Bro signatures parse error?
Robin Sommer
robin at icir.org
Mon Sep 15 16:30:36 PDT 2003
On Sat, Sep 13, 2003 at 16:22 +0800, wangliejun wrote:
> [root@ /root/source/bro-pub-0.8a34]> ./bro -F -i lnc0 -s sig.ex.web-rules.bro -S mt
> Error in signature (sig.ex.web-rules.bro:8): parse error
> [root@ /root/source/bro-pub-0.8a34]> ./bro -F -i lnc0 -s sig.ex.ssl-worm.bro -S mt
> Error in signature (sig.ex.ssl-worm.bro:10): parse error
Some of the keywords have been renamed in newer versions, and I
forgot to adapt the examples. The attacked patch should fix
the problems (note that for sig.ex.ssl-worm.bro you need to load
policy/ssl-worm.bro, too).
Robin
--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer at in.tum.de
-------------- next part --------------
diff -u bro-pub-0.8a34/sig.ex.ssl-worm.bro bro-patched/sig.ex.ssl-worm.bro
--- bro-pub-0.8a34/sig.ex.ssl-worm.bro Thu Jan 16 01:24:57 2003
+++ bro-patched/sig.ex.ssl-worm.bro Tue Sep 16 01:27:40 2003
@@ -7,7 +7,7 @@
}
signature sslworm-vulnerable-probe {
- requires-rule sslworm-probe
+ requires-signature sslworm-probe
eval sslworm_is_server_vulnerable
event "Host may have been probed by Apache/SSL worm and is vulnerable"
}
diff -u bro-pub-0.8a34/sig.ex.web-rules.bro bro-patched/sig.ex.web-rules.bro
--- bro-pub-0.8a34/sig.ex.web-rules.bro Thu Jan 16 01:24:58 2003
+++ bro-patched/sig.ex.web-rules.bro Tue Sep 16 01:27:41 2003
@@ -5,7 +5,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/
- msg "WEB-ATTACKS ps command attempt"
+ event "WEB-ATTACKS ps command attempt"
}
signature sid-1329 {
@@ -15,7 +15,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[pP][sS]%20/
- msg "WEB-ATTACKS /bin/ps command attempt"
+ event "WEB-ATTACKS /bin/ps command attempt"
}
signature sid-1330 {
@@ -24,7 +24,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS wget command attempt"
+ event "WEB-ATTACKS wget command attempt"
payload /.*[wW][gG][eE][tT]%20/
}
@@ -34,7 +34,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS uname -a command attempt"
+ event "WEB-ATTACKS uname -a command attempt"
payload /.*[uU][nN][aA][mM][eE]%20-[aA]/
}
@@ -44,7 +44,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /usr/bin/id command attempt"
+ event "WEB-ATTACKS /usr/bin/id command attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[iI][dD]/
}
@@ -54,7 +54,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS id command attempt"
+ event "WEB-ATTACKS id command attempt"
payload /.*;[iI][dD]/
}
@@ -64,7 +64,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS echo command attempt"
+ event "WEB-ATTACKS echo command attempt"
payload /.*\/[bB][iI][nN]\/[eE][cC][hH][oO]/
}
@@ -74,7 +74,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS kill command attempt"
+ event "WEB-ATTACKS kill command attempt"
payload /.*\/[bB][iI][nN]\/[kK][iI][lL][lL]/
}
@@ -84,7 +84,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS chmod command attempt"
+ event "WEB-ATTACKS chmod command attempt"
payload /.*\/[bB][iI][nN]\/[cC][hH][mM][oO][dD]/
}
@@ -94,7 +94,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS chgrp command attempt"
+ event "WEB-ATTACKS chgrp command attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][gG][rR][pP]/
}
@@ -104,7 +104,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS chown command attempt"
+ event "WEB-ATTACKS chown command attempt"
payload /.*\/[uU][sS][rR]\/[sS][bB][iI][nN]\/[cC][hH][oO][wW][nN]/
}
@@ -114,7 +114,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS chsh command attempt"
+ event "WEB-ATTACKS chsh command attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][hH][sS][hH]/
}
@@ -124,7 +124,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS tftp command attempt"
+ event "WEB-ATTACKS tftp command attempt"
payload /.*[tT][fF][tT][pP]%20/
}
@@ -134,7 +134,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /usr/bin/gcc command attempt"
+ event "WEB-ATTACKS /usr/bin/gcc command attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG][cC][cC]/
}
@@ -144,7 +144,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS gcc command attempt"
+ event "WEB-ATTACKS gcc command attempt"
payload /.*[gG][cC][cC]%20-[oO]/
}
@@ -154,7 +154,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /usr/bin/cc command attempt"
+ event "WEB-ATTACKS /usr/bin/cc command attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][cC]/
}
@@ -164,7 +164,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS cc command attempt"
+ event "WEB-ATTACKS cc command attempt"
payload /.*[cC][cC]%20/
}
@@ -174,7 +174,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /usr/bin/cpp command attempt"
+ event "WEB-ATTACKS /usr/bin/cpp command attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[cC][pP][pP]/
}
@@ -184,7 +184,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS cpp command attempt"
+ event "WEB-ATTACKS cpp command attempt"
payload /.*[cC][pP][pP]%20/
}
@@ -194,7 +194,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /usr/bin/g++ command attempt"
+ event "WEB-ATTACKS /usr/bin/g++ command attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[gG]\+\+/
}
@@ -204,7 +204,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS g++ command attempt"
+ event "WEB-ATTACKS g++ command attempt"
payload /.*[gG]\+\+%20/
}
@@ -214,7 +214,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS bin/python access attempt"
+ event "WEB-ATTACKS bin/python access attempt"
payload /.*[bB][iI][nN]\/[pP][yY][tT][hH][oO][nN]/
}
@@ -224,7 +224,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS python access attempt"
+ event "WEB-ATTACKS python access attempt"
payload /.*[pP][yY][tT][hH][oO][nN]%20/
}
@@ -234,7 +234,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS bin/tclsh execution attempt"
+ event "WEB-ATTACKS bin/tclsh execution attempt"
payload /.*[bB][iI][nN]\/[tT][cC][lL][sS][hH]/
}
@@ -244,7 +244,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS tclsh execution attempt"
+ event "WEB-ATTACKS tclsh execution attempt"
payload /.*[tT][cC][lL][sS][hH]8%20/
}
@@ -254,7 +254,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS bin/nasm command attempt"
+ event "WEB-ATTACKS bin/nasm command attempt"
payload /.*[bB][iI][nN]\/[nN][aA][sS][mM]/
}
@@ -264,7 +264,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS nasm command attempt"
+ event "WEB-ATTACKS nasm command attempt"
payload /.*[nN][aA][sS][mM]%20/
}
@@ -274,7 +274,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /usr/bin/perl execution attempt"
+ event "WEB-ATTACKS /usr/bin/perl execution attempt"
payload /.*\/[uU][sS][rR]\/[bB][iI][nN]\/[pP][eE][rR][lL]/
}
@@ -284,7 +284,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS perl execution attempt"
+ event "WEB-ATTACKS perl execution attempt"
payload /.*[pP][eE][rR][lL]%20/
}
@@ -294,7 +294,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS nt admin addition attempt"
+ event "WEB-ATTACKS nt admin addition attempt"
payload /.*[nN][eE][tT] [lL][oO][cC][aA][lL][gG][rR][oO][uU][pP] [aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS] \/[aA][dD][dD]/
}
@@ -304,7 +304,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS traceroute command attempt"
+ event "WEB-ATTACKS traceroute command attempt"
payload /.*[tT][rR][aA][cC][eE][rR][oO][uU][tT][eE]%20/
}
@@ -314,7 +314,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS ping command attempt"
+ event "WEB-ATTACKS ping command attempt"
payload /.*\/[bB][iI][nN]\/[pP][iI][nN][gG]/
}
@@ -324,7 +324,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS netcat command attempt"
+ event "WEB-ATTACKS netcat command attempt"
payload /.*[nN][cC]%20/
}
@@ -334,7 +334,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS nmap command attempt"
+ event "WEB-ATTACKS nmap command attempt"
payload /.*[nN][mM][aA][pP]%20/
}
@@ -344,7 +344,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS xterm command attempt"
+ event "WEB-ATTACKS xterm command attempt"
payload /.*\/[uU][sS][rR]\/[xX]11[rR]6\/[bB][iI][nN]\/[xX][tT][eE][rR][mM]/
}
@@ -354,7 +354,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS X application to remote host attempt"
+ event "WEB-ATTACKS X application to remote host attempt"
payload /.*%20-[dD][iI][sS][pP][lL][aA][yY]%20/
}
@@ -364,7 +364,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS lsof command attempt"
+ event "WEB-ATTACKS lsof command attempt"
payload /.*[lL][sS][oO][fF]%20/
}
@@ -374,7 +374,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS rm command attempt"
+ event "WEB-ATTACKS rm command attempt"
payload /.*[rR][mM]%20/
}
@@ -384,7 +384,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS mail command attempt"
+ event "WEB-ATTACKS mail command attempt"
payload /.*\/[bB][iI][nN]\/[mM][aA][iI][lL]/
}
@@ -394,7 +394,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS mail command attempt"
+ event "WEB-ATTACKS mail command attempt"
payload /.*[mM][aA][iI][lL]%20/
}
@@ -405,7 +405,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][nN][\/\\][lL][sS]\|/
- msg "WEB-ATTACKS /bin/ls| command attempt"
+ event "WEB-ATTACKS /bin/ls| command attempt"
}
signature sid-1369 {
@@ -415,7 +415,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][nN][\/\\][lL][sS]/
- msg "WEB-ATTACKS /bin/ls command attempt"
+ event "WEB-ATTACKS /bin/ls command attempt"
}
signature sid-1370 {
@@ -424,7 +424,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /etc/inetd.conf access"
+ event "WEB-ATTACKS /etc/inetd.conf access"
payload /.*\/[eE][tT][cC]\/[iI][nN][eE][tT][dD]\.[cC][oO][nN][fF]/
}
@@ -434,7 +434,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /etc/motd access"
+ event "WEB-ATTACKS /etc/motd access"
payload /.*\/[eE][tT][cC]\/[mM][oO][tT][dD]/
}
@@ -444,7 +444,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS /etc/shadow access"
+ event "WEB-ATTACKS /etc/shadow access"
payload /.*\/[eE][tT][cC]\/[sS][hH][aA][dD][oO][wW]/
}
@@ -454,7 +454,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-ATTACKS conf/httpd.conf attempt"
+ event "WEB-ATTACKS conf/httpd.conf attempt"
payload /.*[cC][oO][nN][fF]\/[hH][tT][tT][pP][dD]\.[cC][oO][nN][fF]/
}
@@ -465,7 +465,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[hH][tT][gG][rR][oO][uU][pP]/
- msg "WEB-ATTACKS .htgroup access"
+ event "WEB-ATTACKS .htgroup access"
}
signature sid-803 {
@@ -475,7 +475,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]hsx\.cgi/
- msg "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
+ event "WEB-CGI HyperSeek hsx.cgi directory traversal attempt"
payload /.*\.\.\/\.\.\//
payload /.*%00/
}
@@ -487,7 +487,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]hsx\.cgi/
- msg "WEB-CGI HyperSeek hsx.cgi access"
+ event "WEB-CGI HyperSeek hsx.cgi access"
}
signature sid-805 {
@@ -497,7 +497,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][sS][iI][sS][aA]\.[dD][lL][lL][\/\\][wW][sS][eE][rR][vV][iI][cC][eE]=/
- msg "WEB-CGI webspeed access"
+ event "WEB-CGI webspeed access"
payload /.*[wW][sS][mM][aA][dD][mM][iI][nN]/
}
@@ -508,7 +508,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][yY][aA][bB][bB]\.[pP][lL]/
- msg "WEB-CGI yabb.cgi directory traversal attempt"
+ event "WEB-CGI yabb.cgi directory traversal attempt"
payload /.*\.\.\//
}
@@ -519,7 +519,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][yY][aA][bB][bB]\.[pP][lL]/
- msg "WEB-CGI yabb.cgi access"
+ event "WEB-CGI yabb.cgi access"
}
signature sid-807 {
@@ -529,7 +529,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][wW][wW][bB][oO][aA][rR][dD][\/\\][pP][aA][sS][sS][wW][dD]\.[tT][xX][tT]/
- msg "WEB-CGI wwwboard passwd access"
+ event "WEB-CGI wwwboard passwd access"
}
signature sid-808 {
@@ -539,7 +539,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][dD][rR][iI][vV][eE][rR]/
- msg "WEB-CGI webdriver access"
+ event "WEB-CGI webdriver access"
}
signature sid-809 {
@@ -549,7 +549,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]whois_raw\.cgi\?/
- msg "WEB-CGI whois_raw attempt"
+ event "WEB-CGI whois_raw attempt"
payload /.*\x0a/
}
@@ -560,7 +560,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]whois_raw\.cgi/
- msg "WEB-CGI whois_raw access"
+ event "WEB-CGI whois_raw access"
}
signature sid-811 {
@@ -569,7 +569,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-CGI websitepro path access"
+ event "WEB-CGI websitepro path access"
payload /.* \/[hH][tT][tT][pP]\/1\./
}
@@ -580,7 +580,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][pP][lL][uU][sS]\?[aA][bB][oO][uU][tT]/
- msg "WEB-CGI webplus version access"
+ event "WEB-CGI webplus version access"
}
signature sid-813 {
@@ -590,7 +590,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][pP][lL][uU][sS]\?[sS][cC][rR][iI][pP][tT]/
- msg "WEB-CGI webplus directory traversal"
+ event "WEB-CGI webplus directory traversal"
payload /.*\.\.\//
}
@@ -601,7 +601,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][sS][eE][nN][dD][mM][aA][iI][lL]/
- msg "WEB-CGI websendmail access"
+ event "WEB-CGI websendmail access"
}
signature sid-1571 {
@@ -611,7 +611,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]dcforum\.cgi/
- msg "WEB-CGI dcforum.cgi directory traversal attempt"
+ event "WEB-CGI dcforum.cgi directory traversal attempt"
payload /.*forum=\.\.\/\.\./
}
@@ -622,7 +622,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]dcforum\.cgi/
- msg "WEB-CGI dcforum.cgi access"
+ event "WEB-CGI dcforum.cgi access"
}
signature sid-817 {
@@ -632,7 +632,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]dcboard\.cgi/
