC$ share access" sid="2148"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">IPC$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB IPC$ share unicode access" sid="2152"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">I\0P\0C\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS RFParalyze Attempt" sid="4956"> <Token id="content" type="str">BEAVIS</Token> <Token id="content" type="str">yep yep</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS nimda .eml" sid="5172"> <Token id="content" type="str">\0.\0E\0M\0L</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS nimda .nws" sid="5176"> <Token id="content" type="str">\0.\0N\0W\0S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS nimda RICHED20.DLL" sid="5180"> <Token id="content" type="str">R\0I\0C\0H\0E\0D\02\00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt" sid="8404"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMB%</Token> <Token id="content" type="str" depth="4" offset="43">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB trans2open buffer overflow attempt" sid="8412"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMB2</Token> <Token id="content" type="str" depth="2" offset="60">\0\x14</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="2">256</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB winreg access" sid="8696"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMB\xA2</Token> <Token id="content" type="str" nocase="1" offset="85">\\winreg\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB winreg unicode access" sid="8700"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMB\xA2</Token> <Token id="content" type="str" nocase="1" offset="85">\\\0w\0i\0n\0r\0e\0g\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB startup folder access" sid="8704"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMB2</Token> <Token id="content" type="str" distance="0" nocase="1">Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB startup folder unicode access" sid="8708"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMB2</Token> <Token id="content" type="str" distance="0" nocase="1">\\\0S\0t\0a\0r\0t\0 \0M\0e\0n\0u\0\\\0P\0r\0o\0g\0r\0a\0m\0s\0\\\0S\0t\0a\0r\0t\0u\0p</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="135" remport="*" name="NETBIOS DCERPC invalid bind attempt" sid="8760"> <Token id="content" type="str" within="1">\x05</Token> <Token id="content" type="str" distance="1" within="1">\v</Token> <Token id="byte_test" type="int" format="big" oper="and" relative="1" size="1">1</Token> <Token id="content" type="str" distance="21" within="1">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB DCERPC invalid bind attempt" sid="8764"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="5" nocase="1" within="12">\\\0P\0I\0P\0E\0\\\0</Token> <Token id="content" type="str" distance="2" within="1">\x05</Token> <Token id="content" type="str" distance="1" within="1">\v</Token> <Token id="byte_test" type="int" format="big" oper="and" relative="1" size="1">1</Token> <Token id="content" type="str" distance="21" within="1">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB DCERPC ISystemActivator bind attempt" sid="8772"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="5" nocase="1" within="12">\\\0P\0I\0P\0E\0\\\0</Token> <Token id="content" type="str" distance="0" within="1">\x05</Token> <Token id="content" type="str" distance="1" within="1">\v</Token> <Token id="byte_test" type="int" format="big" oper="and" relative="1" size="1">1</Token> <Token id="content" type="str" distance="29" within="16">\xA0\x01\0\0\0\0\0\0\xC0\0\0\0\0\0\0F</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="135" remport="*" name="NETBIOS DCERPC Remote Activation bind attempt" sid="9004"> <Token id="content" type="str" within="1">\x05</Token> <Token id="content" type="str" distance="1" within="1">\v</Token> <Token id="byte_test" type="int" format="big" oper="and" relative="1" size="1">1</Token> <Token id="content" type="str" distance="29" within="16">\xB8J\x9FM\x1C}\xCF\x11\x86\x1E\0 \xAFn|W</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS DCERPC Remote Activation bind attempt" sid="9008"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="5" nocase="1" within="12">\\\0P\0I\0P\0E\0\\\0</Token> <Token id="content" type="str" within="1">\x05</Token> <Token id="content" type="str" distance="1" within="1">\v</Token> <Token id="byte_test" type="int" format="big" oper="and" relative="1" size="1">1</Token> <Token id="content" type="str" distance="29" within="16">\xB8J\x9FM\x1C}\xCF\x11\x86\x1E\0 \xAFn|W</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="135" remport="*" name="NETBIOS DCERPC Messenger Service buffer overflow attempt" sid="9028"> <Token id="content" type="str" depth="2">\x04\0</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" relative="1" size="1">15</Token> <Token id="byte_jump" type="int" align="1" offset="86" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" offset="8" relative="1">4</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="4">1024</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt" sid="9032"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="5" nocase="1" within="12">\\\0P\0I\0P\0E\0\\\0</Token> <Token id="content" type="str" within="2">\x04\0</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" relative="1" size="1">15</Token> <Token id="byte_jump" type="int" align="1" offset="86" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" offset="8" relative="1">4</Token> <Token id="byte_test" type="int" oper="greater" relative="1" size="4">1024</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB DCERPC Workstation Service unicode bind attempt" sid="9232"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="byte_test" type="int" format="big" offset="5" oper="and" relative="1" size="2">1</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="4" within="15">\\\0P\0I\0P\0E\0\\\0\x05\0\v</Token> <Token id="byte_test" type="int" format="big" offset="1" oper="and" relative="1" size="1">16</Token> <Token id="content" type="str" distance="29" within="16">\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB DCERPC Workstation Service bind attempt" sid="9236"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="byte_test" type="int" format="big" offset="5" oper="xor" relative="1" size="2">1</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="4" within="10">\\PIPE\\\0\x05\0\v</Token> <Token id="byte_test" type="int" format="big" offset="1" oper="and" relative="1" size="1">16</Token> <Token id="content" type="str" distance="29" within="16">\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt" sid="9240"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="byte_test" type="int" format="big" offset="5" oper="and" relative="1" size="2">1</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="4" within="15">\\\0P\0I\0P\0E\0\\\0\x05\0\v</Token> <Token id="byte_test" type="int" format="big" offset="1" oper="and" relative="1" size="1">16</Token> <Token id="content" type="str" distance="29" within="16">\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS DCERPC Workstation Service bind attempt" sid="9244"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMB%</Token> <Token id="byte_test" type="int" format="big" offset="5" oper="xor" relative="1" size="2">1</Token> <Token id="content" type="str" distance="56" within="2">&\0</Token> <Token id="content" type="str" distance="4" within="10">\\PIPE\\\0\x05\0\v</Token> <Token id="byte_test" type="int" format="big" offset="1" oper="and" relative="1" size="1">16</Token> <Token id="content" type="str" distance="29" within="16">\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1024-65535" remport="*" name="NETBIOS DCERPC Workstation Service direct service bind attempt" sid="9260"> <Token id="content" type="str" depth="3">\x05\0\v</Token> <Token id="byte_test" type="int" format="big" offset="1" oper="and" relative="1" size="1">16</Token> <Token id="content" type="str" distance="29" within="16">\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1024-65535" remport="*" name="NETBIOS DCERPC Workstation Service direct service access attempt" sid="9264"> <Token id="content" type="str" depth="2">\x04\0</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="and" relative="1" size="1">16</Token> <Token id="content" type="str" distance="22" within="16">\x98\xD0\xFFk\x12\xA1\x106\x983F\xC3\xF8~4Z</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="135" remport="*" name="NETBIOS DCERPC ISystemActivator path overflow attempt little endian" sid="9404"> <Token id="content" type="str" distance="0" within="1">\x05</Token> <Token id="byte_test" type="int" format="big" offset="3" oper="and" relative="1" size="1">16</Token> <Token id="content" type="str">\\\0\\\0</Token> <Token id="byte_test" type="int" offset="-8" oper="greater" relative="1" size="4">256</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB NTLMSSP invalid mechtype attempt" sid="9528"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="content" type="str" depth="1" offset="63">`</Token> <Token id="content" type="str" distance="1" within="8">\x06\x06+\x06\x01\x05\x05\x02</Token> <Token id="content" type="str" distance="0">\x06\n+\x06\x01\x04\x01\x827\x02\x02\n</Token> <Token id="content" type="str" distance="0">\xA1\x05#\x03\x03\x01\a</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt" sid="9532"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="content" type="str" depth="1" offset="63">`</Token> <Token id="content" type="str" distance="1" within="8">\x06\x06+\x06\x01\x05\x05\x02</Token> <Token id="content" type="str" distance="0">\x06\n+\x06\x01\x04\x01\x827\x02\x02\n</Token> <Token id="content" type="str" distance="0">\xA1\x05#\x03\x03\x01\a</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB NTLMSSP invalid mechlistMIC attempt" sid="9536"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="content" type="str" depth="1" offset="63">`</Token> <Token id="content" type="str" distance="1" within="15">\0\0\0b\x06\x83\0\0\x06+\x06\x01\x05\x05\x02</Token> <Token id="content" type="str" distance="0">\x06\n+\x06\x01\x04\x01\x827\x02\x02\n</Token> <Token id="content" type="str" distance="0">\xA3>0<\xA00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt" sid="9540"> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="content" type="str" depth="1" offset="63">`</Token> <Token id="content" type="str" distance="1" within="15">\0\0\0b\x06\x83\0\0\x06+\x06\x01\x05\x05\x02</Token> <Token id="content" type="str" distance="0">\x06\n+\x06\x01\x04\x01\x827\x02\x02\n</Token> <Token id="content" type="str" distance="0">\xA3>0<\xA00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB Session Setup AndX request username overflow attempt" sid="9604"> <Token id="content" type="str" depth="1">\0</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" size="2">322</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="42" within="4">\0\0\0\0</Token> <Token id="byte_test" type="int" offset="8" oper="greater" relative="1" size="2">255</Token> <Token id="content" type="str" complement="1" distance="10" within="255">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS Session Setup AndX request username overflow attempt" sid="9608"> <Token id="content" type="str" depth="1">\0</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" size="2">322</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="42" within="4">\0\0\0\0</Token> <Token id="byte_test" type="int" offset="8" oper="greater" relative="1" size="2">255</Token> <Token id="content" type="str" complement="1" distance="10" within="255">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB Session Setup AndX request unicode username overflow attempt" sid="9612"> <Token id="content" type="str" distance="0">\0\0</Token> <Token id="content" type="str" distance="0">\0\0</Token> <Token id="content" type="str" depth="1">\0</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" size="2">322</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="and" relative="1" size="1">128</Token> <Token id="byte_test" type="int" offset="54" oper="greater" relative="1" size="2">255</Token> <Token id="content" type="str" distance="56">\0</Token> <Token id="content" type="str" distance="255">\0\0</Token> <Token id="content" type="str" distance="0">\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt" sid="9616"> <Token id="content" type="str" distance="0">\0\0</Token> <Token id="content" type="str" distance="0">\0\0</Token> <Token id="content" type="str" depth="1">\0</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" size="2">322</Token> <Token id="content" type="str" depth="5" nocase="1" offset="4">\xFFSMBs</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="and" relative="1" size="1">128</Token> <Token id="byte_test" type="int" offset="54" oper="greater" relative="1" size="2">255</Token> <Token id="content" type="str" distance="56">\0</Token> <Token id="content" type="str" distance="255">\0\0</Token> <Token id="content" type="str" distance="0">\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS IPC$ share access" sid="9860"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">IPC$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS IPC$ share unicode access" sid="9864"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">I\0P\0C\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB D$ share unicode access" sid="9868"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">D\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS D$ share access" sid="9872"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">D$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS D$ share unicode access" sid="9876"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">D\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB C$ share unicode access" sid="9880"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">C\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS C$ share access" sid="9884"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">C$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS C$ share unicode access" sid="9888"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">C\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="139" remport="*" name="NETBIOS SMB ADMIN$ share unicode access" sid="9892"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">A\0D\0M\0I\0N\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS ADMIN$ share access" sid="9896"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="less" relative="1" size="1">128</Token> <Token id="content" type="str" distance="32" nocase="1">ADMIN$\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="445" remport="*" name="NETBIOS SMB-DS ADMIN$ share unicode access" sid="9900"> <Token id="content" type="str" depth="1">\0</Token> <Token id="content" type="str" depth="5" offset="4">\xFFSMBu</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" relative="1" size="1">127</Token> <Token id="content" type="str" distance="32" nocase="1">A\0D\0M\0I\0N\0$\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="137" name="NETBIOS NS lookup response name overflow attempt" sid="10252"> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" size="1">127</Token> <Token id="content" type="str" depth="2" offset="6">\0\x01</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" size="1">32</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="137" remport="137" name="NETBIOS NS lookup short response attempt" sid="10256"> <Token id="dsize" type="int" rel="less">56</Token> <Token id="byte_test" type="int" format="big" offset="2" oper="greater" size="1">127</Token> <Token id="content" type="str" depth="2" offset="6">\0\x01</Token> </Rule> </RuleList> <RuleList name="chat.