- msg "WEB-CGI dcboard.cgi invalid user addition attempt"
+ event "WEB-CGI dcboard.cgi invalid user addition attempt"
payload /.*command=register/
payload /.*%7cadmin/
}
@@ -644,7 +644,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]dcboard\.cgi/
- msg "WEB-CGI dcboard.cgi access"
+ event "WEB-CGI dcboard.cgi access"
}
signature sid-819 {
@@ -654,7 +654,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][mM][sS][tT][dD][oO][dD]\.[cC][gG][iI]/
- msg "WEB-CGI mmstdod.cgi access"
+ event "WEB-CGI mmstdod.cgi access"
}
signature sid-820 {
@@ -664,7 +664,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][pP][eE][xX][eE][cC]\.[pP][lL]/
- msg "WEB-CGI anaconda directory transversal attempt"
+ event "WEB-CGI anaconda directory transversal attempt"
payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=\.\.\//
}
@@ -675,7 +675,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][mM][aA][gG][eE][mM][aA][pP]\.[eE][xX][eE]/
- msg "WEB-CGI imagemap.exe access"
+ event "WEB-CGI imagemap.exe access"
}
signature sid-823 {
@@ -685,7 +685,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][vV][sS][wW][eE][bB]\.[cC][gG][iI]/
- msg "WEB-CGI cvsweb.cgi access"
+ event "WEB-CGI cvsweb.cgi access"
}
signature sid-824 {
@@ -695,7 +695,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][hH][pP]\.[cC][gG][iI]/
- msg "WEB-CGI php.cgi access"
+ event "WEB-CGI php.cgi access"
}
signature sid-825 {
@@ -705,7 +705,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][gG][lL][iI][mM][pP][sS][eE]/
- msg "WEB-CGI glimpse access"
+ event "WEB-CGI glimpse access"
}
signature sid-1608 {
@@ -715,7 +715,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][hH][tT][mM][lL][sS][cC][rR][iI][pP][tT]\?\.\.[\/\\]\.\./
- msg "WEB-CGI htmlscript attempt"
+ event "WEB-CGI htmlscript attempt"
}
signature sid-826 {
@@ -725,7 +725,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][hH][tT][mM][lL][sS][cC][rR][iI][pP][tT]/
- msg "WEB-CGI htmlscript access"
+ event "WEB-CGI htmlscript access"
}
signature sid-827 {
@@ -735,7 +735,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][nN][fF][oO]2[wW][wW][wW]/
- msg "WEB-CGI info2www access"
+ event "WEB-CGI info2www access"
}
signature sid-828 {
@@ -745,7 +745,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][iI][lL][lL][iI][sS][tT]\.[pP][lL]/
- msg "WEB-CGI maillist.pl access"
+ event "WEB-CGI maillist.pl access"
}
signature sid-829 {
@@ -755,7 +755,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][nN][pP][hH]-[tT][eE][sS][tT]-[cC][gG][iI]/
- msg "WEB-CGI nph-test-cgi access"
+ event "WEB-CGI nph-test-cgi access"
}
signature sid-1451 {
@@ -765,7 +765,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][nN][pP][hH]-[mM][aA][iI][lL][lL][iI][sS][tT]\.[pP][lL]/
- msg "WEB-CGI NPH-publish access"
+ event "WEB-CGI NPH-publish access"
}
signature sid-830 {
@@ -775,7 +775,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][nN][pP][hH]-[pP][uU][bB][lL][iI][sS][hH]/
- msg "WEB-CGI NPH-publish access"
+ event "WEB-CGI NPH-publish access"
}
signature sid-833 {
@@ -785,7 +785,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][gG][uU][eE][sS][tT]\.[eE][xX][eE]/
- msg "WEB-CGI rguest.exe access"
+ event "WEB-CGI rguest.exe access"
}
signature sid-834 {
@@ -795,7 +795,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][wW][wW][wW][sS][hH][eE][lL][lL]\.[pP][lL]/
- msg "WEB-CGI rwwwshell.pl access"
+ event "WEB-CGI rwwwshell.pl access"
}
signature sid-1644 {
@@ -805,7 +805,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][eE][sS][tT]-[cC][gG][iI][\/\\]\*\?\*/
- msg "WEB-CGI test-cgi attempt"
+ event "WEB-CGI test-cgi attempt"
}
signature sid-835 {
@@ -815,7 +815,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][eE][sS][tT]-[cC][gG][iI]/
- msg "WEB-CGI test-cgi access"
+ event "WEB-CGI test-cgi access"
}
signature sid-1645 {
@@ -825,7 +825,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][eE][sS][tT][cC][gG][iI]/
- msg "WEB-CGI testcgi access"
+ event "WEB-CGI testcgi access"
}
signature sid-1646 {
@@ -835,7 +835,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][eE][sS][tT]\.[cC][gG][iI]/
- msg "WEB-CGI test.cgi access"
+ event "WEB-CGI test.cgi access"
}
signature sid-836 {
@@ -845,7 +845,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][eE][xX][tT][cC][oO][uU][nN][tT][eE][rR]\.[pP][lL]/
- msg "WEB-CGI textcounter.pl access"
+ event "WEB-CGI textcounter.pl access"
}
signature sid-837 {
@@ -855,7 +855,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][pP][lL][oO][aA][dD][eE][rR]\.[eE][xX][eE]/
- msg "WEB-CGI uploader.exe access"
+ event "WEB-CGI uploader.exe access"
}
signature sid-838 {
@@ -865,7 +865,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][gG][aA][iI][sS]/
- msg "WEB-CGI webgais access"
+ event "WEB-CGI webgais access"
}
signature sid-839 {
@@ -875,7 +875,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][iI][nN][gG][eE][rR]/
- msg "WEB-CGI finger access"
+ event "WEB-CGI finger access"
}
signature sid-840 {
@@ -885,7 +885,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][eE][rR][lL][sS][hH][oO][pP]\.[cC][gG][iI]/
- msg "WEB-CGI perlshop.cgi access"
+ event "WEB-CGI perlshop.cgi access"
}
signature sid-841 {
@@ -895,7 +895,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][fF][dD][iI][sS][pP][lL][aA][yY]\.[cC][gG][iI]/
- msg "WEB-CGI pfdisplay.cgi access"
+ event "WEB-CGI pfdisplay.cgi access"
}
signature sid-842 {
@@ -905,7 +905,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][gG][lL][iI][mM][pP][sS][eE]/
- msg "WEB-CGI aglimpse access"
+ event "WEB-CGI aglimpse access"
}
signature sid-843 {
@@ -915,7 +915,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][nN][fF][oO][rR][mM]2/
- msg "WEB-CGI anform2 access"
+ event "WEB-CGI anform2 access"
}
signature sid-844 {
@@ -925,7 +925,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][rR][gG][sS]\.[bB][aA][tT]/
- msg "WEB-CGI args.bat access"
+ event "WEB-CGI args.bat access"
}
signature sid-1452 {
@@ -935,7 +935,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][rR][gG][sS]\.[cC][mM][dD]/
- msg "WEB-CGI args.cmd access"
+ event "WEB-CGI args.cmd access"
}
signature sid-845 {
@@ -945,7 +945,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][tT]-[aA][dD][mM][iI][nN]\.[cC][gG][iI]/
- msg "WEB-CGI AT-admin.cgi access"
+ event "WEB-CGI AT-admin.cgi access"
}
signature sid-1453 {
@@ -955,7 +955,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][tT]-[gG][eE][nN][eE][rR][aA][tT][eE][dD]\.[cC][gG][iI]/
- msg "WEB-CGI AT-generated.cgi access"
+ event "WEB-CGI AT-generated.cgi access"
}
signature sid-846 {
@@ -965,7 +965,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][nN][bB][fF][oO][rR][mM]\.[cC][gG][iI]/
- msg "WEB-CGI bnbform.cgi access"
+ event "WEB-CGI bnbform.cgi access"
}
signature sid-847 {
@@ -975,7 +975,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][mM][pP][aA][sS]/
- msg "WEB-CGI campas access"
+ event "WEB-CGI campas access"
}
signature sid-848 {
@@ -985,7 +985,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][vV][iI][eE][wW]-[sS][oO][uU][rR][cC][eE]/
- msg "WEB-CGI view-source directory traversal"
+ event "WEB-CGI view-source directory traversal"
payload /.*\.\.\//
}
@@ -996,7 +996,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][vV][iI][eE][wW]-[sS][oO][uU][rR][cC][eE]/
- msg "WEB-CGI view-source access"
+ event "WEB-CGI view-source access"
}
signature sid-850 {
@@ -1006,7 +1006,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][aA][iI][sS]\.[pP][lL]/
- msg "WEB-CGI wais.pl access"
+ event "WEB-CGI wais.pl access"
}
signature sid-1454 {
@@ -1016,7 +1016,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][wW][wW][wW][aA][iI][sS]/
- msg "WEB-CGI wwwwais access"
+ event "WEB-CGI wwwwais access"
}
signature sid-851 {
@@ -1026,7 +1026,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][iI][lL][eE][sS]\.[pP][lL]/
- msg "WEB-CGI files.pl access"
+ event "WEB-CGI files.pl access"
}
signature sid-852 {
@@ -1036,7 +1036,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][gG][uU][eE][sS][tT]\.[eE][xX][eE]/
- msg "WEB-CGI wguest.exe access"
+ event "WEB-CGI wguest.exe access"
}
signature sid-853 {
@@ -1046,7 +1046,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]wrap/
- msg "WEB-CGI wrap access"
+ event "WEB-CGI wrap access"
}
signature sid-854 {
@@ -1056,7 +1056,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][lL][aA][sS][sS][iI][fF][iI][eE][dD][sS]\.[cC][gG][iI]/
- msg "WEB-CGI classifieds.cgi access"
+ event "WEB-CGI classifieds.cgi access"
}
signature sid-856 {
@@ -1066,7 +1066,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][nN][vV][iI][rR][oO][nN]\.[cC][gG][iI]/
- msg "WEB-CGI environ.cgi access"
+ event "WEB-CGI environ.cgi access"
}
signature sid-1647 {
@@ -1076,7 +1076,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][aA][xX][sS][uU][rR][vV][eE][yY]\?[\/\\]/
- msg "WEB-CGI faxsurvey attempt (full path)"
+ event "WEB-CGI faxsurvey attempt (full path)"
}
signature sid-1609 {
@@ -1086,7 +1086,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][aA][xX][sS][uU][rR][vV][eE][yY]\?[cC][aA][tT]%20/
- msg "WEB-CGI faxsurvey attempt"
+ event "WEB-CGI faxsurvey attempt"
}
signature sid-857 {
@@ -1096,7 +1096,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][aA][xX][sS][uU][rR][vV][eE][yY]/
- msg "WEB-CGI faxsurvey access"
+ event "WEB-CGI faxsurvey access"
}
signature sid-858 {
@@ -1106,7 +1106,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][iI][lL][eE][mM][aA][iI][lL]\.[pP][lL]/
- msg "WEB-CGI filemail access"
+ event "WEB-CGI filemail access"
}
signature sid-859 {
@@ -1116,7 +1116,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][nN]\.[sS][hH]/
- msg "WEB-CGI man.sh access"
+ event "WEB-CGI man.sh access"
}
signature sid-860 {
@@ -1126,7 +1126,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][nN][oO][rR][kK]\.[bB][aA][tT]/
- msg "WEB-CGI snork.bat access"
+ event "WEB-CGI snork.bat access"
}
signature sid-861 {
@@ -1136,7 +1136,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW]3-[mM][sS][qQ][lL][\/\\]/
- msg "WEB-CGI w3-msql access"
+ event "WEB-CGI w3-msql access"
}
signature sid-863 {
@@ -1146,7 +1146,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][aA][yY]5[dD][aA][tT][aA][cC][oO][pP][iI][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI day5datacopier.cgi access"
+ event "WEB-CGI day5datacopier.cgi access"
}
signature sid-864 {
@@ -1156,7 +1156,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][aA][yY]5[dD][aA][tT][aA][nN][oO][tT][iI][fF][iI][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI day5datanotifier.cgi access"
+ event "WEB-CGI day5datanotifier.cgi access"
}
signature sid-866 {
@@ -1166,7 +1166,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][oO][sS][tT]-[qQ][uU][eE][rR][yY]/
- msg "WEB-CGI post-query access"
+ event "WEB-CGI post-query access"
}
signature sid-867 {
@@ -1176,7 +1176,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][vV][iI][sS][aA][dD][mM][iI][nN]\.[eE][xX][eE]/
- msg "WEB-CGI visadmin.exe access"
+ event "WEB-CGI visadmin.exe access"
}
signature sid-869 {
@@ -1186,7 +1186,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][uU][mM][pP][eE][nN][vV]\.[pP][lL]/
- msg "WEB-CGI dumpenv.pl access"
+ event "WEB-CGI dumpenv.pl access"
}
signature sid-1536 {
@@ -1196,7 +1196,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]calendar_admin\.pl\?config=\|/
- msg "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
+ event "WEB-CGI calendar_admin.pl arbitrary command execution attempt"
}
signature sid-1537 {
@@ -1206,7 +1206,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]calendar_admin\.pl/
- msg "WEB-CGI calendar_admin.pl access"
+ event "WEB-CGI calendar_admin.pl access"
}
signature sid-1701 {
@@ -1216,7 +1216,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][lL][eE][nN][dD][aA][rR]-[aA][dD][mM][iI][nN]\.[pP][lL]/
- msg "WEB-CGI calendar-admin.pl access"
+ event "WEB-CGI calendar-admin.pl access"
}
signature sid-1455 {
@@ -1226,7 +1226,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][lL][eE][nN][dD][eE][rR]\.[pP][lL]/
- msg "WEB-CGI calender.pl access"
+ event "WEB-CGI calender.pl access"
}
signature sid-882 {
@@ -1236,7 +1236,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][lL][eE][nN][dD][aA][rR]/
- msg "WEB-CGI calendar access"
+ event "WEB-CGI calendar access"
}
signature sid-1457 {
@@ -1246,7 +1246,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][sS][eE][rR]_[uU][pP][dD][aA][tT][eE]_[aA][dD][mM][iI][nN]\.[pP][lL]/
- msg "WEB-CGI user_update_admin.pl access"
+ event "WEB-CGI user_update_admin.pl access"
}
signature sid-1458 {
@@ -1256,7 +1256,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][sS][eE][rR]_[uU][pP][dD][aA][tT][eE]_[pP][aA][sS][sS][wW][dD]\.[pP][lL]/
- msg "WEB-CGI user_update_passwd.pl access"
+ event "WEB-CGI user_update_passwd.pl access"
}
signature sid-870 {
@@ -1266,7 +1266,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][nN][oO][rR][kK][eE][rR][zZ]\.[cC][mM][dD]/
- msg "WEB-CGI snorkerz.cmd access"
+ event "WEB-CGI snorkerz.cmd access"
}
signature sid-871 {
@@ -1276,7 +1276,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][uU][rR][vV][eE][yY]\.[cC][gG][iI]/
- msg "WEB-CGI survey.cgi access"
+ event "WEB-CGI survey.cgi access"
}
signature sid-873 {
@@ -1286,7 +1286,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][\/\\][\/\\]/
- msg "WEB-CGI scriptalias access"
+ event "WEB-CGI scriptalias access"
}
signature sid-874 {
@@ -1296,7 +1296,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][nN][\/\\][sS][hH][aA]-[cC][aA][\/\\][uU][sS][rR][\/\\][oO][pP][eE][nN][wW][iI][nN]/
- msg "WEB-CGI w3-msql solaris x86 access"
+ event "WEB-CGI w3-msql solaris x86 access"
}
signature sid-875 {
@@ -1306,7 +1306,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][iI][nN]-[cC]-[sS][aA][mM][pP][lL][eE]\.[eE][xX][eE]/
- msg "WEB-CGI win-c-sample.exe access"
+ event "WEB-CGI win-c-sample.exe access"
}
signature sid-878 {
@@ -1316,7 +1316,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW]3[tT][vV][aA][rR][sS]\.[pP][mM]/
- msg "WEB-CGI w3tvars.pm access"
+ event "WEB-CGI w3tvars.pm access"
}
signature sid-879 {
@@ -1326,7 +1326,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN]\.[pP][lL]/
- msg "WEB-CGI admin.pl access"
+ event "WEB-CGI admin.pl access"
}
signature sid-880 {
@@ -1336,7 +1336,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][lL][wW][gG][aA][tT][eE]/
- msg "WEB-CGI LWGate access"
+ event "WEB-CGI LWGate access"
}
signature sid-881 {
@@ -1346,7 +1346,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][rR][cC][hH][iI][eE]/
- msg "WEB-CGI archie access"
+ event "WEB-CGI archie access"
}
signature sid-883 {
@@ -1356,7 +1356,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][lL][eE][xX][fF][oO][rR][mM]/
- msg "WEB-CGI flexform access"
+ event "WEB-CGI flexform access"
}
signature sid-1610 {
@@ -1366,7 +1366,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][oO][rR][mM][mM][aA][iI][lL]/
- msg "WEB-CGI formmail attempt"
+ event "WEB-CGI formmail attempt"
payload /.*%0[aA]/
}
@@ -1377,7 +1377,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][oO][rR][mM][mM][aA][iI][lL]/
- msg "WEB-CGI formmail access"
+ event "WEB-CGI formmail access"
}
signature sid-886 {
@@ -1387,7 +1387,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][hH][fF]/
- msg "WEB-CGI phf access"
+ event "WEB-CGI phf access"
}
signature sid-887 {
@@ -1397,7 +1397,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][wW][wW]-[sS][qQ][lL]/
- msg "WEB-CGI www-sql access"
+ event "WEB-CGI www-sql access"
}
signature sid-888 {
@@ -1407,7 +1407,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][wW][wW][aA][dD][mM][iI][nN]\.[pP][lL]/
- msg "WEB-CGI wwwadmin.pl access"
+ event "WEB-CGI wwwadmin.pl access"
}
signature sid-889 {
@@ -1417,7 +1417,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][pP][dD][sS][cC][gG][iI]\.[eE][xX][eE]/
- msg "WEB-CGI ppdscgi.exe access"
+ event "WEB-CGI ppdscgi.exe access"
}
signature sid-890 {
@@ -1427,7 +1427,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][nN][dD][fF][oO][rR][mM]\.[cC][gG][iI]/
- msg "WEB-CGI sendform.cgi access"
+ event "WEB-CGI sendform.cgi access"
}
signature sid-891 {
@@ -1437,7 +1437,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][pP][lL][oO][aA][dD]\.[pP][lL]/
- msg "WEB-CGI upload.pl access"
+ event "WEB-CGI upload.pl access"
}
signature sid-892 {
@@ -1447,7 +1447,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][nN][yY][fF][oO][rR][mM]2/
- msg "WEB-CGI AnyForm2 access"
+ event "WEB-CGI AnyForm2 access"
}
signature sid-893 {
@@ -1457,7 +1457,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][cC][hH][iI][nN][eE][iI][nN][fF][oO]/
- msg "WEB-CGI MachineInfo access"
+ event "WEB-CGI MachineInfo access"
}
signature sid-1531 {
@@ -1467,7 +1467,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[hH][iI][sS][tT]\.[sS][hH]\?[hH][iI][sS][tT][fF][iI][lL][eE]=\.\.[\/\\]\.\./
- msg "WEB-CGI bb-hist.sh attempt"
+ event "WEB-CGI bb-hist.sh attempt"
}
signature sid-894 {
@@ -1477,7 +1477,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[hH][iI][sS][tT]\.[sS][hH]/
- msg "WEB-CGI bb-hist.sh access"
+ event "WEB-CGI bb-hist.sh access"
}
signature sid-1459 {
@@ -1487,7 +1487,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[hH][iI][sS][tT][lL][oO][gG]\.[sS][hH]/
- msg "WEB-CGI bb-histlog.sh access"
+ event "WEB-CGI bb-histlog.sh access"
}
signature sid-1460 {
@@ -1497,7 +1497,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[hH][iI][sS][tT][sS][vV][cC]\.[sS][hH]/
- msg "WEB-CGI bb-histsvc.sh access"
+ event "WEB-CGI bb-histsvc.sh access"
}
signature sid-1532 {
@@ -1507,7 +1507,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[hH][oO][sS][tT][sS][vV][cC]\.[sS][hH]\?[hH][oO][sS][tT][sS][vV][cC]\?\.\.[\/\\]\.\./
- msg "WEB-CGI bb-hostscv.sh attempt"
+ event "WEB-CGI bb-hostscv.sh attempt"
}
signature sid-1533 {
@@ -1517,7 +1517,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[hH][oO][sS][tT][sS][vV][cC]\.[sS][hH]/
- msg "WEB-CGI bb-hostscv.sh access"
+ event "WEB-CGI bb-hostscv.sh access"
}
signature sid-1461 {
@@ -1527,7 +1527,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[rR][eE][pP]\.[sS][hH]/
- msg "WEB-CGI bb-rep.sh access"
+ event "WEB-CGI bb-rep.sh access"
}
signature sid-1462 {
@@ -1537,7 +1537,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[rR][eE][pP][lL][oO][gG]\.[sS][hH]/
- msg "WEB-CGI bb-replog.sh access"
+ event "WEB-CGI bb-replog.sh access"
}
signature sid-895 {
@@ -1547,7 +1547,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][eE][dD][iI][rR][eE][cC][tT]/
- msg "WEB-CGI redirect access"
+ event "WEB-CGI redirect access"
}
signature sid-1397 {
@@ -1557,7 +1557,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][aA][yY]-[bB][oO][aA][rR][dD][\/\\][wW][aA][yY]-[bB][oO][aA][rR][dD]\.[cC][gG][iI]/
- msg "WEB-CGI wayboard attempt"
+ event "WEB-CGI wayboard attempt"
payload /.*[dD][bB]=/
payload /.*\.\.\/\.\./
}
@@ -1569,7 +1569,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][aA][yY]-[bB][oO][aA][rR][dD]/
- msg "WEB-CGI wayboard access"
+ event "WEB-CGI wayboard access"
}
signature sid-1222 {
@@ -1579,7 +1579,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][aA][lL][sS]-[cC][gG][iI]/
- msg "WEB-CGI pals-cgi arbitrary file read attempt"
+ event "WEB-CGI pals-cgi arbitrary file read attempt"
payload /.*[dD][oO][cC][uU][mM][eE][nN][tT][nN][aA][mM][eE]=/
}
@@ -1590,7 +1590,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][aA][lL][sS]-[cC][gG][iI]/
- msg "WEB-CGI pals-cgi access"
+ event "WEB-CGI pals-cgi access"
}
signature sid-1572 {
@@ -1600,7 +1600,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][mM][mM][eE][rR][cC][eE]\.[cC][gG][iI]\?[pP][aA][gG][eE]=\.\.[\/\\]\.\./
- msg "WEB-CGI commerce.cgi attempt"
+ event "WEB-CGI commerce.cgi attempt"
}
signature sid-898 {
@@ -1610,7 +1610,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][mM][mM][eE][rR][cC][eE]\.[cC][gG][iI]/
- msg "WEB-CGI commerce.cgi access"
+ event "WEB-CGI commerce.cgi access"
}
signature sid-899 {
@@ -1620,7 +1620,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][nN][dD][tT][eE][mM][pP]\.[pP][lL]/
- msg "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
+ event "WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"
payload /.*[tT][eE][mM][pP][lL]=/
}
@@ -1631,7 +1631,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][nN][dD][tT][eE][mM][pP]\.[pP][lL]/
- msg "WEB-CGI Amaya templates sendtemp.pl access"
+ event "WEB-CGI Amaya templates sendtemp.pl access"
}
signature sid-900 {
@@ -1641,7 +1641,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][sS][pP][iI][rR][sS]\.[cC][gG][iI]/
- msg "WEB-CGI webspirs directory traversal attempt"
+ event "WEB-CGI webspirs directory traversal attempt"
payload /.*\.\.\/\.\.\//
}
@@ -1652,7 +1652,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][sS][pP][iI][rR][sS]\.[cC][gG][iI]/
- msg "WEB-CGI webspirs access"
+ event "WEB-CGI webspirs access"
}
signature sid-902 {
@@ -1662,7 +1662,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[tT][sS][tT][iI][sS][aA][pP][iI]\.[dD][lL][lL]/
- msg "WEB-CGI tstisapi.dll access"
+ event "WEB-CGI tstisapi.dll access"
}
signature sid-1308 {
@@ -1672,7 +1672,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][nN][dD][mM][eE][sS][sS][aA][gG][eE]\.[cC][gG][iI]/
- msg "WEB-CGI sendmessage.cgi access"
+ event "WEB-CGI sendmessage.cgi access"
}
signature sid-1392 {
@@ -1682,7 +1682,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][lL][aA][sS][tT][lL][iI][nN][eE][sS]\.[cC][gG][iI]/
- msg "WEB-CGI lastlines.cgi access"
+ event "WEB-CGI lastlines.cgi access"
}
signature sid-1395 {
@@ -1692,7 +1692,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]zml\.cgi/
- msg "WEB-CGI zml.cgi attempt"
+ event "WEB-CGI zml.cgi attempt"
payload /.*file=\.\.\//
}
@@ -1703,7 +1703,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]zml\.cgi/
- msg "WEB-CGI zml.cgi access"
+ event "WEB-CGI zml.cgi access"
}
signature sid-1405 {
@@ -1713,7 +1713,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][uU][bB][lL][iI][sS][hH][eE][rR][\/\\][sS][eE][aA][rR][cC][hH]\.[cC][gG][iI]/
- msg "WEB-CGI AHG search.cgi access"
+ event "WEB-CGI AHG search.cgi access"
payload /.*[tT][eE][mM][pP][lL][aA][tT][eE]=/
}
@@ -1724,7 +1724,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][tT][oO][rR][eE][\/\\][aA][gG][oO][rR][aA]\.[cC][gG][iI]\?[cC][aA][rR][tT]_[iI][dD]=<[sS][cC][rR][iI][pP][tT]>/
- msg "WEB-CGI agora.cgi attempt"
+ event "WEB-CGI agora.cgi attempt"
}
signature sid-1406 {
@@ -1734,7 +1734,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][tT][oO][rR][eE][\/\\][aA][gG][oO][rR][aA]\.[cC][gG][iI]/
- msg "WEB-CGI agora.cgi access"
+ event "WEB-CGI agora.cgi access"
}
signature sid-877 {
@@ -1744,7 +1744,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][kK][sS][hH]/
- msg "WEB-CGI rksh access"
+ event "WEB-CGI rksh access"
}
signature sid-885 {
@@ -1754,7 +1754,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][aA][sS][hH]/
- msg "WEB-CGI bash access"
+ event "WEB-CGI bash access"
}
signature sid-1648 {
@@ -1764,7 +1764,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][eE][rR][lL]\.[eE][xX][eE]\?/
- msg "WEB-CGI perl.exe command attempt"
+ event "WEB-CGI perl.exe command attempt"
}
signature sid-832 {
@@ -1774,7 +1774,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][eE][rR][lL]\.[eE][xX][eE]/
- msg "WEB-CGI perl.exe access"
+ event "WEB-CGI perl.exe access"
}
signature sid-1649 {
@@ -1784,7 +1784,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][eE][rR][lL]\?/
- msg "WEB-CGI perl command attempt"
+ event "WEB-CGI perl command attempt"
}
signature sid-1309 {
@@ -1794,7 +1794,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][zZ][sS][hH]/
- msg "WEB-CGI zsh access"
+ event "WEB-CGI zsh access"
}
signature sid-862 {
@@ -1804,7 +1804,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][sS][hH]/
- msg "WEB-CGI csh access"
+ event "WEB-CGI csh access"
}
signature sid-872 {
@@ -1814,7 +1814,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][cC][sS][hH]/
- msg "WEB-CGI tcsh access"
+ event "WEB-CGI tcsh access"
}
signature sid-868 {
@@ -1824,7 +1824,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][sS][hH]/
- msg "WEB-CGI rsh access"
+ event "WEB-CGI rsh access"
}
signature sid-865 {
@@ -1834,7 +1834,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][kK][sS][hH]/
- msg "WEB-CGI ksh access"
+ event "WEB-CGI ksh access"
}
signature sid-1703 {
@@ -1844,7 +1844,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][uU][kK][tT][iI][oO][nN]\.[cC][gG][iI]/
- msg "WEB-CGI auktion.cgi directory traversal attempt"
+ event "WEB-CGI auktion.cgi directory traversal attempt"
payload /.*[mM][eE][nN][uU][eE]=\.\.\/\.\.\//
}
@@ -1855,7 +1855,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][uU][kK][tT][iI][oO][nN]\.[cC][gG][iI]/
- msg "WEB-CGI auktion.cgi access"
+ event "WEB-CGI auktion.cgi access"
}
signature sid-1573 {
@@ -1865,7 +1865,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI][fF][oO][rR][uU][mM]\.[pP][lL]\?[tT][hH][eE][sS][eE][cC][tT][iI][oO][nN]=\.\.[\/\\]\.\./
- msg "WEB-CGI cgiforum.pl attempt"
+ event "WEB-CGI cgiforum.pl attempt"
}
signature sid-1466 {
@@ -1875,7 +1875,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI][fF][oO][rR][uU][mM]\.[pP][lL]/
- msg "WEB-CGI cgiforum.pl access"
+ event "WEB-CGI cgiforum.pl access"
}
signature sid-1574 {
@@ -1885,7 +1885,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][iI][rR][eE][cC][tT][oO][rR][yY][pP][rR][oO]\.[cC][gG][iI]/
- msg "WEB-CGI directorypro.cgi attempt"
+ event "WEB-CGI directorypro.cgi attempt"
payload /.*[sS][hH][oO][wW]=\.\.\/\.\./
}
@@ -1896,7 +1896,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][iI][rR][eE][cC][tT][oO][rR][yY][pP][rR][oO]\.[cC][gG][iI]/
- msg "WEB-CGI directorypro.cgi access"
+ event "WEB-CGI directorypro.cgi access"
}
signature sid-1468 {
@@ -1906,7 +1906,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][hH][oO][pP][pP][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI Web Shopper shopper.cgi attempt"
+ event "WEB-CGI Web Shopper shopper.cgi attempt"
payload /.*[nN][eE][wW][pP][aA][gG][eE]=\.\.\//
}
@@ -1917,7 +1917,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][hH][oO][pP][pP][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI Web Shopper shopper.cgi access"
+ event "WEB-CGI Web Shopper shopper.cgi access"
}
signature sid-1470 {
@@ -1927,7 +1927,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][lL][iI][sS][tT][rR][eE][cC]\.[pP][lL]/
- msg "WEB-CGI listrec.pl access"
+ event "WEB-CGI listrec.pl access"
}
signature sid-1471 {
@@ -1937,7 +1937,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][iI][lL][nN][eE][wW][sS]\.[cC][gG][iI]/
- msg "WEB-CGI mailnews.cgi access"
+ event "WEB-CGI mailnews.cgi access"