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN message" sid="2160" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="1">text/plain</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN message" sid="2161" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="1">text/plain</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="CHAT ICQ access" sid="2164" enabled="0"> <Token id="content" type="str">User-Agent:ICQ</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC nick change" sid="2168" enabled="0"> <Token id="content" type="str">NICK </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC message" sid="5852" enabled="0"> <Token id="content" type="str" nocase="1">PRIVMSG </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC message" sid="5853" enabled="0"> <Token id="content" type="str" nocase="1">PRIVMSG </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="aim_servers" locport="*" remport="*" name="CHAT AIM login" sid="6524" enabled="0"> <Token id="content" type="str" depth="2">*\x01</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="aim_servers" locport="*" remport="*" name="CHAT AIM send message" sid="6528" enabled="0"> <Token id="content" type="str" depth="2">*\x02</Token> <Token id="content" type="str" depth="4" offset="6">\0\x04\0\x06</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="aim_servers" locport="*" remport="*" name="CHAT AIM receive message" sid="6532" enabled="0"> <Token id="content" type="str" depth="2">*\x02</Token> <Token id="content" type="str" depth="4" offset="6">\0\x04\0\a</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC DCC file transfer request" sid="6556" enabled="0"> <Token id="content" type="str" nocase="1">PRIVMSG </Token> <Token id="content" type="str" nocase="1"> :.DCC SEND</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC DCC chat request" sid="6560" enabled="0"> <Token id="content" type="str" nocase="1">PRIVMSG </Token> <Token id="content" type="str" nocase="1"> :.DCC CHAT chat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC channel join" sid="6916" enabled="0"> <Token id="content" type="str" nocase="1">JOIN : #</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC dns request" sid="7156" enabled="0"> <Token id="content" type="str" nocase="1">USERHOST </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666-7000" name="CHAT IRC dns response" sid="7160" enabled="0"> <Token id="content" type="str">:</Token> <Token id="content" type="str"> 302 </Token> <Token id="content" type="str">=+</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="80" name="CHAT ICQ forced user addition" sid="7328" enabled="0"> <Token id="content" type="str" nocase="1">Content-Type: application/x-icq</Token> <Token id="content" type="str">[ICQ User]</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN file transfer request" sid="7944" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" distance="0" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="0" nocase="1">text/x-msmsgsinvite</Token> <Token id="content" type="str">Application-Name:</Token> <Token id="content" type="str" distance="0" nocase="1">File Transfer</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN file transfer request" sid="7945" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" distance="0" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="0" nocase="1">text/x-msmsgsinvite</Token> <Token id="content" type="str">Application-Name:</Token> <Token id="content" type="str" distance="0" nocase="1">File Transfer</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN file transfer accept" sid="7952" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="0">text/x-msmsgsinvite</Token> <Token id="content" type="str">Invitation-Command:</Token> <Token id="content" type="str" distance="1">ACCEPT</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN file transfer accept" sid="7953" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="0">text/x-msmsgsinvite</Token> <Token id="content" type="str">Invitation-Command:</Token> <Token id="content" type="str" distance="1">ACCEPT</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN file transfer reject" sid="7956" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="0">text/x-msmsgsinvite</Token> <Token id="content" type="str">Invitation-Command:</Token> <Token id="content" type="str" distance="0">CANCEL</Token> <Token id="content" type="str" nocase="1">Cancel-Code:</Token> <Token id="content" type="str" distance="0" nocase="1">REJECT</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN file transfer reject" sid="7957" enabled="0"> <Token id="content" type="str" depth="4">MSG </Token> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="content" type="str" distance="0">text/x-msmsgsinvite</Token> <Token id="content" type="str">Invitation-Command:</Token> <Token id="content" type="str" distance="0">CANCEL</Token> <Token id="content" type="str" nocase="1">Cancel-Code:</Token> <Token id="content" type="str" distance="0" nocase="1">REJECT</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN user search" sid="7960" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">CAL </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1863" name="CHAT MSN login attempt" sid="7964" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">USR </Token> <Token id="content" type="str" distance="1" nocase="1"> TWN </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM successful logon" sid="9800" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0\x01</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM voicechat" sid="9804" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0J</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM ping" sid="9808" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0\x12</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM conference invitation" sid="9812" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0\x18</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM conference logon success" sid="9816" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0\x19</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM conference message" sid="9820" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0\x1D</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="all" locport="*" remport="5050" name="CHAT Yahoo IM file transfer request" sid="9824" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0M</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="all" remaddr_id="all" locport="5050" remport="*" name="CHAT Yahoo IM file transfer request" sid="9825" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0M</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="all" remaddr_id="all" locport="*" remport="5101" name="CHAT Yahoo IM message" sid="9828" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="all" locport="5101" remport="*" name="CHAT Yahoo IM message" sid="9829" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="all" remaddr_id="all" locport="*" remport="5101" name="CHAT Yahoo IM message" sid="9830" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="all" remaddr_id="all" locport="5101" remport="*" name="CHAT Yahoo IM message" sid="9831" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM successful chat join" sid="9832" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0\x98</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5050" name="CHAT Yahoo IM webcam offer invitation" sid="9836" enabled="0"> <Token id="content" type="str" depth="4" nocase="1">YMSG</Token> <Token id="content" type="str" depth="2" offset="10">\0P</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5100" name="CHAT Yahoo IM webcam request" sid="9840" enabled="0"> <Token id="content" type="str" depth="2"><R</Token> <Token id="pcre" type="str">=/^\x3c(REQIMG|RVWCFG)\x3e/ism</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5100" name="CHAT Yahoo IM webcam watch" sid="9844" enabled="0"> <Token id="content" type="str" depth="4">\r\0\x05\0</Token> </Rule> </RuleList> <RuleList name="p2p.rules"> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="8888" name="P2P napster login" sid="2196" enabled="0"> <Token id="content" type="str" depth="3" offset="1">\0\x02\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="8888" name="P2P napster new user login" sid="2200" enabled="0"> <Token id="content" type="str" depth="3" offset="1">\0\x06\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8888" remport="*" name="P2P napster download attempt" sid="2204" enabled="0"> <Token id="content" type="str" depth="3" offset="1">\0\xCB\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="8888" name="P2P napster upload request" sid="2208" enabled="0"> <Token id="content" type="str" depth="3" offset="1">\0_\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="P2P Outbound GNUTella client request" sid="2224" enabled="0"> <Token id="content" type="str" depth="40">GNUTELLA CONNECT</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="P2P GNUTella client request" sid="2228" enabled="0"> <Token id="content" type="str" depth="40">GNUTELLA OK</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6699" name="P2P Napster Client Data" sid="2244" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6699" name="P2P Napster Client Data" sid="2245" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="7777" name="P2P Napster Client Data" sid="2248" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="7777" name="P2P Napster Client Data" sid="2249" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666" name="P2P Napster Client Data" sid="2252" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6666" name="P2P Napster Client Data" sid="2253" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5555" name="P2P Napster Client Data" sid="2256" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="5555" name="P2P Napster Client Data" sid="2257" enabled="0"> <Token id="content" type="str" nocase="1">.mp3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="8875" name="P2P Napster Server Login" sid="2260" enabled="0"> <Token id="content" type="str">anon@napster.com</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="8875" name="P2P Napster Server Login" sid="2261" enabled="0"> <Token id="content" type="str">anon@napster.com</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1214" remport="*" name="P2P Fastrack kazaa/morpheus GET request" sid="5532" enabled="0"> <Token id="content" type="str" depth="4">GET </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="!80" name="P2P GNUTella GET" sid="5728" enabled="0"> <Token id="content" type="str" depth="4">GET </Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="P2P Fastrack kazaa/morpheus traffic" sid="6796" enabled="0"> <Token id="content" type="str" depth="3">GET</Token> <Token id="content" type="str">UserAgent: KazaaClient</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="P2P BitTorrent announce request" sid="8720" enabled="0"> <Token id="content" type="str" depth="4">GET</Token> <Token id="content" type="str" distance="1">/announce</Token> <Token id="content" type="str" offset="4">info_hash=</Token> <Token id="content" type="str" offset="4">event=started</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="6881-6889" name="P2P BitTorrent transfer" sid="8724" enabled="0"> <Token id="content" type="str" depth="20">\x13BitTorrent protocol</Token> </Rule> </RuleList> <RuleList name="rpc.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC snmpXdmi overflow attempt TCP" sid="2276"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x87\x99</Token> <Token id="content" type="str" distance="4" within="4">\0\0\x01\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="20" oper="greater" relative="1" size="4">1024</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd TCP export request" sid="2296"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x05</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap admind request UDP" sid="2300"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xF7</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap amountd request UDP" sid="2304"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x03</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap bootparam request UDP" sid="2308"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xBA</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap cmsd request UDP" sid="2312"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xE4</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap mountd request UDP" sid="2316"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA5</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap nisd request UDP" sid="2320"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\xCC</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap pcnfsd request UDP" sid="2324"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x02I\xF1</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rexd request UDP" sid="2328"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xB1</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rstatd request UDP" sid="2332"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA1</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rusers request UDP" sid="2336"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA2</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap sadmind request UDP" sid="2340"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x88</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap selection_svc request UDP" sid="2344"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xAF</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap status request UDP" sid="2348"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xB8</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap ttdbserv request UDP" sid="2352"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xF3</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap yppasswd request UDP" sid="2356"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA9</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap ypserv request UDP" sid="2360"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA4</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap ypupdated request TCP" sid="2364"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xBC</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap snmpXdmi request TCP" sid="2372"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x99</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap espd request TCP" sid="2380"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x05\xF7u</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap listing TCP 111" sid="2392"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x04</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="32771" remport="*" name="RPC portmap listing TCP 32771" sid="2396"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x04</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC rusers query UDP" sid="2448"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA2</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap admind request TCP" sid="5048"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xF7</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap amountd request TCP" sid="5052"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x03</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap bootparam request TCP" sid="5056"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xBA</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap cmsd request TCP" sid="5060"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xE4</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap mountd request TCP" sid="5064"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA5</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap nisd request TCP" sid="5068"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\xCC</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap pcnfsd request TCP" sid="5072"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x02I\xF1</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rexd request TCP" sid="5076"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xB1</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rstatd request TCP" sid="5080"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA1</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rusers request TCP" sid="5084"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA2</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap sadmind request TCP" sid="5088"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x88</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap selection_svc request TCP" sid="5092"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xAF</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap ttdbserv request TCP" sid="5096"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xF3</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap yppasswd request TCP" sid="5100"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA9</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap ypserv request TCP" sid="5104"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA4</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap ypupdated request UDP" sid="5108"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xBC</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap snmpXdmi request UDP" sid="5116"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x99</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap listing UDP 111" sid="5120"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x04</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="32771" remport="*" name="RPC portmap listing UDP 32771" sid="5124"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x04</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rwalld request UDP" sid="6928"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA8</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rwalld request TCP" sid="6932"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA8</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap cachefsd request UDP" sid="6984"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x8B</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap cachefsd request TCP" sid="6988"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87\x8B</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1024-65535" remport="*" name="RPC status GHBN format string attack" sid="7560"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xB8</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="256">%x %x</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1024-65535" remport="*" name="RPC status GHBN format string attack" sid="7564"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xB8</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="256">%x %x</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500-65535" remport="*" name="RPC AMD UDP amqproc_mount plog overflow attempt" sid="7620"> <Token id="content" type="str" depth="4" offset="12">\0\x04\x93\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\a</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">512</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="500-65535" remport="*" name="RPC AMD TCP amqproc_mount plog overflow attempt" sid="7624"> <Token id="content" type="str" depth="4" offset="16">\0\x04\x93\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\a</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">512</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC CMSD UDP CMSD_CREATE buffer overflow attempt" sid="7628"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xE4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x15</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">1024</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC CMSD TCP CMSD_CREATE buffer overflow attempt" sid="7632"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xE4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x15</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">1024</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC CMSD TCP CMSD_INSERT buffer overflow attempt" sid="7636"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xE4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x06</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="28" oper="greater" relative="1" size="4">1000</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC CMSD udp CMSD_INSERT buffer overflow attempt" sid="7640"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xE4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x06</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="28" oper="greater" relative="1" size="4">1000</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt" sid="7644"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x87\x88</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="124" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="20" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="4" oper="greater" relative="1" size="4">512</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt" sid="7648"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x87\x88</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="124" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="20" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="4" oper="greater" relative="1" size="4">512</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC STATD UDP stat mon_name format string exploit attempt" sid="7652"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xB8</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">100</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC STATD TCP stat mon_name format string exploit attempt" sid="7656"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xB8</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">100</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC STATD UDP monitor mon_name format string exploit attempt" sid="7660"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xB8</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">100</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC STATD TCP monitor mon_name format string exploit attempt" sid="7664"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xB8</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">100</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap proxy attempt TCP" sid="7688"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x05</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap proxy attempt UDP" sid="7692"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x05</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd UDP export request" sid="7696"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x05</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd TCP exportall request" sid="7700"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x06</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd UDP exportall request" sid="7704"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x06</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap SET attempt TCP 111" sid="7796"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap SET attempt UDP 111" sid="7800"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd TCP mount request" sid="7804"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd UDP mount request" sid="7808"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="500-65535" remport="*" name="RPC AMD TCP pid request" sid="7812"> <Token id="content" type="str" depth="4" offset="16">\0\x04\x93\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\t</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500-65535" remport="*" name="RPC AMD UDP pid request" sid="7816"> <Token id="content" type="str" depth="4" offset="12">\0\x04\x93\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\t</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="500-65535" remport="*" name="RPC AMD TCP version request" sid="7820"> <Token id="content" type="str" depth="4" offset="16">\0\x04\x93\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\b</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="500-65535" remport="*" name="RPC AMD UDP version request" sid="7824"> <Token id="content" type="str" depth="4" offset="12">\0\x04\x93\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\b</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC sadmind UDP PING" sid="7828"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x87\x88</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\0</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC sadmind TCP PING" sid="7832"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x87\x88</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\0</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap NFS request UDP" sid="7836"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA3</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap NFS request TCP" sid="7840"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xA3</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap RQUOTA request UDP" sid="7844"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xAB</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap RQUOTA request TCP" sid="7848"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xAB</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC RQUOTA getquota overflow attempt UDP" sid="7852"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xAB</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">128</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC tooltalk UDP overflow attempt" sid="7856"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\a</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">128</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC tooltalk TCP overflow attempt" sid="7860"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xF3</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\a</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">128</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap kcms_server request UDP" sid="8020"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87}</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap kcms_server request TCP" sid="8024"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x87}</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="32771-34000" remport="*" name="RPC kcms_server directory traversal attempt" sid="8028"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x87}</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="20" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" distance="0">/../</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap UNSET attempt TCP 111" sid="8056"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap UNSET attempt UDP 111" sid="8060"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap status request TCP" sid="8064"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xB8</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap espd request UDP" sid="8068"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x05\xF7u</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd TCP dump request" sid="8072"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd UDP dump request" sid="8076"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x02</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd TCP unmount request" sid="8080"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd UDP unmount request" sid="8084"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd TCP unmountall request" sid="8088"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x04</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd UDP unmountall request" sid="8092"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA5</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x04</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC RQUOTA getquota overflow attempt TCP" sid="8096"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xAB</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">128</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd username overflow attempt UDP" sid="8100"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">64</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd username overflow attempt TCP" sid="8104"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">64</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd old password overflow attempt UDP" sid="8108"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">64</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd old password overflow attempt TCP" sid="8112"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">64</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd new password overflow attempt UDP" sid="8116"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">64</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd new password overflow attempt TCP" sid="8120"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">64</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd user update UDP" sid="8124"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC yppasswd user update TCP" sid="8128"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA9</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC ypserv maplist request UDP" sid="8132"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\v</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC ypserv maplist request TCP" sid="8136"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\v</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap network-status-monitor request UDP" sid="8140"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x03\rp</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap network-status-monitor request TCP" sid="8144"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x03\rp</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC network-status-monitor mon-callback request UDP" sid="8148"> <Token id="content" type="str" depth="4" offset="12">\0\x03\rp</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC network-status-monitor mon-callback request TCP" sid="8152"> <Token id="content" type="str" depth="4" offset="16">\0\x03\rp</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC snmpXdmi overflow attempt UDP" sid="8180"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x87\x99</Token> <Token id="content" type="str" distance="4" within="4">\0\0\x01\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="20" oper="greater" relative="1" size="4">1024</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap nlockmgr request UDP" sid="8316"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xB5</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap nlockmgr request TCP" sid="8320"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x01\x86\xB5</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rpc.xfsmd request UDP" sid="8324"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x05\xF7h</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap rpc.xfsmd request TCP" sid="8328"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xA0</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x03</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" within="4">\0\x05\xF7h</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC rpc.xfsmd xfs_export attempt UDP" sid="8332"> <Token id="content" type="str" depth="4" offset="12">\0\x05\xF7h</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\r</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC rpc.xfsmd xfs_export attempt TCP" sid="8336"> <Token id="content" type="str" depth="4" offset="16">\0\x05\xF7h</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\r</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC ypupdated arbitrary command attempt UDP" sid="8352"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xBC</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" distance="4">|</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC ypupdated arbitrary command attempt TCP" sid="8356"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xBC</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="content" type="str" distance="4">|</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap proxy integer overflow attempt UDP" sid="8368"> <Token id="content" type="str" depth="5" offset="12">\0\x01\x86\xA0\0</Token> <Token id="content" type="str" distance="3" within="4">\0\0\0\x05</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="4">2048</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="111" remport="*" name="RPC portmap proxy integer overflow attempt TCP" sid="8372"> <Token id="content" type="str" depth="5" offset="16">\0\x01\x86\xA0\0</Token> <Token id="content" type="str" distance="3" within="4">\0\0\0\x05</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="12" oper="greater" relative="1" size="4">2048</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC CMSD UDP CMSD_CREATE array buffer overflow attempt" sid="8376"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x86\xE4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x15</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="20" oper="greater" relative="1" size="4">1024</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC CMSD TCP CMSD_CREATE array buffer overflow attempt" sid="8380"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x86\xE4</Token> <Token id="content" type="str" distance="4" within="4">\0\0\0\x15</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" offset="20" oper="greater" relative="1" size="4">1024</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd TCP mount path overflow attempt" sid="8736"> <Token id="content" type="str" depth="5" offset="16">\0\x01\x86\xA5\0</Token> <Token id="content" type="str" distance="3" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">1023</Token> <Token id="content" type="str" depth="4" offset="8">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC mountd UDP mount path overflow attempt" sid="8740"> <Token id="content" type="str" depth="5" offset="12">\0\x01\x86\xA5\0</Token> <Token id="content" type="str" distance="3" within="4">\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="4" relative="1">4</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="4">1023</Token> <Token id="content" type="str" depth="4" offset="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC sadmind query with root credentials attempt TCP" sid="9020"> <Token id="content" type="str" depth="4" offset="16">\0\x01\x87\x88</Token> <Token id="content" type="str" distance="4" within="8">\0\0\0\x01\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="8" relative="1">4</Token> <Token id="content" type="str" within="4">\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="RPC sadmind query with root credentials attempt UDP" sid="9024"> <Token id="content" type="str" depth="4" offset="12">\0\x01\x87\x88</Token> <Token id="content" type="str" distance="4" within="8">\0\0\0\x01\0\0\0\x01</Token> <Token id="byte_jump" type="int" align="1" format="big" offset="8" relative="1">4</Token> <Token id="content" type="str" within="4">\0\0\0\0</Token> </Rule> </RuleList> <RuleList name="rservices.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="513" remport="*" name="RSERVICES rlogin LinuxNIS" sid="2404"> <Token id="content" type="str">::::::::\0::::::::</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="513" remport="*" name="RSERVICES rlogin bin" sid="2408"> <Token id="content" type="str">bin\0bin\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="513" remport="*" name="RSERVICES rlogin echo++" sid="2412"> <Token id="content" type="str">echo \" + + \"</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="513" remport="*" name="RSERVICES rsh froot" sid="2416"> <Token id="content" type="str">-froot\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="513" remport="*" name="RSERVICES rlogin login failure" sid="2420"> <Token id="content" type="str">login incorrect</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="513" remport="*" name="RSERVICES rlogin root" sid="2424"> <Token id="content" type="str">root\0root\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="514" remport="*" name="RSERVICES rsh bin" sid="2428"> <Token id="content" type="str">bin\0bin\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="514" remport="*" name="RSERVICES rsh echo + +" sid="2432"> <Token id="content" type="str">echo \"+ +\"</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="514" remport="*" name="RSERVICES rsh froot" sid="2436"> <Token id="content" type="str">-froot\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="514" remport="*" name="RSERVICES rsh root" sid="2440"> <Token id="content" type="str">root\0root\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="513" remport="*" name="RSERVICES rlogin login failure" sid="2444"> <Token id="content" type="str">\x01rlogind: Permission denied.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="512" remport="*" name="RSERVICES rexec username overflow attempt" sid="8452"> <Token id="content" type="str" offset="9">\0</Token> <Token id="content" type="str" distance="0">\0</Token> <Token id="content" type="str" distance="0">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="512" remport="*" name="RSERVICES rexec password overflow attempt" sid="8456"> <Token id="content" type="str">\0</Token> <Token id="content" type="str" distance="33">\0</Token> <Token id="content" type="str" distance="0">\0</Token> </Rule> </RuleList> <RuleList name="scan.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="10101" name="SCAN myscan" sid="2452"> <Token id="tcp_ack" type="int">0</Token> <Token id="tcp_flg" type="str">S</Token> <Token id="ip_ttl" type="int" rel="greater">220</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="1080" remport="*" name="SCAN SOCKS Proxy attempt" sid="2460"> <Token id="tcp_flg" type="str" mask="12">S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="113" remport="*" name="SCAN ident version request" sid="2464"> <Token id="content" type="str" depth="16">VERSION\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="3128" remport="*" name="SCAN Squid Proxy attempt" sid="2472"> <Token id="tcp_flg" type="str" mask="12">S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="80" remport="*" name="SCAN cybercop os probe" sid="2476"> <Token id="dsize" type="int">0</Token> <Token id="tcp_flg" type="str">FS12</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="8080" remport="*" name="SCAN Proxy Port 8080 attempt" sid="2480"> <Token id="tcp_flg" type="str" mask="12">S</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN FIN" sid="2484"> <Token id="tcp_flg" type="str" mask="12">F</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN ipEye SYN scan" sid="2488"> <Token id="tcp_flg" type="str">S</Token> <Token id="tcp_seq" type="int">1958810375</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN NULL" sid="2492"> <Token id="tcp_ack" type="int">0</Token> <Token id="tcp_flg" type="str">F</Token> <Token id="tcp_seq" type="int">0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN SYN FIN" sid="2496"> <Token id="tcp_flg" type="str" mask="12">FS</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN XMAS" sid="2500"> <Token id="tcp_flg" type="str" mask="12">FSRPAU</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN cybercop os PA12 attempt" sid="2504"> <Token id="tcp_flg" type="str">PA12</Token> <Token id="content" type="str" depth="16">AAAAAAAAAAAAAAAA</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN cybercop os SFU12 probe" sid="2508"> <Token id="tcp_ack" type="int">0</Token> <Token id="tcp_flg" type="str">FSU12</Token> <Token id="content" type="str" depth="16">AAAAAAAAAAAAAAAA</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN synscan portscan" sid="2520"> <Token id="tcp_flg" type="str">FS</Token> <Token id="ip_id" type="int">39426</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="10080-10081" remport="*" name="SCAN Amanda client version request" sid="2536"> <Token id="content" type="str" nocase="1">Amanda</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="49" remport="*" name="SCAN XTACACS logout" sid="2540"> <Token id="content" type="str">\x80\a\0\0\a\0\0\x04\0\0\0\0\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="7" remport="*" name="SCAN cybercop udp bomb" sid="2544"> <Token id="content" type="str">cybercop</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN Webtrends Scanner UDP Probe" sid="2548"> <Token id="content" type="str">\nhelp\nquite\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="SCAN cybercop os probe" sid="4532"> <Token id="tcp_ack" type="int">0</Token> <Token id="tcp_flg" type="str">FSP</Token> <Token id="content" type="str" depth="16">AAAAAAAAAAAAAAAA</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="*" name="SCAN nmap XMAS" sid="4912"> <Token id="tcp_flg" type="str" mask="12">FPU</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="22" remport="*" name="SCAN SSH Version map attempt" sid="6552"> <Token id="content" type="str" nocase="1">Version_Mapper</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1900" remport="*" name="SCAN UPnP service discover attempt" sid="7668"> <Token id="content" type="str" depth="9">M-SEARCH </Token> <Token id="content" type="str">ssdp:discover</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="icmp" locaddr_id="home_net" remaddr_id="external_net" name="SCAN SolarWinds IP scan attempt" sid="7672"> <Token id="icmp_code" type="int">0</Token> <Token id="icmp_type" type="int">8</Token> <Token id="content" type="str">SolarWinds.Net</Token> </Rule> </RuleList> <RuleList name="smtp.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP ehlo cybercop attempt" sid="2524"> <Token id="content" type="str">ehlo cybercop\nquit\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP expn cybercop attempt" sid="2528"> <Token id="content" type="str">expn cybercop</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP RCPT TO overflow" sid="2616"> <Token id="content" type="str" nocase="1">rcpt to:</Token> <Token id="isdataat" type="int" rel="relative">300</Token> <Token id="pcre" type="str">=/^RCPT TO\s[^\n]{300}/ism</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="113" name="SMTP sendmail 8.6.9 exploit" sid="2620"> <Token id="content" type="str">\nD/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP chameleon overflow" sid="2628"> <Token id="content" type="str" nocase="1">HELP</Token> <Token id="isdataat" type="int" rel="relative">500</Token> <Token id="pcre" type="str">=/^HELP\s[^\n]{500}/ism</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP exchange mime DOS" sid="2632"> <Token id="content" type="str">charset = \"\"</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP expn decode" sid="2636"> <Token id="content" type="str" nocase="1">expn</Token> <Token id="content" type="str" nocase="1">decode</Token> <Token id="pcre" type="str">=/^expn\s+decode/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP expn root" sid="2640"> <Token id="content" type="str" nocase="1">expn</Token> <Token id="content" type="str" nocase="1">root</Token> <Token id="pcre" type="str">=/^expn\s+root/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP majordomo ifs" sid="2644"> <Token id="content" type="str">eply-to: a~.`/bin/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP sendmail 5.5.5 exploit" sid="2648"> <Token id="content" type="str" nocase="1">mail from: \"|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP rcpt to command attempt" sid="2652"> <Token id="content" type="str" nocase="1">rcpt to:</Token> <Token id="pcre" type="str">=/^rcpt\s+to\:\s+[|\x3b]/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP RCPT TO decode attempt" sid="2656"> <Token id="content" type="str">rcpt to:</Token> <Token id="content" type="str" distance="0" nocase="1">decode</Token> <Token id="pcre" type="str">=/^rcpt to\:\s+decode/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP sendmail 5.6.5 exploit" sid="2660"> <Token id="content" type="str" nocase="1">MAIL FROM: |/usr/ucb/tail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP sendmail 8.6.10 exploit" sid="2668"> <Token id="content" type="str">Croot\r\nMprog, P=/bin/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP sendmail 8.6.10 exploit" sid="2672"> <Token id="content" type="str">Croot\t\t\t\t\t\t\tMprog,P=/bin</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP sendmail 8.6.9 exploit" sid="2676"> <Token id="content" type="str">\nCroot\nMprog</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP sendmail 8.6.9 exploit" sid="2680"> <Token id="content" type="str">\nC:daemon\nR</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP sendmail 8.6.9c exploit" sid="2684"> <Token id="content" type="str">\nCroot\r\nMprog</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP vrfy decode" sid="2688"> <Token id="content" type="str" nocase="1">vrfy</Token> <Token id="content" type="str" distance="1" nocase="1">decode</Token> <Token id="pcre" type="str">=/^vrfy\s+decode/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP vrfy root" sid="5784"> <Token id="content" type="str" nocase="1">vrfy</Token> <Token id="content" type="str" distance="1" nocase="1">root</Token> <Token id="pcre" type="str">=/^vrfy\s+root/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP expn *@" sid="5800"> <Token id="content" type="str" nocase="1">expn</Token> <Token id="content" type="str">*@</Token> <Token id="pcre" type="str">=/^expn\s+\*@/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP HELO overflow attempt" sid="6196"> <Token id="content" type="str">HELO</Token> <Token id="isdataat" type="int" rel="relative">500</Token> <Token id="pcre" type="str">=/^HELO\s[^\n]{500}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP ETRN overflow attempt" sid="6200"> <Token id="content" type="str">ETRN</Token> <Token id="isdataat" type="int" rel="relative">500</Token> <Token id="pcre" type="str">=/^ETRN\s[^\n]{500}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP From comment overflow attempt" sid="8348"> <Token id="content" type="str">From:</Token> <Token id="content" type="str" distance="0"><><><><><><><><><><><><><><><><><><><><><><></Token> <Token id="content" type="str" distance="1">(</Token> <Token id="content" type="str" distance="1">)</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP Content-Transfer-Encoding overflow attempt" sid="8732"> <Token id="content" type="str">Content-Transfer-Encoding:</Token> <Token id="isdataat" type="int" rel="relative">100</Token> <Token id="content" type="str" complement="1" within="100">\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP XEXCH50 overflow attempt" sid="9012"> <Token id="content" type="str" nocase="1">XEXCH50</Token> <Token id="pcre" type="str">=/^XEXCH50\s+-\d/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP EXPN overflow attempt" sid="9036"> <Token