}
signature sid-1472 {
@@ -1947,7 +1947,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][oO][oO][kK]\.[cC][gG][iI]/
- msg "WEB-CGI book.cgi access"
+ event "WEB-CGI book.cgi access"
}
signature sid-1473 {
@@ -1957,7 +1957,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][nN][eE][wW][sS][dD][eE][sS][kK]\.[cC][gG][iI]/
- msg "WEB-CGI newsdesk.cgi access"
+ event "WEB-CGI newsdesk.cgi access"
}
signature sid-1704 {
@@ -1967,7 +1967,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][lL]_[mM][aA][kK][eE]\.[pP][lL]/
- msg "WEB-CGI cal_make.pl directory traversal attempt"
+ event "WEB-CGI cal_make.pl directory traversal attempt"
payload /.*[pP]0=\.\.\/\.\.\//
}
@@ -1978,7 +1978,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][lL]_[mM][aA][kK][eE]\.[pP][lL]/
- msg "WEB-CGI cal_make.pl access"
+ event "WEB-CGI cal_make.pl access"
}
signature sid-1475 {
@@ -1988,7 +1988,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][iI][lL][iI][tT]\.[pP][lL]/
- msg "WEB-CGI mailit.pl access"
+ event "WEB-CGI mailit.pl access"
}
signature sid-1476 {
@@ -1998,7 +1998,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][dD][bB][sS][eE][aA][rR][cC][hH]\.[cC][gG][iI]/
- msg "WEB-CGI sdbsearch.cgi access"
+ event "WEB-CGI sdbsearch.cgi access"
}
signature sid-1478 {
@@ -2008,7 +2008,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][wW][cC]/
- msg "WEB-CGI swc access"
+ event "WEB-CGI swc access"
}
signature sid-1479 {
@@ -2018,7 +2018,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][tT][aA][wW][eE][bB][tT][oO][pP]\.[cC][gG][iI]/
- msg "WEB-CGI ttawebtop.cgi attempt"
+ event "WEB-CGI ttawebtop.cgi attempt"
payload /.*[pP][gG]=\.\.\//
}
@@ -2029,7 +2029,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][tT][aA][wW][eE][bB][tT][oO][pP]\.[cC][gG][iI]/
- msg "WEB-CGI ttawebtop.cgi access"
+ event "WEB-CGI ttawebtop.cgi access"
}
signature sid-1481 {
@@ -2039,7 +2039,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][pP][lL][oO][aA][dD]\.[cC][gG][iI]/
- msg "WEB-CGI upload.cgi access"
+ event "WEB-CGI upload.cgi access"
}
signature sid-1482 {
@@ -2049,7 +2049,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][vV][iI][eE][wW]_[sS][oO][uU][rR][cC][eE]/
- msg "WEB-CGI view_source access"
+ event "WEB-CGI view_source access"
}
signature sid-1730 {
@@ -2059,7 +2059,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][sS][tT][oO][rR][eE][kK][eE][eE][pP][eE][rR]\.[pP][lL]/
- msg "WEB-CGI ustorekeeper.pl directory traversal attempt"
+ event "WEB-CGI ustorekeeper.pl directory traversal attempt"
payload /.*[fF][iI][lL][eE]=\.\.\/\.\.\//
}
@@ -2070,7 +2070,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][sS][tT][oO][rR][eE][kK][eE][eE][pP][eE][rR]\.[pP][lL]/
- msg "WEB-CGI ustorekeeper.pl access"
+ event "WEB-CGI ustorekeeper.pl access"
}
signature sid-1606 {
@@ -2080,7 +2080,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]icat/
- msg "WEB-CGI icat access"
+ event "WEB-CGI icat access"
}
signature sid-1617 {
@@ -2090,7 +2090,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]doeditvotes\.cgi/
- msg "WEB-CGI Bugzilla doeditvotes.cgi access"
+ event "WEB-CGI Bugzilla doeditvotes.cgi access"
}
signature sid-1600 {
@@ -2100,7 +2100,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][hH][tT][sS][eE][aA][rR][cC][hH]\?-[cC]/
- msg "WEB-CGI htsearch arbitrary configuration file attempt"
+ event "WEB-CGI htsearch arbitrary configuration file attempt"
}
signature sid-1601 {
@@ -2110,7 +2110,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][hH][tT][sS][eE][aA][rR][cC][hH]\?[eE][xX][cC][lL][uU][dD][eE]=`/
- msg "WEB-CGI htsearch arbitrary file read attempt"
+ event "WEB-CGI htsearch arbitrary file read attempt"
}
signature sid-1602 {
@@ -2120,7 +2120,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][hH][tT][sS][eE][aA][rR][cC][hH]/
- msg "WEB-CGI htsearch access"
+ event "WEB-CGI htsearch access"
}
signature sid-1501 {
@@ -2130,7 +2130,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]a1disp3\.cgi\?[\/\\]\.\.[\/\\]\.\.[\/\\]/
- msg "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
+ event "WEB-CGI a1stats a1disp3.cgi directory traversal attempt"
}
signature sid-1502 {
@@ -2140,7 +2140,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]a1disp3\.cgi/
- msg "WEB-CGI a1stats a1disp3.cgi access"
+ event "WEB-CGI a1stats a1disp3.cgi access"
}
signature sid-1731 {
@@ -2150,7 +2150,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]a1stats[\/\\]/
- msg "WEB-CGI a1stats access"
+ event "WEB-CGI a1stats access"
}
signature sid-1503 {
@@ -2160,7 +2160,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]admentor[\/\\]admin[\/\\]admin\.asp/
- msg "WEB-CGI admentor admin.asp access"
+ event "WEB-CGI admentor admin.asp access"
}
signature sid-1505 {
@@ -2170,7 +2170,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]PRN[\/\\]\.\.[\/\\]\.\.[\/\\]/
- msg "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
+ event "WEB-CGI alchemy http server PRN arbitrary command execution attempt"
}
signature sid-1506 {
@@ -2180,7 +2180,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]NUL[\/\\]\.\.[\/\\]\.\.[\/\\]/
- msg "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
+ event "WEB-CGI alchemy http server NUL arbitrary command execution attempt"
}
signature sid-1507 {
@@ -2190,7 +2190,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]alibaba\.pl\|/
- msg "WEB-CGI alibaba.pl arbitrary command execution attempt"
+ event "WEB-CGI alibaba.pl arbitrary command execution attempt"
}
signature sid-1508 {
@@ -2200,7 +2200,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]alibaba\.pl/
- msg "WEB-CGI alibaba.pl access"
+ event "WEB-CGI alibaba.pl access"
}
signature sid-1509 {
@@ -2210,7 +2210,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]query\?mss=\.\./
- msg "WEB-CGI AltaVista Intranet Search directory traversal attempt"
+ event "WEB-CGI AltaVista Intranet Search directory traversal attempt"
}
signature sid-1510 {
@@ -2220,7 +2220,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]test\.bat\|/
- msg "WEB-CGI test.bat arbitrary command execution attempt"
+ event "WEB-CGI test.bat arbitrary command execution attempt"
}
signature sid-1511 {
@@ -2230,7 +2230,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]test\.bat/
- msg "WEB-CGI test.bat access"
+ event "WEB-CGI test.bat access"
}
signature sid-1512 {
@@ -2240,7 +2240,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]input\.bat\|/
- msg "WEB-CGI input.bat arbitrary command execution attempt"
+ event "WEB-CGI input.bat arbitrary command execution attempt"
}
signature sid-1513 {
@@ -2250,7 +2250,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]input\.bat/
- msg "WEB-CGI input.bat access"
+ event "WEB-CGI input.bat access"
}
signature sid-1514 {
@@ -2260,7 +2260,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]input2\.bat\|/
- msg "WEB-CGI input2.bat arbitrary command execution attempt"
+ event "WEB-CGI input2.bat arbitrary command execution attempt"
}
signature sid-1515 {
@@ -2270,7 +2270,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]input2\.bat/
- msg "WEB-CGI input2.bat access"
+ event "WEB-CGI input2.bat access"
}
signature sid-1516 {
@@ -2280,7 +2280,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]envout\.bat\|/
- msg "WEB-CGI envout.bat arbitrary command execution attempt"
+ event "WEB-CGI envout.bat arbitrary command execution attempt"
}
signature sid-1517 {
@@ -2290,7 +2290,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]envout\.bat/
- msg "WEB-CGI envout.bat access"
+ event "WEB-CGI envout.bat access"
}
signature sid-1705 {
@@ -2300,7 +2300,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]echo\.bat/
- msg "WEB-CGI echo.bat arbitrary command execution attempt"
+ event "WEB-CGI echo.bat arbitrary command execution attempt"
payload /.*&/
}
@@ -2311,7 +2311,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]echo\.bat/
- msg "WEB-CGI echo.bat access"
+ event "WEB-CGI echo.bat access"
}
signature sid-1707 {
@@ -2321,7 +2321,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]hello\.bat/
- msg "WEB-CGI hello.bat arbitrary command execution attempt"
+ event "WEB-CGI hello.bat arbitrary command execution attempt"
payload /.*&/
}
@@ -2332,7 +2332,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]hello\.bat/
- msg "WEB-CGI hello.bat access"
+ event "WEB-CGI hello.bat access"
}
signature sid-1650 {
@@ -2342,7 +2342,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]tst\.bat/
- msg "WEB-CGI tst.bat access"
+ event "WEB-CGI tst.bat access"
}
signature sid-1539 {
@@ -2352,7 +2352,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI]-[bB][iI][nN][\/\\][lL][sS]/
- msg "WEB-CGI /cgi-bin/ls access"
+ event "WEB-CGI /cgi-bin/ls access"
}
signature sid-1542 {
@@ -2362,7 +2362,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI][mM][aA][iI][lL]/
- msg "WEB-CGI cgimail access"
+ event "WEB-CGI cgimail access"
}
signature sid-1543 {
@@ -2372,7 +2372,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI][wW][rR][aA][pP]/
- msg "WEB-CGI cgiwrap access"
+ event "WEB-CGI cgiwrap access"
}
signature sid-1547 {
@@ -2382,7 +2382,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]csSearch\.cgi/
- msg "WEB-CGI csSearch.cgi arbitrary command execution attempt"
+ event "WEB-CGI csSearch.cgi arbitrary command execution attempt"
payload /.*setup=print/
payload /.* `/
}
@@ -2394,7 +2394,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]csSearch\.cgi/
- msg "WEB-CGI csSearch.cgi access"
+ event "WEB-CGI csSearch.cgi access"
}
signature sid-1553 {
@@ -2404,7 +2404,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]cart[\/\\]cart\.cgi/
- msg "WEB-CGI /cart/cart.cgi access"
+ event "WEB-CGI /cart/cart.cgi access"
}
signature sid-1554 {
@@ -2414,7 +2414,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]dbman[\/\\]db\.cgi/
- msg "WEB-CGI dbman db.cgi access"
+ event "WEB-CGI dbman db.cgi access"
}
signature sid-1555 {
@@ -2424,7 +2424,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][cC][sS][hH][oO][pP]/
- msg "WEB-CGI DCShop access"
+ event "WEB-CGI DCShop access"
}
signature sid-1556 {
@@ -2434,7 +2434,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][oO][rR][dD][eE][rR][sS][\/\\][oO][rR][dD][eE][rR][sS]\.[tT][xX][tT]/
- msg "WEB-CGI DCShop orders.txt access"
+ event "WEB-CGI DCShop orders.txt access"
}
signature sid-1557 {
@@ -2444,7 +2444,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][uU][tT][hH]_[dD][aA][tT][aA][\/\\][aA][uU][tT][hH]_[uU][sS][eE][rR]_[fF][iI][lL][eE]\.[tT][xX][tT]/
- msg "WEB-CGI DCShop auth_user_file.txt access"
+ event "WEB-CGI DCShop auth_user_file.txt access"
}
signature sid-1565 {
@@ -2454,7 +2454,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][sS][hH][oO][pP]\.[pP][lL]\?[sS][eE][iI][tT][eE]=;/
- msg "WEB-CGI eshop.pl arbitrary commane execution attempt"
+ event "WEB-CGI eshop.pl arbitrary commane execution attempt"
}
signature sid-1566 {
@@ -2464,7 +2464,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][sS][hH][oO][pP]\.[pP][lL]/
- msg "WEB-CGI eshop.pl access"
+ event "WEB-CGI eshop.pl access"
}
signature sid-1569 {
@@ -2474,7 +2474,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][lL][oO][aA][dD][pP][aA][gG][eE]\.[cC][gG][iI]/
- msg "WEB-CGI loadpage.cgi directory traversal attempt"
+ event "WEB-CGI loadpage.cgi directory traversal attempt"
payload /.*[fF][iI][lL][eE]=\.\.\//
}
@@ -2485,7 +2485,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][lL][oO][aA][dD][pP][aA][gG][eE]\.[cC][gG][iI]/
- msg "WEB-CGI loadpage.cgi access"
+ event "WEB-CGI loadpage.cgi access"
}
signature sid-1590 {
@@ -2496,7 +2496,7 @@
tcp-state originator,established
http /.*[\/\\][fF][aA][qQ][mM][aA][nN][aA][gG][eE][rR]\.[cC][gG][iI]\?[tT][oO][cC]=/
http /.*%00/
- msg "WEB-CGI faqmanager.cgi arbitrary file access attempt"
+ event "WEB-CGI faqmanager.cgi arbitrary file access attempt"
}
signature sid-1591 {
@@ -2506,7 +2506,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][aA][qQ][mM][aA][nN][aA][gG][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI faqmanager.cgi access"
+ event "WEB-CGI faqmanager.cgi access"
}
signature sid-1592 {
@@ -2516,7 +2516,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][cC][gG][iI]-[bB][iI][nN][\/\\][eE][cC][hH][oO]\.[eE][xX][eE]/
- msg "WEB-CGI /fcgi-bin/echo.exe access"
+ event "WEB-CGI /fcgi-bin/echo.exe access"
}
signature sid-1628 {
@@ -2526,7 +2526,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][oO][rR][mM][hH][aA][nN][dD][lL][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
+ event "WEB-CGI FormHandler.cgi directory traversal attempt attempt"
payload /.*[rR][eE][pP][lL][yY]_[mM][eE][sS][sS][aA][gG][eE]_[aA][tT][tT][aA][cC][hH]=/
payload /.*\/\.\.\//
}
@@ -2538,7 +2538,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][oO][rR][mM][hH][aA][nN][dD][lL][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI FormHandler.cgi external site redirection attempt"
+ event "WEB-CGI FormHandler.cgi external site redirection attempt"
payload /.*[rR][eE][dD][iI][rR][eE][cC][tT]=[hH][tT][tT][pP]/
}
@@ -2549,7 +2549,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][oO][rR][mM][hH][aA][nN][dD][lL][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI FormHandler.cgi access"
+ event "WEB-CGI FormHandler.cgi access"
}
signature sid-1595 {
@@ -2559,7 +2559,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][hH][tT][iI][mM][aA][gG][eE]\.[eE][xX][eE]/
- msg "WEB-CGI htimage.exe access"
+ event "WEB-CGI htimage.exe access"
}
signature sid-1597 {
@@ -2569,7 +2569,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][gG][uU][eE][sS][tT][bB][oO][oO][kK]\.[cC][gG][iI]/
- msg "WEB-CGI guestbook.cgi access"
+ event "WEB-CGI guestbook.cgi access"
}
signature sid-1598 {
@@ -2579,7 +2579,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][aA][rR][cC][hH]\.[cC][gG][iI]/
- msg "WEB-CGI Home Free search.cgi directory traversal attempt"
+ event "WEB-CGI Home Free search.cgi directory traversal attempt"
payload /.*[lL][eE][tT][tT][eE][rR]=\.\.\/\.\./
}
@@ -2590,7 +2590,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][aA][rR][cC][hH]\.[cC][gG][iI]/
- msg "WEB-CGI search.cgi access"
+ event "WEB-CGI search.cgi access"
}
signature sid-1651 {
@@ -2600,7 +2600,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][nN][iI][vV][rR][oO][nN]\.[pP][lL]/
- msg "WEB-CGI enivorn.pl access"
+ event "WEB-CGI enivorn.pl access"
}
signature sid-1652 {
@@ -2610,7 +2610,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][mM][pP][uU][sS]\?%0[aA]/
- msg "WEB-CGI campus attempt"
+ event "WEB-CGI campus attempt"
}
signature sid-1653 {
@@ -2620,7 +2620,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][mM][pP][uU][sS]/
- msg "WEB-CGI campus access"
+ event "WEB-CGI campus access"
}
signature sid-1654 {
@@ -2630,7 +2630,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][rR][tT]32\.[eE][xX][eE]/
- msg "WEB-CGI cart32.exe access"
+ event "WEB-CGI cart32.exe access"
}
signature sid-1655 {
@@ -2640,7 +2640,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][fF][dD][iI][sS][pP][aA][lL][yY]\.[cC][gG][iI]\?'/
- msg "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
+ event "WEB-CGI pfdispaly.cgi arbitrary command execution attempt"
}
signature sid-1656 {
@@ -2650,7 +2650,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][fF][dD][iI][sS][pP][aA][lL][yY]\.[cC][gG][iI]/
- msg "WEB-CGI pfdispaly.cgi access"
+ event "WEB-CGI pfdispaly.cgi access"
}
signature sid-1657 {
@@ -2660,7 +2660,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][aA][gG][eE][lL][oO][gG]\.[cC][gG][iI]/
- msg "WEB-CGI pagelog.cgi directory traversal attempt"
+ event "WEB-CGI pagelog.cgi directory traversal attempt"
payload /.*[nN][aA][mM][eE]=\.\.\//
}
@@ -2671,7 +2671,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][aA][gG][eE][lL][oO][gG]\.[cC][gG][iI]/
- msg "WEB-CGI pagelog.cgi access"
+ event "WEB-CGI pagelog.cgi access"
}
signature sid-1709 {
@@ -2681,7 +2681,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD]\.[cC][gG][iI]/
- msg "WEB-CGI ad.cgi access"
+ event "WEB-CGI ad.cgi access"
}
signature sid-1710 {
@@ -2691,7 +2691,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB][sS]_[fF][oO][rR][uU][mM]\.[cC][gG][iI]/
- msg "WEB-CGI bbs_forum.cgi access"
+ event "WEB-CGI bbs_forum.cgi access"
}
signature sid-1711 {
@@ -2701,7 +2701,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][sS][gG][uU][eE][sS][tT]\.[cC][gG][iI]/
- msg "WEB-CGI bsguest.cgi access"
+ event "WEB-CGI bsguest.cgi access"
}
signature sid-1712 {
@@ -2711,7 +2711,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][sS][lL][iI][sS][tT]\.[cC][gG][iI]/
- msg "WEB-CGI bslist.cgi access"
+ event "WEB-CGI bslist.cgi access"
}
signature sid-1713 {
@@ -2721,7 +2721,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][fF][oO][rR][uU][mM]\.[cC][gG][iI]/
- msg "WEB-CGI cgforum.cgi access"
+ event "WEB-CGI cgforum.cgi access"
}
signature sid-1714 {
@@ -2731,7 +2731,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][nN][eE][wW][dD][eE][sS][kK]/
- msg "WEB-CGI newdesk access"
+ event "WEB-CGI newdesk access"
}
signature sid-1715 {
@@ -2741,7 +2741,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][eE][gG][iI][sS][tT][eE][rR]\.[cC][gG][iI]/
- msg "WEB-CGI register.cgi access"
+ event "WEB-CGI register.cgi access"
}
signature sid-1716 {
@@ -2751,7 +2751,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][gG][bB][oO][oO][kK]\.[cC][gG][iI]/
- msg "WEB-CGI gbook.cgi access"
+ event "WEB-CGI gbook.cgi access"
}
signature sid-1717 {
@@ -2761,7 +2761,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][iI][mM][pP][lL][eE][sS][tT][gG][uU][eE][sS][tT]\.[cC][gG][iI]/
- msg "WEB-CGI simplestguest.cgi access"
+ event "WEB-CGI simplestguest.cgi access"
}
signature sid-1718 {
@@ -2771,7 +2771,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][tT][aA][tT][uU][sS][cC][oO][nN][fF][iI][gG]\.[pP][lL]/
- msg "WEB-CGI statusconfig.pl access"
+ event "WEB-CGI statusconfig.pl access"
}
signature sid-1719 {
@@ -2781,7 +2781,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][aA][lL][kK][bB][aA][lL][kK]\.[cC][gG][iI]/
- msg "WEB-CGI talkback.cgi directory traversal attempt"
+ event "WEB-CGI talkback.cgi directory traversal attempt"
payload /.*[aA][rR][tT][iI][cC][lL][eE]=\.\.\/\.\.\//
}
@@ -2792,7 +2792,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][aA][lL][kK][bB][aA][lL][kK]\.[cC][gG][iI]/
- msg "WEB-CGI talkback.cgi access"
+ event "WEB-CGI talkback.cgi access"
}
signature sid-1721 {
@@ -2802,7 +2802,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][cC][yY][cC][lL][eE]/
- msg "WEB-CGI adcycle access"
+ event "WEB-CGI adcycle access"
}
signature sid-1722 {
@@ -2812,7 +2812,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][cC][hH][iI][nN][eE][iI][nN][fF][oO]/
- msg "WEB-CGI MachineInfo access"
+ event "WEB-CGI MachineInfo access"
}
signature sid-1723 {
@@ -2822,7 +2822,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][mM][uU][mM][aA][iI][lL]\.[cC][gG][iI]/
- msg "WEB-CGI emumail.cgi NULL attempt"
+ event "WEB-CGI emumail.cgi NULL attempt"
payload /.*[tT][yY][pP][eE]=/
payload /.*%00/
}
@@ -2834,7 +2834,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][mM][uU][mM][aA][iI][lL]\.[cC][gG][iI]/
- msg "WEB-CGI emumail.cgi access"
+ event "WEB-CGI emumail.cgi access"
}
signature sid-1642 {
@@ -2844,7 +2844,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]document\.d2w/
- msg "WEB-CGI document.d2w access"
+ event "WEB-CGI document.d2w access"
}
signature sid-1643 {
@@ -2854,7 +2854,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]db2www/
- msg "WEB-CGI db2www access"
+ event "WEB-CGI db2www access"
}
signature sid-1668 {
@@ -2864,7 +2864,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI]-[bB][iI][nN][\/\\]/
- msg "WEB-CGI /cgi-bin/ access"
+ event "WEB-CGI /cgi-bin/ access"
payload /.*\/[cC][gG][iI]-[bB][iI][nN]\/ [hH][tT][tT][pP]/
}
@@ -2875,7 +2875,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI]-[dD][oO][sS][\/\\]/
- msg "WEB-CGI /cgi-dos/ access"
+ event "WEB-CGI /cgi-dos/ access"
payload /.*\/[cC][gG][iI]-[dD][oO][sS]\/ [hH][tT][tT][pP]/
}
@@ -2886,7 +2886,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][eE][cC][hH][nN][oO][tT][eE][\/\\][mM][aA][iI][nN]\.[cC][gG][iI]/
- msg "WEB-CGI technote main.cgi file directory traversal attempt"
+ event "WEB-CGI technote main.cgi file directory traversal attempt"
payload /.*[fF][iI][lL][eE][nN][aA][mM][eE]=/
payload /.*\.\.\/\.\.\//
}
@@ -2898,7 +2898,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][eE][cC][hH][nN][oO][tT][eE][\/\\][pP][rR][iI][nN][tT]\.[cC][gG][iI]/
- msg "WEB-CGI technote print.cgi directory traversal attempt"
+ event "WEB-CGI technote print.cgi directory traversal attempt"
payload /.*[bB][oO][aA][rR][dD]=/
payload /.*\.\.\/\.\.\//
payload /.*%00/
@@ -2911,7 +2911,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][sS]\.[cC][gG][iI]/
- msg "WEB-CGI ads.cgi command execution attempt"
+ event "WEB-CGI ads.cgi command execution attempt"
payload /.*[fF][iI][lL][eE]=/
payload /.*\.\.\/\.\.\//
payload /.*\|/
@@ -2924,7 +2924,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]web_store\.cgi/
- msg "WEB-CGI eXtropia webstore directory traversal"
+ event "WEB-CGI eXtropia webstore directory traversal"
payload /.*page=\.\.\//
}
@@ -2935,7 +2935,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]web_store\.cgi/
- msg "WEB-CGI eXtropia webstore access"
+ event "WEB-CGI eXtropia webstore access"
}
signature sid-1089 {
@@ -2945,7 +2945,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]shop\.cgi/
- msg "WEB-CGI shopping cart directory traversal"
+ event "WEB-CGI shopping cart directory traversal"
payload /.*page=\.\.\//
}
@@ -2956,7 +2956,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]authenticate\.cgi\?PASSWORD/
- msg "WEB-CGI Allaire Pro Web Shell attempt"
+ event "WEB-CGI Allaire Pro Web Shell attempt"
payload /.*config\.ini/
}
@@ -2967,7 +2967,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]search\.cgi\?keys/
- msg "WEB-CGI Armada Style Master Index directory traversal"
+ event "WEB-CGI Armada Style Master Index directory traversal"
payload /.*catigory=\.\.\//
}
@@ -2978,7 +2978,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]cached_feed\.cgi/
- msg "WEB-CGI moreover shopping cart directory traversal"
+ event "WEB-CGI moreover shopping cart directory traversal"
payload /.*\.\.\//
}
@@ -2989,7 +2989,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]webplus\.cgi\?Script=[\/\\]webplus[\/\\]webping[\/\\]webping\.wml/
- msg "WEB-CGI Talentsoft Web+ exploit attempt"
+ event "WEB-CGI Talentsoft Web+ exploit attempt"
}
signature sid-1106 {
@@ -2999,7 +2999,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][oO][lL][lL][iI][tT][\/\\][pP][oO][lL][lL]_[iI][tT]_[sS][sS][iI]_[vV]2\.0\.[cC][gG][iI]/
- msg "WEB-CGI Poll-it access"
+ event "WEB-CGI Poll-it access"
}
signature sid-1149 {
@@ -3009,7 +3009,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][uU][nN][tT]\.[cC][gG][iI]/
- msg "WEB-MISC count.cgi access"
+ event "WEB-MISC count.cgi access"
}
signature sid-1163 {
@@ -3019,7 +3019,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][dD][iI][sS][tT]\.[cC][gG][iI]/
- msg "WEB-CGIwebdist.cgi access"
+ event "WEB-CGIwebdist.cgi access"
}
signature sid-1172 {
@@ -3029,7 +3029,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][gG][cC][oO][nN][fF]\.[cC][gG][iI]/
- msg "WEB-CGI bigconf.cgi access"
+ event "WEB-CGI bigconf.cgi access"
}
signature sid-1174 {
@@ -3039,7 +3039,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI]-[bB][iI][nN][\/\\][jJ][jJ]/
- msg "WEB-CGI /cgi-bin/jj access"
+ event "WEB-CGI /cgi-bin/jj access"
}
signature sid-1185 {
@@ -3049,7 +3049,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][zZ][dD][bB]1-[sS][eE][aA][rR][cC][hH]\.[cC][gG][iI]/
- msg "WEB-CGI bizdbsearch attempt"
+ event "WEB-CGI bizdbsearch attempt"
payload /.*[mM][aA][iI][lL]/
}
@@ -3060,7 +3060,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][iI][zZ][dD][bB]1-[sS][eE][aA][rR][cC][hH]\.[cC][gG][iI]/
- msg "WEB-CGI bizdbsearch access"
+ event "WEB-CGI bizdbsearch access"
}
signature sid-1194 {
@@ -3070,7 +3070,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][oO][jJ][oO][uU][rR][nN]\.[cC][gG][iI]\?[cC][aA][tT]=/
- msg "WEB-CGI sojourn.cgi File attempt"
+ event "WEB-CGI sojourn.cgi File attempt"
payload /.*%00/
}
@@ -3081,7 +3081,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][oO][jJ][oO][uU][rR][nN]\.[cC][gG][iI]/
- msg "WEB-CGI sojourn.cgi access"
+ event "WEB-CGI sojourn.cgi access"
}
signature sid-1196 {
@@ -3091,7 +3091,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][nN][fF][oO][sS][rR][cC][hH]\.[cC][gG][iI]\?/
- msg "WEB-CGI SGI InfoSearch fname attempt"
+ event "WEB-CGI SGI InfoSearch fname attempt"
payload /.*[fF][nN][aA][mM][eE]=/
}
@@ -3102,7 +3102,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]infosrch\.cgi/
- msg "WEB-CGI SGI InfoSearch fname access"
+ event "WEB-CGI SGI InfoSearch fname access"
}
signature sid-1204 {
@@ -3112,7 +3112,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]ax-admin\.cgi/
- msg "WEB-CGI ax-admin.cgi access"
+ event "WEB-CGI ax-admin.cgi access"
}
signature sid-1205 {
@@ -3122,7 +3122,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]axs\.cgi/
- msg "WEB-CGI axs.cgi access"
+ event "WEB-CGI axs.cgi access"
}
signature sid-1206 {
@@ -3132,7 +3132,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]cachemgr\.cgi/
- msg "WEB-CGI cachemgr.cgi access"
+ event "WEB-CGI cachemgr.cgi access"
}
signature sid-1208 {
@@ -3142,7 +3142,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]responder\.cgi/
- msg "WEB-CGI responder.cgi access"
+ event "WEB-CGI responder.cgi access"
}
signature sid-1211 {
@@ -3152,7 +3152,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]web-map\.cgi/
- msg "WEB-CGI web-map.cgi access"
+ event "WEB-CGI web-map.cgi access"
}
signature sid-1215 {
@@ -3162,7 +3162,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][iI][nN][iI][sS][tT][aA][tT][sS][\/\\][aA][dD][mM][iI][nN]\.[cC][gG][iI]/
- msg "WEB-CGI ministats admin access"
+ event "WEB-CGI ministats admin access"
}
signature sid-1219 {
@@ -3172,7 +3172,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][fF][iI][rR][eE]\.[cC][gG][iI]/
- msg "WEB-CGI dfire.cgi access"
+ event "WEB-CGI dfire.cgi access"
}
signature sid-1305 {
@@ -3182,7 +3182,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][xX][tT]2[hH][tT][mM][lL]\.[cC][gG][iI]/
- msg "WEB-CGI txt2html.cgi directory traversal attempt"
+ event "WEB-CGI txt2html.cgi directory traversal attempt"
payload /.*\/\.\.\/\.\.\/\.\.\/\.\.\//
}
@@ -3193,7 +3193,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][xX][tT]2[hH][tT][mM][lL]\.[cC][gG][iI]/
- msg "WEB-CGI txt2html.cgi access"
+ event "WEB-CGI txt2html.cgi access"