id="content" type="str" nocase="1">EXPN</Token> <Token id="pcre" type="str">=/^EXPN[^\n]{255,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP VRFY overflow attempt" sid="9040"> <Token id="content" type="str" nocase="1">VRFY</Token> <Token id="pcre" type="str">=/^VRFY[^\n]{255,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP SEND FROM sendmail prescan too many addresses overflow" sid="9044"> <Token id="content" type="str" nocase="1">SEND FROM:</Token> <Token id="pcre" type="str">=/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP SEND FROM sendmail prescan too long addresses overflow" sid="9048"> <Token id="content" type="str" nocase="1">SEND FROM:</Token> <Token id="pcre" type="str">=/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP SAML FROM sendmail prescan too many addresses overflow" sid="9052"> <Token id="content" type="str" nocase="1">SAML FROM:</Token> <Token id="pcre" type="str">=/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP SAML FROM sendmail prescan too long addresses overflow" sid="9056"> <Token id="content" type="str" nocase="1">SAML FROM:</Token> <Token id="pcre" type="str">=/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP SOML FROM sendmail prescan too many addresses overflow" sid="9060"> <Token id="content" type="str" nocase="1">SOML FROM:</Token> <Token id="pcre" type="str">=/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP SOML FROM sendmail prescan too long addresses overflow" sid="9064"> <Token id="content" type="str" nocase="1">SOML FROM:</Token> <Token id="pcre" type="str">=/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP MAIL FROM sendmail prescan too many addresses overflow" sid="9068"> <Token id="content" type="str" nocase="1">MAIL FROM:</Token> <Token id="pcre" type="str">=/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP MAIL FROM sendmail prescan too long addresses overflow" sid="9072"> <Token id="content" type="str" nocase="1">MAIL FROM:</Token> <Token id="pcre" type="str">=/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP RCPT TO sendmail prescan too many addresses overflow" sid="9076"> <Token id="content" type="str" nocase="1">RCPT TO:</Token> <Token id="pcre" type="str">=/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP RCPT TO sendmail prescan too long addresses overflow" sid="9080"> <Token id="content" type="str" nocase="1">RCPT TO:</Token> <Token id="pcre" type="str">=/^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP AUTH LOGON brute force attempt" sid="9100"> <Token id="content" type="str" nocase="1" offset="54">Authentication unsuccessful</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP WinZip MIME content-type buffer overflow" sid="9948"> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="pcre" type="str">=/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi</Token> <Token id="pcre" type="str">=/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="25" remport="*" name="SMTP WinZip MIME content-disposition buffer overflow" sid="9952"> <Token id="content" type="str" nocase="1">Content-Type:</Token> <Token id="pcre" type="str">=/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi</Token> <Token id="content" type="str" nocase="1">Content-Disposition:</Token> <Token id="pcre" type="str">=/name=\s*[^\r\n\x3b\s\x2c]{300}/smi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="465" remport="*" name="SMTP SSLv3 invalid data version attempt" sid="10016"> <Token id="content" type="str" depth="2">\x16\x03</Token> <Token id="content" type="str" depth="1" offset="5">\x01</Token> <Token id="content" type="str" complement="1" depth="1" offset="9">\x03</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="smtp_servers" remaddr_id="external_net" locport="465" remport="*" name="SMTP Client_Hello overflow attempt" sid="10076"> <Token id="content" type="str" depth="1" offset="2">\x01</Token> <Token id="byte_test" type="int" format="big" offset="6" oper="greater" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">0</Token> <Token id="byte_test" type="int" complement="1" format="big" offset="8" size="2">16</Token> <Token id="byte_test" type="int" format="big" offset="10" oper="greater" size="2">20</Token> <Token id="content" type="str" depth="1" offset="11">\x8F</Token> <Token id="byte_test" type="int" format="big" oper="greater" relative="1" size="2">32768</Token> </Rule> </RuleList> <RuleList name="shellcode.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE SGI NOOP" sid="2552" enabled="0"> <Token id="content" type="str">\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%\x03\xE0\xF8%</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE SGI NOOP" sid="2556" enabled="0"> <Token id="content" type="str">$\x0F\x124$\x0F\x124$\x0F\x124$\x0F\x124</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE AIX NOOP" sid="2560" enabled="0"> <Token id="content" type="str">O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82O\xFF\xFB\x82</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE Digital UNIX NOOP" sid="2564" enabled="0"> <Token id="content" type="str">G\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1FG\xFF\x04\x1F</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE HP-UX NOOP" sid="2568" enabled="0"> <Token id="content" type="str">\b!\x02\x80\b!\x02\x80\b!\x02\x80\b!\x02\x80</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE HP-UX NOOP" sid="2572" enabled="0"> <Token id="content" type="str">\v9\x02\x80\v9\x02\x80\v9\x02\x80\v9\x02\x80</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE sparc NOOP" sid="2576" enabled="0"> <Token id="content" type="str">\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6\x13\xC0\x1C\xA6</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE sparc NOOP" sid="2580" enabled="0"> <Token id="content" type="str">\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11\x80\x1C@\x11</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE sparc NOOP" sid="2584" enabled="0"> <Token id="content" type="str">\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13\xA6\x1C\xC0\x13</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE sparc setuid 0" sid="2588" enabled="0"> <Token id="content" type="str">\x82\x10 \x17\x91\xD0 \b</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 NOOP" sid="2592" enabled="0"> <Token id="content" type="str" depth="128">\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 setgid 0" sid="2596" enabled="0"> <Token id="content" type="str">\xB0\xB5\xCD\x80</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 setuid 0" sid="2600" enabled="0"> <Token id="content" type="str">\xB0\x17\xCD\x80</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 stealth NOOP" sid="2604" enabled="0"> <Token id="content" type="str">\xEB\x02\xEB\x02\xEB\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE Linux shellcode" sid="2608" enabled="0"> <Token id="content" type="str">\x90\x90\x90\xE8\xC0\xFF\xFF\xFF/bin/sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 unicode NOOP" sid="2612" enabled="0"> <Token id="content" type="str">\x90\0\x90\0\x90\0\x90\0\x90\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 inc ebx NOOP" sid="5560" enabled="0"> <Token id="content" type="str">CCCCCCCCCCCCCCCCCCCCCCCC</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 NOOP" sid="5576" enabled="0"> <Token id="content" type="str">aaaaaaaaaaaaaaaaaaaaa</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 0xEB0C NOOP" sid="5696" enabled="0"> <Token id="content" type="str">\xEB\f\xEB\f\xEB\f\xEB\f\xEB\f\xEB\f\xEB\f\xEB\f</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 0x71FB7BAB NOOP" sid="9248" enabled="0"> <Token id="content" type="str">q\xFB{\xABq\xFB{\xABq\xFB{\xABq\xFB{\xAB</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 0x71FB7BAB NOOP unicode" sid="9252" enabled="0"> <Token id="content" type="str">q\0\xFB\0{\0\xAB\0q\0\xFB\0{\0\xAB\0q\0\xFB\0{\0\xAB\0q\0\xFB\0{\0\xAB\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="ip" locaddr_id="home_net" remaddr_id="external_net" name="SHELLCODE x86 0x90 NOOP unicode" sid="9256" enabled="0"> <Token id="content" type="str">\x90\0\x90\0\x90\0\x90\0\x90\0\x90\0\x90\0\x90\0</Token> </Rule> </RuleList> <RuleList name="sql.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL sp_start_job - program execution" sid="2692"> <Token id="content" type="str" nocase="1">s\0p\0_\0s\0t\0a\0r\0t\0_\0j\0o\0b\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_displayparamstmt possible buffer overflow" sid="2696"> <Token id="content" type="str" nocase="1">x\0p\0_\0d\0i\0s\0p\0l\0a\0y\0p\0a\0r\0a\0m\0s\0t\0m\0t</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_setsqlsecurity possible buffer overflow" sid="2700"> <Token id="content" type="str" nocase="1">x\0p\0_\0s\0e\0t\0s\0q\0l\0s\0e\0c\0u\0r\0i\0t\0y\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB sp_start_job - program execution" sid="2704"> <Token id="content" type="str" depth="32" nocase="1" offset="32">s\0p\0_\0s\0t\0a\0r\0t\0_\0j\0o\0b\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB sp_password password change" sid="2708"> <Token id="content" type="str" nocase="1">s\0p\0_\0p\0a\0s\0s\0w\0o\0r\0d\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB sp_delete_alert log file deletion" sid="2712"> <Token id="content" type="str" nocase="1">s\0p\0_\0d\0e\0l\0e\0t\0e\0_\0a\0l\0e\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB sp_adduser database user creation" sid="2716"> <Token id="content" type="str" depth="32" nocase="1" offset="32">s\0p\0_\0a\0d\0d\0u\0s\0e\0r\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB sa login failed" sid="2720"> <Token id="content" type="str" offset="83">Login failed for user 'sa'</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_cmdshell program execution" sid="2724"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0c\0m\0d\0s\0h\0e\0l\0l\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_enumresultset possible buffer overflow" sid="2728"> <Token id="content" type="str" nocase="1">x\0p\0_\0e\0n\0u\0m\0r\0e\0s\0u\0l\0t\0s\0e\0t\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL sp_password - password change" sid="2732"> <Token id="content" type="str" nocase="1">s\0p\0_\0p\0a\0s\0s\0w\0o\0r\0d\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL sp_delete_alert log file deletion" sid="2736"> <Token id="content" type="str" nocase="1">s\0p\0_\0d\0e\0l\0e\0t\0e\0_\0a\0l\0e\0r\0t\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL sp_adduser - database user creation" sid="2740"> <Token id="content" type="str" nocase="1">s\0p\0_\0a\0d\0d\0u\0s\0e\0r\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_reg* - registry access" sid="2744"> <Token id="content" type="str" nocase="1">x\0p\0_\0r\0e\0g\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_cmdshell - program execution" sid="2748"> <Token id="content" type="str" nocase="1">x\0p\0_\0c\0m\0d\0s\0h\0e\0l\0l\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL sa login failed" sid="2752"> <Token id="content" type="str">Login failed for user 'sa'</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_reg* registry access" sid="2756"> <Token id="content" type="str" depth="32" nocase="1" offset="32">x\0p\0_\0r\0e\0g\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_printstatements possible buffer overflow" sid="2760"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0p\0r\0i\0n\0t\0s\0t\0a\0t\0e\0m\0e\0n\0t\0s\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL shellcode attempt" sid="2764"> <Token id="content" type="str">9 \xD0\0\x92\x01\xC2\0R\0U\09 \xEC\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB shellcode attempt" sid="2768"> <Token id="content" type="str">9 \xD0\0\x92\x01\xC2\0R\0U\09 \xEC\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL shellcode attempt" sid="2772"> <Token id="content" type="str">H\0%\0x\0w\0\x90\0\x90\0\x90\0\x90\0\x90\03\0\xC0\0P\0h\0.\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB shellcode attempt" sid="2776"> <Token id="content" type="str">H\0%\0x\0w\0\x90\0\x90\0\x90\0\x90\0\x90\03\0\xC0\0P\0h\0.\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_sprintf possible buffer overflow" sid="2780"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0s\0p\0r\0i\0n\0t\0f\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_showcolv possible buffer overflow" sid="2784"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0s\0h\0o\0w\0c\0o\0l\0v\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_peekqueue possible buffer overflow" sid="2788"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0p\0e\0e\0k\0q\0u\0e\0u\0e\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_proxiedmetadata possible buffer overflow" sid="2792"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0p\0r\0o\0x\0i\0e\0d\0m\0e\0t\0a\0d\0a\0t\0a\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_printstatements possible buffer overflow" sid="2796"> <Token id="content" type="str" nocase="1">x\0p\0_\0p\0r\0i\0n\0t\0s\0t\0a\0t\0e\0m\0e\0n\0t\0s\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_updatecolvbm possible buffer overflow" sid="2800"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0u\0p\0d\0a\0t\0e\0c\0o\0l\0v\0b\0m\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_updatecolvbm possible buffer overflow" sid="2804"> <Token id="content" type="str" nocase="1">x\0p\0_\0u\0p\0d\0a\0t\0e\0c\0o\0l\0v\0b\0m\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_displayparamstmt possible buffer overflow" sid="2808"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0d\0i\0s\0p\0l\0a\0y\0p\0a\0r\0a\0m\0s\0t\0m\0t\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_setsqlsecurity possible buffer overflow" sid="2812"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0s\0e\0t\0s\0q\0l\0s\0e\0c\0u\0r\0i\0t\0y\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_sprintf possible buffer overflow" sid="2816"> <Token id="content" type="str" nocase="1">x\0p\0_\0s\0p\0r\0i\0n\0t\0f\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_showcolv possible buffer overflow" sid="2820"> <Token id="content" type="str" nocase="1">x\0p\0_\0s\0h\0o\0w\0c\0o\0l\0v\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_peekqueue possible buffer overflow" sid="2824"> <Token id="content" type="str" nocase="1">x\0p\0_\0p\0e\0e\0k\0q\0u\0e\0u\0e\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL xp_proxiedmetadata possible buffer overflow" sid="2828"> <Token id="content" type="str" nocase="1">x\0p\0_\0p\0r\0o\0x\0i\0e\0d\0m\0e\0t\0a\0d\0a\0t\0a\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB xp_enumresultset possible buffer overflow" sid="2832"> <Token id="content" type="str" nocase="1" offset="32">x\0p\0_\0e\0n\0u\0m\0r\0e\0s\0u\0l\0t\0s\0e\0t\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="139" remport="*" name="MS-SQL/SMB raiserror possible buffer overflow" sid="5544"> <Token id="content" type="str" nocase="1" offset="32">r\0a\0i\0s\0e\0r\0r\0o\0r\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="1433" remport="*" name="MS-SQL raiserror possible buffer overflow" sid="5548"> <Token id="content" type="str" nocase="1">r\0a\0i\0s\0e\0r\0r\0o\0r\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="sql_servers" remaddr_id="external_net" locport="445" remport="*" name="MS-SQL xp_cmdshell program execution 445" sid="7036"> <Token id="content" type="str" nocase="1">x\0p\0_\0c\0m\0d\0s\0h\0e\0l\0l\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1434" remport="*" name="MS-SQL Worm propagation attempt" sid="8012"> <Token id="content" type="str" depth="1">\x04</Token> <Token id="content" type="str">\x81\xF1\x03\x01\x04\x9B\x81\xF1\x01</Token> <Token id="content" type="str">sock</Token> <Token id="content" type="str">send</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="1434" name="MS-SQL Worm propagation attempt OUTBOUND" sid="8016"> <Token id="content" type="str" depth="1">\x04</Token> <Token id="content" type="str">\x81\xF1\x03\x01\x04\x9B\x81\xF1</Token> <Token id="content" type="str">sock</Token> <Token id="content" type="str">send</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1434" remport="*" name="MS-SQL ping attempt" sid="8196"> <Token id="content" type="str" depth="1">\x02</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="home_net" remaddr_id="external_net" locport="1434" remport="*" name="MS-SQL version overflow attempt" sid="8200"> <Token id="dsize" type="int" rel="greater">100</Token> <Token id="content" type="str" depth="1">\x04</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="udp" locaddr_id="sql_servers" remaddr_id="external_net" locport="*" remport="*" name="MS-SQL probe response overflow attempt" sid="9316"> <Token id="content" type="str" depth="1">\x05</Token> <Token id="byte_test" type="int" format="big" offset="1" oper="greater" size="2">512</Token> <Token id="content" type="str" distance="0">;</Token> <Token id="isdataat" type="int" rel="relative">512</Token> <Token id="content" type="str" complement="1" within="512">;</Token> </Rule> </RuleList> <RuleList name="telnet.