}
signature sid-1488 {
@@ -3203,7 +3203,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][tT][oO][rR][eE]\.[cC][gG][iI]/
- msg "WEB-CGI store.cgi directory traversal attempt"
+ event "WEB-CGI store.cgi directory traversal attempt"
payload /.*\.\.\//
}
@@ -3214,7 +3214,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][tT][oO][rR][eE]\.[cC][gG][iI]/
- msg "WEB-CGI store.cgi access"
+ event "WEB-CGI store.cgi access"
}
signature sid-1494 {
@@ -3224,7 +3224,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]generate\.cgi/
- msg "WEB-CGI SIX webboard generate.cgi attempt"
+ event "WEB-CGI SIX webboard generate.cgi attempt"
payload /.*content=\.\.\//
}
@@ -3235,7 +3235,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]generate\.cgi/
- msg "WEB-CGI SIX webboard generate.cgi access"
+ event "WEB-CGI SIX webboard generate.cgi access"
}
signature sid-1496 {
@@ -3245,7 +3245,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]spin_client\.cgi/
- msg "WEB-CGI spin_client.cgi access"
+ event "WEB-CGI spin_client.cgi access"
}
signature sid-903 {
@@ -3255,7 +3255,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][cC][aA][cC][hH][eE]\.[mM][aA][pP]/
- msg "WEB-COLDFUSION cfcache.map access"
+ event "WEB-COLDFUSION cfcache.map access"
}
signature sid-904 {
@@ -3265,7 +3265,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][aA][pP][pP][\/\\][eE][mM][aA][iI][lL][\/\\][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION exampleapp application.cfm"
+ event "WEB-COLDFUSION exampleapp application.cfm"
}
signature sid-905 {
@@ -3275,7 +3275,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][aA][pP][pP][\/\\][pP][uU][bB][lL][iI][sS][hH][\/\\][aA][dD][mM][iI][nN][\/\\][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION application.cfm access"
+ event "WEB-COLDFUSION application.cfm access"
}
signature sid-906 {
@@ -3285,7 +3285,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][aA][pP][pP][\/\\][eE][mM][aA][iI][lL][\/\\][gG][eE][tT][fF][iI][lL][eE]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION getfile.cfm access"
+ event "WEB-COLDFUSION getfile.cfm access"
}
signature sid-907 {
@@ -3295,7 +3295,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][aA][pP][pP][\/\\][pP][uU][bB][lL][iI][sS][hH][\/\\][aA][dD][mM][iI][nN][\/\\][aA][dD][dD][cC][oO][nN][tT][eE][nN][tT]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION addcontent.cfm access"
+ event "WEB-COLDFUSION addcontent.cfm access"
}
signature sid-908 {
@@ -3305,7 +3305,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][iI][dD][eE][\/\\][aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][\/\\][iI][nN][dD][eE][xX]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION administrator access"
+ event "WEB-COLDFUSION administrator access"
}
signature sid-909 {
@@ -3314,7 +3314,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION datasource username attempt"
+ event "WEB-COLDFUSION datasource username attempt"
payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][uU][sS][eE][rR][nN][aA][mM][eE]\(\)/
}
@@ -3325,7 +3325,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][sS][nN][iI][pP][pP][eE][tT][sS][\/\\][fF][iI][lL][eE][eE][xX][iI][sS][tT][sS]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION fileexists.cfm access"
+ event "WEB-COLDFUSION fileexists.cfm access"
}
signature sid-911 {
@@ -3335,7 +3335,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][pP][eE][vV][aA][lL][\/\\][eE][xX][pP][rR][cC][aA][lL][cC]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION exprcalc access"
+ event "WEB-COLDFUSION exprcalc access"
}
signature sid-912 {
@@ -3345,7 +3345,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][sS][\/\\][pP][aA][rR][kK][sS][\/\\][dD][eE][tT][aA][iI][lL]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION parks access"
+ event "WEB-COLDFUSION parks access"
}
signature sid-913 {
@@ -3355,7 +3355,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][aA][pP][pP][mM][aA][nN][\/\\][iI][nN][dD][eE][xX]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION cfappman access"
+ event "WEB-COLDFUSION cfappman access"
}
signature sid-914 {
@@ -3365,7 +3365,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][sS][\/\\][cC][vV][bB][eE][aA][nN][sS][\/\\][bB][eE][aA][nN][iI][nN][fF][oO]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION beaninfo access"
+ event "WEB-COLDFUSION beaninfo access"
}
signature sid-915 {
@@ -3375,7 +3375,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][sS][nN][iI][pP][pP][eE][tT][sS][\/\\][eE][vV][aA][lL][uU][aA][tT][eE]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION evaluate.cfm access"
+ event "WEB-COLDFUSION evaluate.cfm access"
}
signature sid-916 {
@@ -3384,7 +3384,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION getodbcdsn access"
+ event "WEB-COLDFUSION getodbcdsn access"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][dD][sS][nN]\(\)/
}
@@ -3394,7 +3394,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION db connections flush attempt"
+ event "WEB-COLDFUSION db connections flush attempt"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][bB][cC][oO][nN][nN][eE][cC][tT][iI][oO][nN][sS]_[fF][lL][uU][sS][hH]\(\)/
}
@@ -3405,7 +3405,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][pP][eE][vV][aA][lL][\/\\]/
- msg "WEB-COLDFUSION expeval access"
+ event "WEB-COLDFUSION expeval access"
}
signature sid-919 {
@@ -3414,7 +3414,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION datasource passwordattempt"
+ event "WEB-COLDFUSION datasource passwordattempt"
payload /.*[cC][fF]_[sS][eE][tT][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE][pP][aA][sS][sS][wW][oO][rR][dD]\(\)/
}
@@ -3424,7 +3424,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION datasource attempt"
+ event "WEB-COLDFUSION datasource attempt"
payload /.*[cC][fF]_[iI][sS][cC][oO][lL][dD][fF][uU][sS][iI][oO][nN][dD][aA][tT][aA][sS][oO][uU][rR][cC][eE]\(\)/
}
@@ -3434,7 +3434,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION admin encrypt attempt"
+ event "WEB-COLDFUSION admin encrypt attempt"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[eE][nN][cC][rR][yY][pP][tT]\(\)/
}
@@ -3445,7 +3445,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][pP][eE][vV][aA][lL][\/\\][dD][iI][sS][pP][lL][aA][yY][oO][pP][eE][nN][eE][dD][fF][iI][lL][eE]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION displayfile access"
+ event "WEB-COLDFUSION displayfile access"
}
signature sid-923 {
@@ -3454,7 +3454,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION getodbcin attempt"
+ event "WEB-COLDFUSION getodbcin attempt"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[gG][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
}
@@ -3464,7 +3464,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION admin decrypt attempt"
+ event "WEB-COLDFUSION admin decrypt attempt"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[dD][eE][cC][rR][yY][pP][tT]\(\)/
}
@@ -3475,7 +3475,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][sS][\/\\][mM][aA][iI][nN][fF][rR][aA][mM][eE][sS][eE][tT]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION mainframeset access"
+ event "WEB-COLDFUSION mainframeset access"
}
signature sid-926 {
@@ -3484,7 +3484,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION set odbc ini attempt"
+ event "WEB-COLDFUSION set odbc ini attempt"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][oO][dD][bB][cC][iI][nN][iI]\(\)/
}
@@ -3494,7 +3494,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION settings refresh attempt"
+ event "WEB-COLDFUSION settings refresh attempt"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[sS][eE][tT][tT][iI][nN][gG][sS]_[rR][eE][fF][rR][eE][sS][hH]\(\)/
}
@@ -3505,7 +3505,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][eE][xX][aA][mM][pP][lL][eE][aA][pP][pP][\/\\]/
- msg "WEB-COLDFUSION exampleapp access"
+ event "WEB-COLDFUSION exampleapp access"
}
signature sid-929 {
@@ -3514,7 +3514,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
+ event "WEB-COLDFUSION CFUSION_VERIFYMAIL access"
payload /.*[cC][fF][uU][sS][iI][oO][nN]_[vV][eE][rR][iI][fF][yY][mM][aA][iI][lL]\(\)/
}
@@ -3525,7 +3525,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][sS][nN][iI][pP][pP][eE][tT][sS][\/\\]/
- msg "WEB-COLDFUSION snippets attempt"
+ event "WEB-COLDFUSION snippets attempt"
}
signature sid-931 {
@@ -3535,7 +3535,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][cC][fF][mM][lL][sS][yY][nN][tT][aA][xX][cC][hH][eE][cC][kK]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
+ event "WEB-COLDFUSION cfmlsyntaxcheck.cfm access"
}
signature sid-932 {
@@ -3545,7 +3545,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][pP][pP][lL][iI][cC][aA][tT][iI][oO][nN]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION application.cfm access"
+ event "WEB-COLDFUSION application.cfm access"
}
signature sid-933 {
@@ -3555,7 +3555,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][oO][nN][rR][eE][qQ][uU][eE][sS][tT][eE][nN][dD]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION onrequestend.cfm access"
+ event "WEB-COLDFUSION onrequestend.cfm access"
}
signature sid-935 {
@@ -3565,7 +3565,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][iI][dD][eE][\/\\][aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][\/\\][sS][tT][aA][rR][tT][sS][tT][oO][pP]\.[hH][tT][mM][lL]/
- msg "WEB-COLDFUSION startstop DOS access"
+ event "WEB-COLDFUSION startstop DOS access"
}
signature sid-936 {
@@ -3575,7 +3575,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][dD][oO][cC][sS][\/\\][sS][nN][iI][pP][pP][eE][tT][sS][\/\\][gG][eE][tT][tT][eE][mM][pP][dD][iI][rR][eE][cC][tT][oO][rR][yY]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION gettempdirectory.cfm access "
+ event "WEB-COLDFUSION gettempdirectory.cfm access "
}
signature sid-1659 {
@@ -3585,7 +3585,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][nN][dD][mM][aA][iI][lL]\.[cC][fF][mM]/
- msg "WEB-COLDFUSION sendmail.cfm access"
+ event "WEB-COLDFUSION sendmail.cfm access"
}
signature sid-1248 {
@@ -3595,7 +3595,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][pP]30[rR][eE][gG]\.[dD][lL][lL]/
- msg "WEB-FRONTPAGE rad fp30reg.dll access"
+ event "WEB-FRONTPAGE rad fp30reg.dll access"
}
signature sid-1249 {
@@ -3605,7 +3605,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][pP]4[aA][rR][eE][gG]\.[dD][lL][lL]/
- msg "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
+ event "WEB-FRONTPAGE frontpage rad fp4areg.dll access"
}
signature sid-937 {
@@ -3615,7 +3615,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[rR][pP][cC]/
- msg "WEB-FRONTPAGE _vti_rpc access"
+ event "WEB-FRONTPAGE _vti_rpc access"
}
signature sid-939 {
@@ -3625,7 +3625,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][uU][tT][hH][oO][rR]\.[dD][lL][lL]/
- msg "WEB-FRONTPAGE posting"
+ event "WEB-FRONTPAGE posting"
payload /.*[pP][oO][sS][tT]/
}
@@ -3636,7 +3636,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[bB][iI][nN][\/\\][sS][hH][tT][mM][lL]\.[dD][lL][lL]/
- msg "WEB-FRONTPAGE shtml.dll access"
+ event "WEB-FRONTPAGE shtml.dll access"
}
signature sid-941 {
@@ -3646,7 +3646,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][cC][gG][iI][\/\\][cC][oO][nN][tT][eE][nN][tT][sS]\.[hH][tT][mM]/
- msg "WEB-FRONTPAGE contents.htm access"
+ event "WEB-FRONTPAGE contents.htm access"
}
signature sid-942 {
@@ -3656,7 +3656,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][oO][rR][dD][eE][rR][sS]\.[hH][tT][mM]/
- msg "WEB-FRONTPAGE orders.htm access"
+ event "WEB-FRONTPAGE orders.htm access"
}
signature sid-943 {
@@ -3666,7 +3666,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][pP][sS][rR][vV][aA][dD][mM]\.[eE][xX][eE]/
- msg "WEB-FRONTPAGE fpsrvadm.exe access"
+ event "WEB-FRONTPAGE fpsrvadm.exe access"
}
signature sid-944 {
@@ -3676,7 +3676,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][pP][rR][eE][mM][aA][dD][mM]\.[eE][xX][eE]/
- msg "WEB-FRONTPAGE fpremadm.exe access"
+ event "WEB-FRONTPAGE fpremadm.exe access"
}
signature sid-945 {
@@ -3686,7 +3686,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][sS][aA][pP][iI][\/\\][fF][pP][aA][dD][mM][iI][nN]\.[hH][tT][mM]/
- msg "WEB-FRONTPAGE fpadmin.htm access"
+ event "WEB-FRONTPAGE fpadmin.htm access"
}
signature sid-946 {
@@ -3696,7 +3696,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][fF][pP][aA][dD][mM][cC][gG][iI]\.[eE][xX][eE]/
- msg "WEB-FRONTPAGE fpadmcgi.exe access"
+ event "WEB-FRONTPAGE fpadmcgi.exe access"
}
signature sid-947 {
@@ -3706,7 +3706,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][oO][rR][dD][eE][rR][sS]\.[tT][xX][tT]/
- msg "WEB-FRONTPAGE orders.txt access"
+ event "WEB-FRONTPAGE orders.txt access"
}
signature sid-948 {
@@ -3716,7 +3716,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][fF][oO][rR][mM]_[rR][eE][sS][uU][lL][tT][sS]\.[tT][xX][tT]/
- msg "WEB-FRONTPAGE form_results access"
+ event "WEB-FRONTPAGE form_results access"
}
signature sid-949 {
@@ -3726,7 +3726,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][rR][eE][gG][iI][sS][tT][rR][aA][tT][iI][oO][nN][sS]\.[hH][tT][mM]/
- msg "WEB-FRONTPAGE registrations.htm access"
+ event "WEB-FRONTPAGE registrations.htm access"
}
signature sid-950 {
@@ -3736,7 +3736,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][fF][gG][wW][iI][zZ]\.[eE][xX][eE]/
- msg "WEB-FRONTPAGE cfgwiz.exe access"
+ event "WEB-FRONTPAGE cfgwiz.exe access"
}
signature sid-951 {
@@ -3746,7 +3746,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][uU][tT][hH][oO][rR][sS]\.[pP][wW][dD]/
- msg "WEB-FRONTPAGE authors.pwd access"
+ event "WEB-FRONTPAGE authors.pwd access"
}
signature sid-952 {
@@ -3756,7 +3756,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[bB][iI][nN][\/\\]_[vV][tT][iI]_[aA][uU][tT][\/\\][aA][uU][tT][hH][oO][rR]\.[eE][xX][eE]/
- msg "WEB-FRONTPAGE author.exe access"
+ event "WEB-FRONTPAGE author.exe access"
}
signature sid-953 {
@@ -3766,7 +3766,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN][iI][sS][tT][rR][aA][tT][oO][rR][sS]\.[pP][wW][dD]/
- msg "WEB-FRONTPAGE administrators.pwd access"
+ event "WEB-FRONTPAGE administrators.pwd access"
}
signature sid-954 {
@@ -3776,7 +3776,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][fF][oO][rR][mM]_[rR][eE][sS][uU][lL][tT][sS]\.[hH][tT][mM]/
- msg "WEB-FRONTPAGE form_results.htm access"
+ event "WEB-FRONTPAGE form_results.htm access"
}
signature sid-955 {
@@ -3786,7 +3786,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[pP][vV][tT][\/\\][aA][cC][cC][eE][sS][sS]\.[cC][nN][fF]/
- msg "WEB-FRONTPAGE access.cnf access"
+ event "WEB-FRONTPAGE access.cnf access"
}
signature sid-956 {
@@ -3796,7 +3796,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][rR][eE][gG][iI][sS][tT][eE][rR]\.[tT][xX][tT]/
- msg "WEB-FRONTPAGE register.txt access"
+ event "WEB-FRONTPAGE register.txt access"
}
signature sid-957 {
@@ -3806,7 +3806,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][rR][eE][gG][iI][sS][tT][rR][aA][tT][iI][oO][nN][sS]\.[tT][xX][tT]/
- msg "WEB-FRONTPAGE registrations.txt access"
+ event "WEB-FRONTPAGE registrations.txt access"
}
signature sid-958 {
@@ -3816,7 +3816,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[pP][vV][tT][\/\\][sS][eE][rR][vV][iI][cC][eE]\.[cC][nN][fF]/
- msg "WEB-FRONTPAGE service.cnf access"
+ event "WEB-FRONTPAGE service.cnf access"
}
signature sid-959 {
@@ -3826,7 +3826,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][rR][vV][iI][cC][eE]\.[pP][wW][dD]/
- msg "WEB-FRONTPAGE service.pwd"
+ event "WEB-FRONTPAGE service.pwd"
}
signature sid-960 {
@@ -3836,7 +3836,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[pP][vV][tT][\/\\][sS][eE][rR][vV][iI][cC][eE]\.[sS][tT][pP]/
- msg "WEB-FRONTPAGE service.stp access"
+ event "WEB-FRONTPAGE service.stp access"
}
signature sid-961 {
@@ -3846,7 +3846,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[pP][vV][tT][\/\\][sS][eE][rR][vV][iI][cC][eE][sS]\.[cC][nN][fF]/
- msg "WEB-FRONTPAGE services.cnf access"
+ event "WEB-FRONTPAGE services.cnf access"
}
signature sid-962 {
@@ -3856,7 +3856,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[bB][iI][nN][\/\\][sS][hH][tT][mM][lL]\.[eE][xX][eE]/
- msg "WEB-FRONTPAGE shtml.exe access"
+ event "WEB-FRONTPAGE shtml.exe access"
}
signature sid-963 {
@@ -3866,7 +3866,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[pP][vV][tT][\/\\][sS][vV][cC][aA][cC][lL]\.[cC][nN][fF]/
- msg "WEB-FRONTPAGE svcacl.cnf access"
+ event "WEB-FRONTPAGE svcacl.cnf access"
}
signature sid-964 {
@@ -3876,7 +3876,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][sS][eE][rR][sS]\.[pP][wW][dD]/
- msg "WEB-FRONTPAGE users.pwd access"
+ event "WEB-FRONTPAGE users.pwd access"
}
signature sid-965 {
@@ -3886,7 +3886,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[pP][vV][tT][\/\\][wW][rR][iI][tT][eE][tT][oO]\.[cC][nN][fF]/
- msg "WEB-FRONTPAGE writeto.cnf access"
+ event "WEB-FRONTPAGE writeto.cnf access"
}
signature sid-966 {
@@ -3895,7 +3895,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-FRONTPAGE fourdots request"
+ event "WEB-FRONTPAGE fourdots request"
payload /.*\x2e\x2e\x2e\x2e\x2f/
}
@@ -3906,7 +3906,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][vV][wW][sS][sS][rR]\.[dD][lL][lL]/
- msg "WEB-FRONTPAGE dvwssr.dll access"
+ event "WEB-FRONTPAGE dvwssr.dll access"
}
signature sid-968 {
@@ -3916,7 +3916,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[pP][rR][iI][vV][aA][tT][eE][\/\\][rR][eE][gG][iI][sS][tT][eE][rR]\.[hH][tT][mM]/
- msg "WEB-FRONTPAGE register.htm access"
+ event "WEB-FRONTPAGE register.htm access"
}
signature sid-1288 {
@@ -3926,7 +3926,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[vV][tT][iI]_[bB][iI][nN][\/\\]/
- msg "WEB-FRONTPAGE /_vti_bin/ access"
+ event "WEB-FRONTPAGE /_vti_bin/ access"
}
signature sid-1660 {
@@ -3936,7 +3936,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][tT][rR][aA][cC][eE]\.[aA][xX][dD]/
- msg "WEB-IIS trace.axd access"
+ event "WEB-IIS trace.axd access"
}
signature sid-1484 {
@@ -3946,7 +3946,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][sS][aA][pP][iI][\/\\][tT][sS][tT][iI][sS][aA][pP][iI]\.[dD][lL][lL]/
- msg "WEB-IIS /isapi/tstisapi.dll access"
+ event "WEB-IIS /isapi/tstisapi.dll access"
}
signature sid-1485 {
@@ -3956,7 +3956,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][kK][iI][lL][oO][gG]\.[eE][xX][eE]/
- msg "WEB-IIS mkilog.exe access"
+ event "WEB-IIS mkilog.exe access"
}
signature sid-1486 {
@@ -3966,7 +3966,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][tT][sS][sS]\.[iI][dD][cC]/
- msg "WEB-IIS ctss.idc access"
+ event "WEB-IIS ctss.idc access"
}
signature sid-1487 {
@@ -3976,7 +3976,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]iisadmpwd[\/\\]aexp2\.htr/
- msg "WEB-IIS /iisadmpwd/aexp2.htr access"
+ event "WEB-IIS /iisadmpwd/aexp2.htr access"
}
signature sid-971 {
@@ -3986,7 +3986,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[pP][rR][iI][nN][tT][eE][rR]/
- msg "WEB-IIS ISAPI .printer access"
+ event "WEB-IIS ISAPI .printer access"
}
signature sid-1242 {
@@ -3996,7 +3996,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[iI][dD][aA]/
- msg "WEB-IIS ISAPI .ida access"
+ event "WEB-IIS ISAPI .ida access"
}
signature sid-1245 {
@@ -4006,7 +4006,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[iI][dD][qQ]/
- msg "WEB-IIS ISAPI .idq access"
+ event "WEB-IIS ISAPI .idq access"
}
signature sid-972 {
@@ -4016,7 +4016,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*%2[eE]\.[aA][sS][pP]/
- msg "WEB-IIS %2E-asp access"
+ event "WEB-IIS %2E-asp access"
}
signature sid-973 {
@@ -4026,7 +4026,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]\*\.[iI][dD][cC]/
- msg "WEB-IIS *.idc attempt"
+ event "WEB-IIS *.idc attempt"
}
signature sid-974 {
@@ -4035,7 +4035,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS .... access"
+ event "WEB-IIS .... access"
payload /.*\x2e\x2e\x5c\x2e\x2e/
}
@@ -4046,7 +4046,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[aA][sS][pP]\x3a\x3a\$[dD][aA][tT][aA]/
- msg "WEB-IIS .asp::$DATA access"
+ event "WEB-IIS .asp::$DATA access"
}
signature sid-976 {
@@ -4056,7 +4056,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[bB][aA][tT]\?/
- msg "WEB-IIS .bat? access"
+ event "WEB-IIS .bat? access"
}
signature sid-977 {
@@ -4066,7 +4066,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[cC][nN][fF]/
- msg "WEB-IIS .cnf access"
+ event "WEB-IIS .cnf access"
}
signature sid-978 {
@@ -4075,7 +4075,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS ASP contents view"
+ event "WEB-IIS ASP contents view"
payload /.*%20/
payload /.*&[cC][iI][rR][eE][sS][tT][rR][iI][cC][tT][iI][oO][nN]=[nN][oO][nN][eE]/
payload /.*&[cC][iI][hH][iI][lL][iI][tT][eE][tT][yY][pP][eE]=[fF][uU][lL][lL]/
@@ -4088,7 +4088,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.htw\?CiWebHitsFile/
- msg "WEB-IIS ASP contents view"
+ event "WEB-IIS ASP contents view"
}
signature sid-980 {
@@ -4098,7 +4098,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][cC][gG][iI][mM][aA][iI][lL]\.[eE][xX][eE]/
- msg "WEB-IIS CGImail.exe access"
+ event "WEB-IIS CGImail.exe access"
}
signature sid-981 {
@@ -4108,7 +4108,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\]\.\.%[cC]0%[aA][fF]\.\.[\/\\]/
- msg "WEB-IIS File permission canonicalization"
+ event "WEB-IIS File permission canonicalization"
}
signature sid-982 {
@@ -4118,7 +4118,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\]\.\.%[cC]1%1[cC]\.\.[\/\\]/
- msg "WEB-IIS File permission canonicalization"
+ event "WEB-IIS File permission canonicalization"
}
signature sid-983 {
@@ -4128,7 +4128,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\]\.\.%[cC]1%9[cC]\.\.[\/\\]/
- msg "WEB-IIS File permission canonicalization"
+ event "WEB-IIS File permission canonicalization"
}
signature sid-986 {
@@ -4138,7 +4138,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][pP][rR][oO][xX][yY][\/\\][wW]3[pP][rR][oO][xX][yY]\.[dD][lL][lL]/
- msg "WEB-IIS MSProxy access"
+ event "WEB-IIS MSProxy access"
}
signature sid-1725 {
@@ -4148,7 +4148,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\+\.[hH][tT][rR]/
- msg "WEB-IIS +.htr code fragment attempt"
+ event "WEB-IIS +.htr code fragment attempt"
}
signature sid-987 {
@@ -4158,7 +4158,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[hH][tT][rR]/
- msg "WEB-IIS .htr access"
+ event "WEB-IIS .htr access"
}
signature sid-988 {
@@ -4167,7 +4167,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS SAM Attempt"
+ event "WEB-IIS SAM Attempt"
payload /.*[sS][aA][mM]\._/
}
@@ -4178,7 +4178,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][nN][sS][eE][pP][oO][sS][tT]\.[eE][xX][eE]/
- msg "WEB-IIS Unicode2.pl script (File permission canonicalization)"
+ event "WEB-IIS Unicode2.pl script (File permission canonicalization)"
}
signature sid-990 {
@@ -4188,7 +4188,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*_[vV][tT][iI]_[iI][nN][fF]\.[hH][tT][mM][lL]/
- msg "WEB-IIS _vti_inf access"
+ event "WEB-IIS _vti_inf access"
}
signature sid-991 {
@@ -4198,7 +4198,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][iI][sS][aA][dD][mM][pP][wW][dD][\/\\][aA][cC][hH][gG]\.[hH][tT][rR]/
- msg "WEB-IIS achg.htr access"
+ event "WEB-IIS achg.htr access"
}
signature sid-994 {
@@ -4208,7 +4208,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][iI][iI][sS][aA][dD][mM][iI][nN][\/\\][dD][eE][fF][aA][uU][lL][tT]\.[hH][tT][mM]/
- msg "WEB-IIS /scripts/iisadmin/default.htm access"
+ event "WEB-IIS /scripts/iisadmin/default.htm access"
}
signature sid-995 {
@@ -4218,7 +4218,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][iI][iI][sS][aA][dD][mM][iI][nN][\/\\][iI][sS][mM]\.[dD][lL][lL]\?[hH][tT][tT][pP][\/\\][dD][iI][rR]/
- msg "WEB-IIS ism.dll access"
+ event "WEB-IIS ism.dll access"
}
signature sid-996 {
@@ -4228,7 +4228,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][iI][sS][aA][dD][mM][pP][wW][dD][\/\\][aA][nN][oO][tT]/
- msg "WEB-IIS anot.htr access"
+ event "WEB-IIS anot.htr access"
}
signature sid-997 {
@@ -4238,7 +4238,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[aA][sS][pP]\./
- msg "WEB-IIS asp-dot attempt"
+ event "WEB-IIS asp-dot attempt"
}
signature sid-998 {
@@ -4248,7 +4248,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[aA][sS][pP]/
- msg "WEB-IIS asp-srch attempt"
+ event "WEB-IIS asp-srch attempt"
}
signature sid-1000 {
@@ -4258,7 +4258,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][dD][iI][rR]\.[hH][tT][rR]/
- msg "WEB-IIS bdir.htr access"
+ event "WEB-IIS bdir.htr access"
}
signature sid-1661 {
@@ -4267,7 +4267,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS cmd32.exe access"
+ event "WEB-IIS cmd32.exe access"
payload /.*[cC][mM][dD]32\.[eE][xX][eE]/
}
@@ -4277,7 +4277,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS cmd.exe access"
+ event "WEB-IIS cmd.exe access"
payload /.*[cC][mM][dD]\.[eE][xX][eE]/
}
@@ -4287,7 +4287,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS cmd? access"
+ event "WEB-IIS cmd? access"
payload /.*\.[cC][mM][dD]\?&/
}
@@ -4298,7 +4298,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][oO][rR][mM]_[jJ][sS][cC][rR][iI][pP][tT]\.[aA][sS][pP]/
- msg "WEB-IIS cross-site scripting attempt"
+ event "WEB-IIS cross-site scripting attempt"
}
signature sid-1380 {
@@ -4308,7 +4308,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][oO][rR][mM]_[vV][bB][sS][cC][rR][iI][pP][tT]\.[aA][sS][pP]/
- msg "WEB-IIS cross-site scripting attempt"
+ event "WEB-IIS cross-site scripting attempt"
}
signature sid-1008 {
@@ -4317,7 +4317,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS del attempt"
+ event "WEB-IIS del attempt"
payload /.*&[dD][eE][lL]\+\/[sS]\+[cC]\x3a\\\*\.\*/
}
@@ -4328,7 +4328,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][rR][vV][eE][rR][vV][aA][rR][iI][aA][bB][lL][eE][sS]_[jJ][sS][cC][rR][iI][pP][tT]\.[aA][sS][pP]/
- msg "WEB-IIS directory listing"
+ event "WEB-IIS directory listing"
}
signature sid-1010 {
@@ -4337,7 +4337,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS encoding access"
+ event "WEB-IIS encoding access"
payload /.*\x25\x31\x75/
}
@@ -4347,7 +4347,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS exec-src access"
+ event "WEB-IIS exec-src access"
payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[eE][xX][eE]/
}
@@ -4358,7 +4358,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][pP][cC][oO][uU][nN][tT]\.[eE][xX][eE]/
- msg "WEB-IIS fpcount attempt"
+ event "WEB-IIS fpcount attempt"
payload /.*[dD][iI][gG][iI][tT][sS]=/
}
@@ -4369,7 +4369,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][pP][cC][oO][uU][nN][tT]\.[eE][xX][eE]/
- msg "WEB-IIS fpcount access"
+ event "WEB-IIS fpcount access"
}
signature sid-1015 {
@@ -4379,7 +4379,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][tT][oO][oO][lL][sS][\/\\][gG][eE][tT][dD][rR][vV][sS]\.[eE][xX][eE]/