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET 4Dgifts SGI account attempt" sid="2836"> <Token id="content" type="str">4Dgifts</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET EZsetup account attempt" sid="2840"> <Token id="content" type="str">OutOfBox</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET SGI telnetd format bug" sid="2844"> <Token id="content" type="str">_RLD</Token> <Token id="content" type="str">bin/sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET ld_library_path" sid="2848"> <Token id="content" type="str">ld_library_path</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET livingston DOS" sid="2852"> <Token id="content" type="str">\xFF\xF3\xFF\xF3\xFF\xF3\xFF\xF3\xFF\xF3</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET resolv_host_conf" sid="2856"> <Token id="content" type="str">resolv_host_conf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET Attempted SU from wrong group" sid="2860"> <Token id="content" type="str" nocase="1">to su root</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET access" sid="2864"> <Token id="content" type="str">\xFF\xFD</Token> <Token id="content" type="str" distance="0">\xFF\xFD</Token> <Token id="content" type="str" distance="0">\xFF\xFD</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET not on console" sid="2868"> <Token id="content" type="str" nocase="1">not on system console</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET login incorrect" sid="2872"> <Token id="content" type="str">Login incorrect</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET root login" sid="2876"> <Token id="content" type="str">login: root</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET bsd telnet exploit response" sid="5008"> <Token id="content" type="str">\r\n[Yes]\r\n\xFF\xFE\b\xFF\xFD&</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET bsd exploit client finishing" sid="5012"> <Token id="dsize" type="int" rel="greater">200</Token> <Token id="content" type="str" depth="50" offset="200">\xFF\xF6\xFF\xF6\xFF\xFB\b\xFF\xF6</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET Solaris memory mismanagement exploit attempt" sid="5720"> <Token id="content" type="str">\xA0#\xA0\x10\xAE#\x80\x10\xEE#\xBF\xEC\x82\x05\xE0\xD6\x90%\xE0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="telnet_servers" remaddr_id="external_net" locport="23" remport="*" name="TELNET APC SmartSlot default admin account attempt" sid="9624"> <Token id="content" type="str">TENmanUFactOryPOWER</Token> </Rule> </RuleList> <RuleList name="virus.rules"> <Rule al="Monitor" ar="Allow" dir="out" prot="tcp" locaddr_id="home_net" remaddr_id="external_net" locport="*" remport="25" name="VIRUS OUTBOUND bad file attachment" sid="2884" enabled="0"> <Token id="content" type="str" nocase="1">Content-Disposition:</Token> <Token id="pcre" type="str">=/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR</Token> </Rule> </RuleList> <RuleList name="web-cgi.rules"> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI HyperSeek hsx.cgi directory traversal attempt" sid="3212"> <Token id="content" type="str" uricont="1">/hsx.cgi</Token> <Token id="content" type="str">../../</Token> <Token id="content" type="str" distance="1">%00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI SWSoft ASPSeek Overflow attempt" sid="3216"> <Token id="content" type="str" nocase="1" uricont="1">/s.cgi</Token> <Token id="content" type="str">tmpl=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webspeed access" sid="3220"> <Token id="content" type="str" nocase="1" uricont="1">/wsisa.dll/WService=</Token> <Token id="content" type="str" nocase="1">WSMadmin</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI yabb directory traversal attempt" sid="3224"> <Token id="content" type="str" nocase="1" uricont="1">/YaBB</Token> <Token id="content" type="str">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI /wwwboard/passwd.txt access" sid="3228"> <Token id="content" type="str" nocase="1" uricont="1">/wwwboard/passwd.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webdriver access" sid="3232"> <Token id="content" type="str" nocase="1" uricont="1">/webdriver</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI whois_raw.cgi arbitrary command execution attempt" sid="3236"> <Token id="content" type="str" uricont="1">/whois_raw.cgi?</Token> <Token id="content" type="str">\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI whois_raw.cgi access" sid="3240"> <Token id="content" type="str" uricont="1">/whois_raw.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI websitepro path access" sid="3244"> <Token id="content" type="str" nocase="1"> /HTTP/1.</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webplus version access" sid="3248"> <Token id="content" type="str" nocase="1" uricont="1">/webplus?about</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webplus directory traversal" sid="3252"> <Token id="content" type="str" nocase="1" uricont="1">/webplus?script</Token> <Token id="content" type="str">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI websendmail access" sid="3260"> <Token id="content" type="str" nocase="1" uricont="1">/websendmail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI dcboard.cgi invalid user addition attempt" sid="3268"> <Token id="content" type="str" uricont="1">/dcboard.cgi</Token> <Token id="content" type="str">command=register</Token> <Token id="content" type="str">%7cadmin</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI dcforum.cgi access" sid="3272"> <Token id="content" type="str" uricont="1">/dcforum.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI mmstdod.cgi access" sid="3276"> <Token id="content" type="str" nocase="1" uricont="1">/mmstdod.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI anaconda directory transversal attempt" sid="3280"> <Token id="content" type="str" uricont="1">/apexec.pl</Token> <Token id="content" type="str" nocase="1">template=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI imagemap.exe overflow attempt" sid="3284"> <Token id="content" type="str" nocase="1" uricont="1">/imagemap.exe?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cvsweb.cgi access" sid="3292"> <Token id="content" type="str" nocase="1" uricont="1">/cvsweb.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI php.cgi access" sid="3296"> <Token id="content" type="str" nocase="1" uricont="1">/php.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI glimpse access" sid="3300"> <Token id="content" type="str" nocase="1" uricont="1">/glimpse</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI htmlscript access" sid="3304"> <Token id="content" type="str" nocase="1" uricont="1">/htmlscript</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI info2www access" sid="3308"> <Token id="content" type="str" nocase="1" uricont="1">/info2www</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI maillist.pl access" sid="3312"> <Token id="content" type="str" nocase="1" uricont="1">/maillist.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI nph-test-cgi access" sid="3316"> <Token id="content" type="str" nocase="1" uricont="1">/nph-test-cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI NPH-publish access" sid="3320"> <Token id="content" type="str" nocase="1" uricont="1">/nph-publish</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI perl.exe access" sid="3328"> <Token id="content" type="str" nocase="1" uricont="1">/perl.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI rguest.exe access" sid="3332"> <Token id="content" type="str" nocase="1" uricont="1">/rguest.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI rwwwshell.pl access" sid="3336"> <Token id="content" type="str" nocase="1" uricont="1">/rwwwshell.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI test-cgi access" sid="3340"> <Token id="content" type="str" nocase="1" uricont="1">/test-cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI textcounter.pl access" sid="3344"> <Token id="content" type="str" nocase="1" uricont="1">/textcounter.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI uploader.exe access" sid="3348"> <Token id="content" type="str" nocase="1" uricont="1">/uploader.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webgais access" sid="3352"> <Token id="content" type="str" nocase="1" uricont="1">/webgais</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI finger access" sid="3356"> <Token id="content" type="str" nocase="1" uricont="1">/finger</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI perlshop.cgi access" sid="3360"> <Token id="content" type="str" nocase="1" uricont="1">/perlshop.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI pfdisplay.cgi access" sid="3364"> <Token id="content" type="str" nocase="1" uricont="1">/pfdisplay.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI aglimpse access" sid="3368"> <Token id="content" type="str" nocase="1" uricont="1">/aglimpse</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI anform2 access" sid="3372"> <Token id="content" type="str" nocase="1" uricont="1">/AnForm2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI args.bat access" sid="3376"> <Token id="content" type="str" nocase="1" uricont="1">/args.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI AT-admin.cgi access" sid="3380"> <Token id="content" type="str" nocase="1" uricont="1">/AT-admin.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bnbform.cgi access" sid="3384"> <Token id="content" type="str" nocase="1" uricont="1">/bnbform.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI campas access" sid="3388"> <Token id="content" type="str" nocase="1" uricont="1">/campas</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI view-source directory traversal" sid="3392"> <Token id="content" type="str" nocase="1" uricont="1">/view-source</Token> <Token id="content" type="str" nocase="1">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI view-source access" sid="3396"> <Token id="content" type="str" nocase="1" uricont="1">/view-source</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI wais.pl access" sid="3400"> <Token id="content" type="str" nocase="1" uricont="1">/wais.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI files.pl access" sid="3404"> <Token id="content" type="str" nocase="1" uricont="1">/files.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI wguest.exe access" sid="3408"> <Token id="content" type="str" nocase="1" uricont="1">/wguest.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI wrap access" sid="3412"> <Token id="content" type="str" uricont="1">/wrap</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI classifieds.cgi access" sid="3416"> <Token id="content" type="str" nocase="1" uricont="1">/classifieds.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI environ.cgi access" sid="3424"> <Token id="content" type="str" nocase="1" uricont="1">/environ.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI faxsurvey access" sid="3428"> <Token id="content" type="str" nocase="1" uricont="1">/faxsurvey</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI filemail access" sid="3432"> <Token id="content" type="str" nocase="1" uricont="1">/filemail.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI man.sh access" sid="3436"> <Token id="content" type="str" nocase="1" uricont="1">/man.sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI snork.bat access" sid="3440"> <Token id="content" type="str" nocase="1" uricont="1">/snork.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI w3-msql access" sid="3444"> <Token id="content" type="str" nocase="1" uricont="1">/w3-msql/</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI csh access" sid="3448"> <Token id="content" type="str" nocase="1" uricont="1">/csh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI day5datacopier.cgi access" sid="3452"> <Token id="content" type="str" nocase="1" uricont="1">/day5datacopier.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI day5datanotifier.cgi access" sid="3456"> <Token id="content" type="str" nocase="1" uricont="1">/day5datanotifier.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ksh access" sid="3460"> <Token id="content" type="str" nocase="1" uricont="1">/ksh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI post-query access" sid="3464"> <Token id="content" type="str" nocase="1" uricont="1">/post-query</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI visadmin.exe access" sid="3468"> <Token id="content" type="str" nocase="1" uricont="1">/visadmin.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI rsh access" sid="3472"> <Token id="content" type="str" nocase="1" uricont="1">/rsh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI dumpenv.pl access" sid="3476"> <Token id="content" type="str" nocase="1" uricont="1">/dumpenv.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI snorkerz.cmd access" sid="3480"> <Token id="content" type="str" nocase="1" uricont="1">/snorkerz.cmd</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI survey.cgi access" sid="3484"> <Token id="content" type="str" nocase="1" uricont="1">/survey.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI tcsh access" sid="3488"> <Token id="content" type="str" nocase="1" uricont="1">/tcsh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI scriptalias access" sid="3492"> <Token id="content" type="str" uricont="1">///</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI win-c-sample.exe access" sid="3500"> <Token id="content" type="str" nocase="1" uricont="1">/win-c-sample.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI rksh access" sid="3508"> <Token id="content" type="str" nocase="1" uricont="1">/rksh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI w3tvars.pm access" sid="3512"> <Token id="content" type="str" nocase="1" uricont="1">/w3tvars.pm</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI admin.pl access" sid="3516"> <Token id="content" type="str" nocase="1" uricont="1">/admin.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI LWGate access" sid="3520"> <Token id="content" type="str" nocase="1" uricont="1">/LWGate</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI archie access" sid="3524"> <Token id="content" type="str" nocase="1" uricont="1">/archie</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI calendar access" sid="3528"> <Token id="content" type="str" nocase="1" uricont="1">/calendar</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI flexform access" sid="3532"> <Token id="content" type="str" nocase="1" uricont="1">/flexform</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI formmail access" sid="3536"> <Token id="content" type="str" nocase="1" uricont="1">/formmail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bash access" sid="3540"> <Token id="content" type="str" nocase="1" uricont="1">/bash</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI phf access" sid="3544"> <Token id="content" type="str" nocase="1" uricont="1">/phf</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI www-sql access" sid="3548"> <Token id="content" type="str" nocase="1" uricont="1">/www-sql</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI wwwadmin.pl access" sid="3552"> <Token id="content" type="str" nocase="1" uricont="1">/wwwadmin.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ppdscgi.exe access" sid="3556"> <Token id="content" type="str" nocase="1" uricont="1">/ppdscgi.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI sendform.cgi access" sid="3560"> <Token id="content" type="str" nocase="1" uricont="1">/sendform.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI upload.pl access" sid="3564"> <Token id="content" type="str" nocase="1" uricont="1">/upload.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI AnyForm2 access" sid="3568"> <Token id="content" type="str" nocase="1" uricont="1">/AnyForm2</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI MachineInfo access" sid="3572"> <Token id="content" type="str" nocase="1" uricont="1">/MachineInfo</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-hist.sh access" sid="3576"> <Token id="content" type="str" nocase="1" uricont="1">/bb-hist.sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI redirect access" sid="3580"> <Token id="content" type="str" nocase="1" uricont="1">/redirect</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI way-board access" sid="3584"> <Token id="content" type="str" nocase="1" uricont="1">/way-board</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI pals-cgi access" sid="3588"> <Token id="content" type="str" nocase="1" uricont="1">/pals-cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI commerce.cgi access" sid="3592"> <Token id="content" type="str" nocase="1" uricont="1">/commerce.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Amaya templates sendtemp.pl directory traversal attempt" sid="3596"> <Token id="content" type="str" nocase="1" uricont="1">/sendtemp.pl</Token> <Token id="content" type="str" nocase="1">templ=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webspirs.cgi directory traversal attempt" sid="3600"> <Token id="content" type="str" nocase="1" uricont="1">/webspirs.cgi</Token> <Token id="content" type="str" nocase="1">../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webspirs.cgi access" sid="3604"> <Token id="content" type="str" nocase="1" uricont="1">/webspirs.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI tstisapi.dll access" sid="3608"> <Token id="content" type="str" nocase="1" uricont="1">tstisapi.dll</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI technote main.cgi file directory traversal attempt" sid="4204"> <Token id="content" type="str" nocase="1" uricont="1">/technote/main.cgi</Token> <Token id="content" type="str" nocase="1">filename=</Token> <Token id="content" type="str">../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI technote print.cgi directory traversal attempt" sid="4208"> <Token id="content" type="str" nocase="1" uricont="1">/technote/print.cgi</Token> <Token id="content" type="str" nocase="1">board=</Token> <Token id="content" type="str">../../</Token> <Token id="content" type="str">%00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ads.cgi command execution attempt" sid="4212"> <Token id="content" type="str" nocase="1" uricont="1">/ads.cgi</Token> <Token id="content" type="str" nocase="1">file=</Token> <Token id="content" type="str">../../</Token> <Token id="content" type="str">|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI eXtropia webstore directory traversal" sid="4352"> <Token id="content" type="str" uricont="1">/web_store.cgi</Token> <Token id="content" type="str">page=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI shopping cart directory traversal" sid="4356"> <Token id="content" type="str" uricont="1">/shop.cgi</Token> <Token id="content" type="str">page=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Allaire Pro Web Shell attempt" sid="4360"> <Token id="content" type="str" uricont="1">/authenticate.cgi?PASSWORD</Token> <Token id="content" type="str">config.ini</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Armada Style Master Index directory traversal" sid="4368"> <Token id="content" type="str" uricont="1">/search.cgi?keys</Token> <Token id="content" type="str">catigory=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cached_feed.cgi moreover shopping cart directory traversal" sid="4372"> <Token id="content" type="str" uricont="1">/cached_feed.cgi</Token> <Token id="content" type="str">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Talentsoft Web+ exploit attempt" sid="4388"> <Token id="content" type="str" uricont="1">/webplus.cgi?Script=/webplus/webping/webping.wml</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Poll-it access" sid="4424"> <Token id="content" type="str" nocase="1" uricont="1">/pollit/Poll_It_SSI_v2.0.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI count.cgi access" sid="4596"> <Token id="content" type="str" nocase="1" uricont="1">/count.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI webdist.cgi access" sid="4652"> <Token id="content" type="str" nocase="1" uricont="1">/webdist.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bigconf.cgi access" sid="4688"> <Token id="content" type="str" nocase="1" uricont="1">/bigconf.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI /cgi-bin/jj access" sid="4696"> <Token id="content" type="str" nocase="1" uricont="1">/cgi-bin/jj</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bizdbsearch attempt" sid="4740"> <Token id="content" type="str" nocase="1" uricont="1">/bizdb1-search.cgi</Token> <Token id="content" type="str" nocase="1">mail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI sojourn.cgi File attempt" sid="4776"> <Token id="content" type="str" uricont="1">/sojourn.cgi?cat=</Token> <Token id="content" type="str" nocase="1">%00</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI sojourn.cgi access" sid="4780"> <Token id="content" type="str" nocase="1" uricont="1">/sojourn.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI SGI InfoSearch fname attempt" sid="4784"> <Token id="content" type="str" uricont="1">/infosrch.cgi?</Token> <Token id="content" type="str" nocase="1">fname=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ax-admin.cgi access" sid="4816"> <Token id="content" type="str" uricont="1">/ax-admin.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI axs.cgi access" sid="4820"> <Token id="content" type="str" uricont="1">/axs.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cachemgr.cgi access" sid="4824"> <Token id="content" type="str" uricont="1">/cachemgr.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI responder.cgi access" sid="4832"> <Token id="content" type="str" uricont="1">/responder.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI web-map.cgi access" sid="4844"> <Token id="content" type="str" uricont="1">/web-map.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ministats admin access" sid="4860"> <Token id="content" type="str" nocase="1" uricont="1">/ministats/admin.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI dfire.cgi access" sid="4876"> <Token id="content" type="str" nocase="1" uricont="1">/dfire.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI pals-cgi arbitrary file access attempt" sid="4888"> <Token id="content" type="str" nocase="1" uricont="1">/pals-cgi</Token> <Token id="content" type="str">documentName=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI txt2html.cgi access" sid="5216"> <Token id="content" type="str" nocase="1" uricont="1">/txt2html.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI txt2html.cgi directory traversal attempt" sid="5220"> <Token id="content" type="str" nocase="1" uricont="1">/txt2html.cgi</Token> <Token id="content" type="str">/../../../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI store.cgi access" sid="5228"> <Token id="content" type="str" nocase="1" uricont="1">/store.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI sendmessage.cgi access" sid="5232"> <Token id="content" type="str" nocase="1" uricont="1">/sendmessage.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI zsh access" sid="5236"> <Token id="content" type="str" nocase="1" uricont="1">/zsh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI lastlines.cgi access" sid="5568"> <Token id="content" type="str" nocase="1" uricont="1">/lastlines.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI zml.cgi attempt" sid="5580"> <Token id="content" type="str" uricont="1">/zml.cgi</Token> <Token id="content" type="str">file=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI zml.cgi access" sid="5584"> <Token id="content" type="str" uricont="1">/zml.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI wayboard attempt" sid="5588"> <Token id="content" type="str" uricont="1">/way-board/way-board.cgi</Token> <Token id="content" type="str">db=</Token> <Token id="content" type="str" nocase="1">../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI AHG search.cgi access" sid="5620"> <Token id="content" type="str" nocase="1" uricont="1">/publisher/search.cgi</Token> <Token id="content" type="str" nocase="1">template=</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI agora.cgi access" sid="5624"> <Token id="content" type="str" nocase="1" uricont="1">/store/agora.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI dcboard.cgi access" sid="5640"> <Token id="content" type="str" uricont="1">/dcboard.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI NPH-publish access" sid="5804"> <Token id="content" type="str" nocase="1" uricont="1">/nph-maillist.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI args.cmd access" sid="5808"> <Token id="content" type="str" nocase="1" uricont="1">/args.cmd</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI AT-generated.cgi access" sid="5812"> <Token id="content" type="str" nocase="1" uricont="1">/AT-generated.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI wwwwais access" sid="5816"> <Token id="content" type="str" nocase="1" uricont="1">/wwwwais</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI calender.pl access" sid="5820"> <Token id="content" type="str" nocase="1" uricont="1">/calender.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI user_update_admin.pl access" sid="5828"> <Token id="content" type="str" nocase="1" uricont="1">/user_update_admin.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI user_update_passwd.pl access" sid="5832"> <Token id="content" type="str" nocase="1" uricont="1">/user_update_passwd.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-histlog.sh access" sid="5836"> <Token id="content" type="str" nocase="1" uricont="1">/bb-histlog.sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-histsvc.sh access" sid="5840"> <Token id="content" type="str" nocase="1" uricont="1">/bb-histsvc.sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-rep.sh access" sid="5844"> <Token id="content" type="str" nocase="1" uricont="1">/bb-rep.sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-replog.sh access" sid="5848"> <Token id="content" type="str" nocase="1" uricont="1">/bb-replog.sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI auktion.cgi access" sid="5860"> <Token id="content" type="str" nocase="1" uricont="1">/auktion.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cgiforum.pl access" sid="5864"> <Token id="content" type="str" nocase="1" uricont="1">/cgiforum.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI directorypro.cgi access" sid="5868"> <Token id="content" type="str" nocase="1" uricont="1">/directorypro.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Web Shopper shopper.cgi attempt" sid="5872"> <Token id="content" type="str" nocase="1" uricont="1">/shopper.cgi</Token> <Token id="content" type="str" nocase="1">newpage=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Web Shopper shopper.cgi access" sid="5876"> <Token id="content" type="str" nocase="1" uricont="1">/shopper.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI listrec.pl access" sid="5880"> <Token id="content" type="str" nocase="1" uricont="1">/listrec.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI mailnews.cgi access" sid="5884"> <Token id="content" type="str" nocase="1" uricont="1">/mailnews.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI book.cgi access" sid="5888"> <Token id="content" type="str" nocase="1" uricont="1">/book.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI newsdesk.cgi access" sid="5892"> <Token id="content" type="str" nocase="1" uricont="1">/newsdesk.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cal_make.pl access" sid="5896"> <Token id="content" type="str" nocase="1" uricont="1">/cal_make.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI mailit.pl access" sid="5900"> <Token id="content" type="str" nocase="1" uricont="1">/mailit.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI sdbsearch.cgi access" sid="5904"> <Token id="content" type="str" nocase="1" uricont="1">/sdbsearch.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI swc access" sid="5912"> <Token id="content" type="str" nocase="1" uricont="1">/swc</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ttawebtop.cgi arbitrary file attempt" sid="5916"> <Token id="content" type="str" nocase="1" uricont="1">/ttawebtop.cgi</Token> <Token id="content" type="str" nocase="1">pg=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ttawebtop.cgi access" sid="5920"> <Token id="content" type="str" nocase="1" uricont="1">/ttawebtop.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI upload.cgi access" sid="5924"> <Token id="content" type="str" nocase="1" uricont="1">/upload.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI view_source access" sid="5928"> <Token id="content" type="str" nocase="1" uricont="1">/view_source</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ustorekeeper.pl access" sid="5932"> <Token id="content" type="str" nocase="1" uricont="1">/ustorekeeper.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI store.cgi directory traversal attempt" sid="5952"> <Token id="content" type="str" nocase="1" uricont="1">/store.cgi</Token> <Token id="content" type="str">../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI SIX webboard generate.cgi attempt" sid="5976"> <Token id="content" type="str" uricont="1">/generate.cgi</Token> <Token id="content" type="str">content=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI SIX webboard generate.cgi access" sid="5980"> <Token id="content" type="str" uricont="1">/generate.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI spin_client.cgi access" sid="5984"> <Token id="content" type="str" uricont="1">/spin_client.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI a1stats a1disp3.cgi directory traversal attempt" sid="6004"> <Token id="content" type="str" uricont="1">/a1disp3.cgi?/../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI a1stats a1disp3.cgi access" sid="6008"> <Token id="content" type="str" uricont="1">/a1disp3.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI admentor admin.asp access" sid="6012"> <Token id="content" type="str" uricont="1">/admentor/admin/admin.asp</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI alchemy http server PRN arbitrary command execution attempt" sid="6020"> <Token id="content" type="str" uricont="1">/PRN/../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI alchemy http server NUL arbitrary command execution attempt" sid="6024"> <Token id="content" type="str" uricont="1">/NUL/../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI alibaba.pl arbitrary command execution attempt" sid="6028"> <Token id="content" type="str" uricont="1">/alibaba.pl|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI alibaba.pl access" sid="6032"> <Token id="content" type="str" uricont="1">/alibaba.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI AltaVista Intranet Search directory traversal attempt" sid="6036"> <Token id="content" type="str" uricont="1">/query?mss=..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI test.bat arbitrary command execution attempt" sid="6040"> <Token id="content" type="str" uricont="1">/test.bat|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI test.bat access" sid="6044"> <Token id="content" type="str" uricont="1">/test.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI input.bat arbitrary command execution attempt" sid="6048"> <Token id="content" type="str" uricont="1">/input.bat|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI input.bat access" sid="6052"> <Token id="content" type="str" uricont="1">/input.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI input2.bat arbitrary command execution attempt" sid="6056"> <Token id="content" type="str" uricont="1">/input2.bat|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI input2.bat access" sid="6060"> <Token id="content" type="str" uricont="1">/input2.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI envout.bat arbitrary command execution attempt" sid="6064"> <Token id="content" type="str" uricont="1">/envout.bat|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI envout.bat access" sid="6068"> <Token id="content" type="str" uricont="1">/envout.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-hist.sh attempt" sid="6124"> <Token id="content" type="str" nocase="1" uricont="1">/bb-hist.sh?HISTFILE=../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-hostscv.sh attempt" sid="6128"> <Token id="content" type="str" nocase="1" uricont="1">/bb-hostsvc.sh?HOSTSVC?../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bb-hostscv.sh access" sid="6132"> <Token id="content" type="str" nocase="1" uricont="1">/bb-hostsvc.sh</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI agora.cgi attempt" sid="6136"> <Token id="content" type="str" nocase="1" uricont="1">/store/agora.cgi?cart_id=<SCRIPT></Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bizdbsearch access" sid="6140"> <Token id="content" type="str" nocase="1" uricont="1">/bizdb1-search.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI calendar_admin.pl arbitrary command execution attempt" sid="6144"> <Token id="content" type="str" uricont="1">/calendar_admin.pl?config=|</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI calendar_admin.pl access" sid="6148"> <Token id="content" type="str" uricont="1">/calendar_admin.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI /cgi-bin/ls access" sid="6156"> <Token id="content" type="str" nocase="1" uricont="1">/cgi-bin/ls</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cgimail access" sid="6168"> <Token id="content" type="str" nocase="1" uricont="1">/cgimail</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cgiwrap access" sid="6172"> <Token id="content" type="str" nocase="1" uricont="1">/cgiwrap</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI csSearch.cgi arbitrary command execution attempt" sid="6188"> <Token id="content" type="str" uricont="1">/csSearch.cgi</Token> <Token id="content" type="str">setup=</Token> <Token id="content" type="str">`</Token> <Token id="content" type="str" distance="1">`</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI csSearch.cgi access" sid="6192"> <Token id="content" type="str" uricont="1">/csSearch.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI /cart/cart.cgi access" sid="6212"> <Token id="content" type="str" uricont="1">/cart/cart.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI dbman db.cgi access" sid="6216"> <Token id="content" type="str" uricont="1">/dbman/db.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI DCShop access" sid="6220"> <Token id="content" type="str" nocase="1" uricont="1">/dcshop</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI DCShop orders.txt access" sid="6224"> <Token id="content" type="str" nocase="1" uricont="1">/orders/orders.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI DCShop auth_user_file.txt access" sid="6228"> <Token id="content" type="str" nocase="1" uricont="1">/auth_data/auth_user_file.txt</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI eshop.pl arbitrary commane execution attempt" sid="6260"> <Token id="content" type="str" nocase="1" uricont="1">/eshop.pl?seite=;</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI eshop.pl access" sid="6264"> <Token id="content" type="str" nocase="1" uricont="1">/eshop.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI loadpage.cgi directory traversal attempt" sid="6276"> <Token id="content" type="str" uricont="1">/loadpage.cgi</Token> <Token id="content" type="str" nocase="1">file=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI loadpage.cgi access" sid="6280"> <Token id="content" type="str" nocase="1" uricont="1">/loadpage.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI dcforum.cgi directory traversal attempt" sid="6284"> <Token id="content" type="str" uricont="1">/dcforum.cgi</Token> <Token id="content" type="str">forum=../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI commerce.cgi arbitrary file access attempt" sid="6288"> <Token id="content" type="str" uricont="1">/commerce.cgi</Token> <Token id="content" type="str">page=</Token> <Token id="content" type="str" nocase="1">/../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cgiforum.pl attempt" sid="6292"> <Token id="content" type="str" nocase="1" uricont="1">/cgiforum.pl?thesection=../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI directorypro.cgi attempt" sid="6296"> <Token id="content" type="str" uricont="1">/directorypro.cgi</Token> <Token id="content" type="str">show=</Token> <Token id="content" type="str" distance="1" nocase="1">../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI faqmanager.cgi arbitrary file access attempt" sid="6360"> <Token id="content" type="str" uricont="1">/faqmanager.cgi?toc=</Token> <Token id="content" type="str" nocase="1" uricont="1">\0</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI faqmanager.cgi access" sid="6364"> <Token id="content" type="str" nocase="1" uricont="1">/faqmanager.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI /fcgi-bin/echo.exe access" sid="6368"> <Token id="content" type="str" nocase="1" uricont="1">/fcgi-bin/echo.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI FormHandler.cgi external site redirection attempt" sid="6372"> <Token id="content" type="str" nocase="1" uricont="1">/FormHandler.cgi</Token> <Token id="content" type="str">redirect=http</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI FormHandler.cgi access" sid="6376"> <Token id="content" type="str" nocase="1" uricont="1">/FormHandler.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI guestbook.cgi access" sid="6388"> <Token id="content" type="str" nocase="1" uricont="1">/guestbook.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Home Free search.cgi directory traversal attempt" sid="6392"> <Token id="content" type="str" uricont="1">/search.cgi</Token> <Token id="content" type="str" nocase="1">letter=../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI search.cgi access" sid="6396"> <Token id="content" type="str" nocase="1" uricont="1">/search.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI htsearch arbitrary configuration file attempt" sid="6400"> <Token id="content" type="str" nocase="1" uricont="1">/htsearch?-c</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI htsearch arbitrary file read attempt" sid="6404"> <Token id="content" type="str" nocase="1" uricont="1">/htsearch?exclude=`</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI htsearch access" sid="6408"> <Token id="content" type="str" nocase="1" uricont="1">/htsearch</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI icat access" sid="6424"> <Token id="content" type="str" uricont="1">/icat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI HyperSeek hsx.cgi access" sid="6428"> <Token id="content" type="str" uricont="1">/hsx.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI htmlscript attempt" sid="6432"> <Token id="content" type="str" nocase="1" uricont="1">/htmlscript?../..</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI formmail arbitrary command execution attempt" sid="6440"> <Token id="content" type="str" nocase="1" uricont="1">/formmail</Token> <Token id="content" type="str" nocase="1">%0a</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI eXtropia webstore access" sid="6444"> <Token id="content" type="str" uricont="1">/web_store.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Bugzilla doeditvotes.cgi access" sid="6468"> <Token id="content" type="str" uricont="1">/doeditvotes.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI FormHandler.cgi directory traversal attempt attempt" sid="6512"> <Token id="content" type="str" nocase="1" uricont="1">/FormHandler.cgi</Token> <Token id="content" type="str" nocase="1">reply_message_attach=</Token> <Token id="content" type="str">/../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI yabb access" sid="6548"> <Token id="content" type="str" nocase="1" uricont="1">/YaBB</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI document.d2w access" sid="6568"> <Token id="content" type="str" uricont="1">/document.d2w</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI db2www access" sid="6572"> <Token id="content" type="str" uricont="1">/db2www</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI test-cgi attempt" sid="6576"> <Token id="content" type="str" nocase="1" uricont="1">/test-cgi/*?*</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI testcgi access" sid="6580"> <Token id="content" type="str" nocase="1" uricont="1">/testcgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI test.cgi access" sid="6584"> <Token id="content" type="str" nocase="1" uricont="1">/test.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI perl.exe command attempt" sid="6592"> <Token id="content" type="str" nocase="1" uricont="1">/perl.exe?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI perl command attempt" sid="6596"> <Token id="content" type="str" nocase="1" uricont="1">/perl?</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI tst.bat access" sid="6600"> <Token id="content" type="str" uricont="1">/tst.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI enivorn.pl access" sid="6604"> <Token id="content" type="str" nocase="1" uricont="1">/enivron.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI campus attempt" sid="6608"> <Token id="content" type="str" nocase="1" uricont="1">/campus?\n</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI campus access" sid="6612"> <Token id="content" type="str" nocase="1" uricont="1">/campus</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cart32.exe access" sid="6616"> <Token id="content" type="str" nocase="1" uricont="1">/cart32.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI pfdispaly.cgi arbitrary command execution attempt" sid="6620"> <Token id="content" type="str" nocase="1" uricont="1">/pfdispaly.cgi?'</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI pfdispaly.cgi access" sid="6624"> <Token id="content" type="str" nocase="1" uricont="1">/pfdispaly.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI pagelog.cgi directory traversal attempt" sid="6628"> <Token id="content" type="str" nocase="1" uricont="1">/pagelog.cgi</Token> <Token id="content" type="str" nocase="1">name=../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI pagelog.cgi access" sid="6632"> <Token id="content" type="str" nocase="1" uricont="1">/pagelog.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI /cgi-bin/ access" sid="6672"> <Token id="content" type="str" uricont="1">/cgi-bin/</Token> <Token id="content" type="str" nocase="1">/cgi-bin/ HTTP</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI /cgi-dos/ access" sid="6676"> <Token id="content" type="str" uricont="1">/cgi-dos/</Token> <Token id="content" type="str" nocase="1">/cgi-dos/ HTTP</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI imagemap.exe access" sid="6800"> <Token id="content" type="str" nocase="1" uricont="1">/imagemap.exe</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI calendar-admin.pl access" sid="6804"> <Token id="content" type="str" nocase="1" uricont="1">/calendar-admin.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI Amaya templates sendtemp.pl access" sid="6808"> <Token id="content" type="str" nocase="1" uricont="1">/sendtemp.pl</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI auktion.cgi directory traversal attempt" sid="6812"> <Token id="content" type="str" nocase="1" uricont="1">/auktion.cgi</Token> <Token id="content" type="str" nocase="1">menue=../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cal_make.pl directory traversal attempt" sid="6816"> <Token id="content" type="str" nocase="1" uricont="1">/cal_make.pl</Token> <Token id="content" type="str" nocase="1">p0=../../</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI echo.bat arbitrary command execution attempt" sid="6820"> <Token id="content" type="str" uricont="1">/echo.bat</Token> <Token id="content" type="str">&</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI echo.bat access" sid="6824"> <Token id="content" type="str" uricont="1">/echo.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI hello.bat arbitrary command execution attempt" sid="6828"> <Token id="content" type="str" uricont="1">/hello.bat</Token> <Token id="content" type="str">&</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI hello.bat access" sid="6832"> <Token id="content" type="str" uricont="1">/hello.bat</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI ad.cgi access" sid="6836"> <Token id="content" type="str" nocase="1" uricont="1">/ad.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bbs_forum.cgi access" sid="6840"> <Token id="content" type="str" nocase="1" uricont="1">/bbs_forum.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bsguest.cgi access" sid="6844"> <Token id="content" type="str" nocase="1" uricont="1">/bsguest.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI bslist.cgi access" sid="6848"> <Token id="content" type="str" nocase="1" uricont="1">/bslist.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI cgforum.cgi access" sid="6852"> <Token id="content" type="str" nocase="1" uricont="1">/cgforum.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI newdesk access" sid="6856"> <Token id="content" type="str" nocase="1" uricont="1">/newdesk</Token> </Rule> <Rule al="Monitor" ar="Allow" dir="in" prot="tcp" locaddr_id="http_servers" remaddr_id="external_net" locport="80" remport="*" name="WEB-CGI register.cgi access" sid="6860"> <Token id="content" type="str" nocase="1" uricont="1">/register.cgi</Token> </Rule> <Rule al="Monitor" ar="Allow" d