- msg "WEB-IIS getdrvs.exe access"
+ event "WEB-IIS getdrvs.exe access"
}
signature sid-1016 {
@@ -4388,7 +4388,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS global-asa access"
+ event "WEB-IIS global-asa access"
payload /.*[gG][lL][oO][bB][aA][lL]\.[aA][sS][aA]/
}
@@ -4398,7 +4398,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS idc-srch attempt"
+ event "WEB-IIS idc-srch attempt"
payload /.*#[fF][iI][lL][eE][nN][aA][mM][eE]=\*\.[iI][dD][cC]/
}
@@ -4409,7 +4409,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][iI][sS][aA][dD][mM][pP][wW][dD][\/\\][aA][eE][xX][pP]/
- msg "WEB-IIS iisadmpwd attempt"
+ event "WEB-IIS iisadmpwd attempt"
}
signature sid-1019 {
@@ -4418,7 +4418,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS index server file sourcecode attempt"
+ event "WEB-IIS index server file sourcecode attempt"
payload /.*\?CiWebHitsFile=\//
payload /.*&CiRestriction=none&CiHiliteType=Full/
}
@@ -4429,7 +4429,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS isc$data attempt"
+ event "WEB-IIS isc$data attempt"
payload /.*\.[iI][dD][cC]\x3a\x3a\$[dD][aA][tT][aA]/
}
@@ -4439,7 +4439,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS ism.dll attempt"
+ event "WEB-IIS ism.dll attempt"
payload /.*%20%20%20%20%20\.[hH][tT][rR]/
}
@@ -4450,7 +4450,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][vV][wW][oO][rR][kK][sS][\/\\][eE][qQ][uU][iI][pP][mM][eE][nN][tT][\/\\][cC][aA][tT][aA][lL][oO][gG]_[tT][yY][pP][eE]\.[aA][sS][pP]/
- msg "WEB-IIS jet vba access"
+ event "WEB-IIS jet vba access"
}
signature sid-1023 {
@@ -4460,7 +4460,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][sS][aA][dD][cC][\/\\][mM][sS][aA][dD][cC][sS]\.[dD][lL][lL]/
- msg "WEB-IIS msadc/msadcs.dll access"
+ event "WEB-IIS msadc/msadcs.dll access"
}
signature sid-1024 {
@@ -4470,7 +4470,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][tT][oO][oO][lL][sS][\/\\][nN][eE][wW][dD][sS][nN]\.[eE][xX][eE]/
- msg "WEB-IIS newdsn.exe access"
+ event "WEB-IIS newdsn.exe access"
}
signature sid-1025 {
@@ -4480,7 +4480,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][pP][eE][rR][lL]/
- msg "WEB-IIS perl access"
+ event "WEB-IIS perl access"
}
signature sid-1026 {
@@ -4489,7 +4489,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS perl-browse0a attempt"
+ event "WEB-IIS perl-browse0a attempt"
payload /.*%0[aA]\.[pP][lL]/
}
@@ -4499,7 +4499,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS perl-browse20 attempt"
+ event "WEB-IIS perl-browse20 attempt"
payload /.*%20\.[pP][lL]/
}
@@ -4510,7 +4510,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\]\x20/
- msg "WEB-IIS scripts-browse access"
+ event "WEB-IIS scripts-browse access"
}
signature sid-1030 {
@@ -4520,7 +4520,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]search97\.vts/
- msg "WEB-IIS search97.vts access"
+ event "WEB-IIS search97.vts access"
}
signature sid-1038 {
@@ -4530,7 +4530,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][sS][aA][mM][pP][lL][eE][sS][\/\\][cC][oO][nN][fF][iI][gG][\/\\][sS][iI][tT][eE]\.[cC][sS][cC]/
- msg "WEB-IIS site server config access"
+ event "WEB-IIS site server config access"
}
signature sid-1039 {
@@ -4540,7 +4540,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][aA][mM][pP][lL][eE][sS][\/\\][iI][sS][aA][pP][iI][\/\\][sS][rR][cC][hH]\.[hH][tT][mM]/
- msg "WEB-IIS srch.htm access"
+ event "WEB-IIS srch.htm access"
}
signature sid-1040 {
@@ -4550,7 +4550,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][rR][cC][hH][aA][dD][mM]/
- msg "WEB-IIS srchadm access"
+ event "WEB-IIS srchadm access"
}
signature sid-1041 {
@@ -4560,7 +4560,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][uU][pP][lL][oO][aA][dD][nN]\.[aA][sS][pP]/
- msg "WEB-IIS uploadn.asp access"
+ event "WEB-IIS uploadn.asp access"
}
signature sid-1042 {
@@ -4569,7 +4569,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-IIS view source via translate header"
+ event "WEB-IIS view source via translate header"
payload /.*[tT][rR][aA][nN][sS][lL][aA][tT][eE]\x3a [fF]/
}
@@ -4580,7 +4580,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*doctodep\.btr/
- msg "WEB-IIS doctodep.btr access"
+ event "WEB-IIS doctodep.btr access"
}
signature sid-1046 {
@@ -4590,7 +4590,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][iI][tT][eE][\/\\][iI][iI][sS][aA][mM][pP][lL][eE][sS]/
- msg "WEB-IIS site/iisamples access"
+ event "WEB-IIS site/iisamples access"
}
signature sid-1256 {
@@ -4600,7 +4600,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[sS][cC][rR][iI][pP][tT][sS][\/\\][rR][oO][oO][tT]\.[eE][xX][eE]\?/
- msg "WEB-IIS CodeRed v2 root.exe access"
+ event "WEB-IIS CodeRed v2 root.exe access"
}
signature sid-1283 {
@@ -4610,7 +4610,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][xX][cC][hH][aA][nN][gG][eE][\/\\][lL][oO][gG][oO][nN][fF][rR][mM]\.[aA][sS][pP]\?/
- msg "WEB-IIS outlook web dos"
+ event "WEB-IIS outlook web dos"
payload /.*[mM][aA][iI][lL][bB][oO][xX]=/
payload /.*\x25\x25\x25/
}
@@ -4622,7 +4622,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][sS][aA][mM][pP][lL][eE][sS][\/\\]/
- msg "WEB-IIS /scripts/samples/ access"
+ event "WEB-IIS /scripts/samples/ access"
}
signature sid-1401 {
@@ -4632,7 +4632,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][sS][aA][dD][cC][\/\\][sS][aA][mM][pP][lL][eE][sS][\/\\]/
- msg "WEB-IIS /msadc/samples/ access"
+ event "WEB-IIS /msadc/samples/ access"
}
signature sid-1402 {
@@ -4642,7 +4642,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][iI][sS][sS][aA][mM][pP][lL][eE][sS][\/\\]/
- msg "WEB-IIS iissamples access"
+ event "WEB-IIS iissamples access"
}
signature sid-970 {
@@ -4653,7 +4653,7 @@
tcp-state originator,established
http /.*%5c/
http /.*\.\./
- msg "WEB-IIS multiple decode attempt"
+ event "WEB-IIS multiple decode attempt"
}
signature sid-993 {
@@ -4663,7 +4663,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][iI][sS][aA][dD][mM][iI][nN]/
- msg "WEB-IIS iisadmin access"
+ event "WEB-IIS iisadmin access"
}
signature sid-1285 {
@@ -4673,7 +4673,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][sS][dD][aA][cC][\/\\]/
- msg "WEB-IIS msdac access"
+ event "WEB-IIS msdac access"
}
signature sid-1286 {
@@ -4683,7 +4683,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]_[mM][eE][mM]_[bB][iI][nN][\/\\]/
- msg "WEB-IIS _mem_bin access"
+ event "WEB-IIS _mem_bin access"
}
signature sid-1287 {
@@ -4693,7 +4693,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\]/
- msg "WEB-IIS scripts access"
+ event "WEB-IIS scripts access"
}
signature sid-1054 {
@@ -4703,7 +4703,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.js%70/
- msg "WEB-MISC weblogic view source attempt"
+ event "WEB-MISC weblogic view source attempt"
}
signature sid-1055 {
@@ -4713,7 +4713,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*%00\.jsp/
- msg "WEB-MISC tomcat directory traversal attempt"
+ event "WEB-MISC tomcat directory traversal attempt"
}
signature sid-1056 {
@@ -4723,7 +4723,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*%252ejsp/
- msg "WEB-MISC tomcat view source attempt"
+ event "WEB-MISC tomcat view source attempt"
}
signature sid-1057 {
@@ -4732,7 +4732,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC ftp attempt"
+ event "WEB-MISC ftp attempt"
payload /.*[fF][tT][pP]\.[eE][xX][eE]/
}
@@ -4742,7 +4742,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC enumdsn attempt"
+ event "WEB-MISC enumdsn attempt"
payload /.*[xX][pP]_[eE][nN][uU][mM][dD][sS][nN]/
}
@@ -4752,7 +4752,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC filelist attempt"
+ event "WEB-MISC filelist attempt"
payload /.*[xX][pP]_[fF][iI][lL][eE][lL][iI][sS][tT]/
}
@@ -4762,7 +4762,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC availablemedia attempt"
+ event "WEB-MISC availablemedia attempt"
payload /.*[xX][pP]_[aA][vV][aA][iI][lL][aA][bB][lL][eE][mM][eE][dD][iI][aA]/
}
@@ -4772,7 +4772,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC cmdshell attempt"
+ event "WEB-MISC cmdshell attempt"
payload /.*[xX][pP]_[cC][mM][dD][sS][hH][eE][lL][lL]/
}
@@ -4782,7 +4782,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC nc.exe attempt"
+ event "WEB-MISC nc.exe attempt"
payload /.*[nN][cC]\.[eE][xX][eE]/
}
@@ -4792,7 +4792,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC wsh attempt"
+ event "WEB-MISC wsh attempt"
payload /.*[wW][sS][hH]\.[eE][xX][eE]/
}
@@ -4802,7 +4802,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC rcmd attempt"
+ event "WEB-MISC rcmd attempt"
payload /.*[rR][cC][mM][dD]\.[eE][xX][eE]/
}
@@ -4812,7 +4812,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC telnet attempt"
+ event "WEB-MISC telnet attempt"
payload /.*[tT][eE][lL][nN][eE][tT]\.[eE][xX][eE]/
}
@@ -4822,7 +4822,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC net attempt"
+ event "WEB-MISC net attempt"
payload /.*[nN][eE][tT]\.[eE][xX][eE]/
}
@@ -4832,7 +4832,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC tftp attempt"
+ event "WEB-MISC tftp attempt"
payload /.*[tT][fF][tT][pP]\.[eE][xX][eE]/
}
@@ -4842,7 +4842,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC regread attempt"
+ event "WEB-MISC regread attempt"
payload /.*[xX][pP]_[rR][eE][gG][rR][eE][aA][dD]/
}
@@ -4852,7 +4852,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC .htpasswd access"
+ event "WEB-MISC .htpasswd access"
payload /.*\.[hH][tT][pP][aA][sS][sS][wW][dD]/
}
@@ -4864,7 +4864,7 @@
tcp-state originator,established
http /.*\.[nN][sS][fF][\/\\]/
http /.*\.\.[\/\\]/
- msg "WEB-MISC Lotus Domino directory traversal"
+ event "WEB-MISC Lotus Domino directory traversal"
}
signature sid-1075 {
@@ -4874,7 +4874,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][pP][oO][sS][tT][iI][nN][fF][oO]\.[aA][sS][pP]/
- msg "WEB-MISC postinfo.asp access"
+ event "WEB-MISC postinfo.asp access"
}
signature sid-1076 {
@@ -4884,7 +4884,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][rR][eE][pP][oO][sS][tT]\.[aA][sS][pP]/
- msg "WEB-MISC repost.asp access"
+ event "WEB-MISC repost.asp access"
}
signature sid-1077 {
@@ -4894,7 +4894,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][aA][mM][pP][lL][eE][sS][\/\\][sS][eE][aA][rR][cC][hH][\/\\][qQ][uU][eE][rR][yY][hH][iI][tT]\.[hH][tT][mM]/
- msg "WEB-MISC queryhit.htm access"
+ event "WEB-MISC queryhit.htm access"
}
signature sid-1078 {
@@ -4904,7 +4904,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][cC][oO][uU][nN][tT][eE][rR]\.[eE][xX][eE]/
- msg "WEB-MISC counter.exe access"
+ event "WEB-MISC counter.exe access"
}
signature sid-1079 {
@@ -4913,7 +4913,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC webdav propfind access"
+ event "WEB-MISC webdav propfind access"
payload /.*<[aA]:[pP][rR][oO][pP][fF][iI][nN][dD]/
payload /.*[xX][mM][lL][nN][sS]:[aA]=\"[dD][aA][vV]\">/
}
@@ -4925,7 +4925,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][rR][vV][lL][eE][tT][\/\\][cC][oO][mM]\.[uU][nN][iI][fF][yY]\.[sS][eE][rR][vV][lL][eE][tT][eE][xX][eE][cC]\.[uU][pP][lL][oO][aA][dD][sS][eE][rR][vV][lL][eE][tT]/
- msg "WEB-MISC unify eWave ServletExec upload"
+ event "WEB-MISC unify eWave ServletExec upload"
}
signature sid-1081 {
@@ -4935,7 +4935,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][sS][gG][wW][\/\\][bB][iI][nN][\/\\][sS][eE][aA][rR][cC][hH]\?[cC][oO][nN][tT][eE][xX][tT]=/
- msg "WEB-MISC netscape servers suite DOS"
+ event "WEB-MISC netscape servers suite DOS"
}
signature sid-1082 {
@@ -4944,7 +4944,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC amazon 1-click cookie theft"
+ event "WEB-MISC amazon 1-click cookie theft"
payload /.*[rR][eE][fF]%3[cC][sS][cC][rR][iI][pP][tT]%20[lL][aA][nN][gG][uU][aA][gG][eE]%3[dD]%22[jJ][aA][vV][aA][sS][cC][rR][iI][pP][tT]/
}
@@ -4955,7 +4955,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]servlet[\/\\]ServletExec/
- msg "WEB-MISC unify eWave ServletExec DOS"
+ event "WEB-MISC unify eWave ServletExec DOS"
}
signature sid-1084 {
@@ -4964,7 +4964,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC Allaire JRUN DOS attempt"
+ event "WEB-MISC Allaire JRUN DOS attempt"
payload /.*[sS][eE][rR][vV][lL][eE][tT]\/\.\.\.\.\.\.\./
}
@@ -4974,7 +4974,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC PHP strings overflow"
+ event "WEB-MISC PHP strings overflow"
payload /.*\xba\x49\xfe\xff\xff\xf7\xd2\xb9\xbf\xff\xff\xff\xf7\xd1/
}
@@ -4984,7 +4984,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC PHP strings overflow"
+ event "WEB-MISC PHP strings overflow"
payload /.*\?STRENGUR /
}
@@ -4995,7 +4995,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?\?\?\?\?\?\?\?\?\?/
- msg "WEB-MISC ICQ Webfront HTTP DOS"
+ event "WEB-MISC ICQ Webfront HTTP DOS"
}
signature sid-1095 {
@@ -5005,7 +5005,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]webplus\.exe\?script=test\.wml/
- msg "WEB-MISC Talentsoft Web+ Source Code view access"
+ event "WEB-MISC Talentsoft Web+ Source Code view access"
}
signature sid-1096 {
@@ -5015,7 +5015,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]webplus\.exe\?about/
- msg "WEB-MISC Talentsoft Web+ internal IP Address access"
+ event "WEB-MISC Talentsoft Web+ internal IP Address access"
}
signature sid-1098 {
@@ -5025,7 +5025,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*_private[\/\\]shopping_cart\.mdb/
- msg "WEB-MISC SmartWin CyberOffice Shopping Cart access"
+ event "WEB-MISC SmartWin CyberOffice Shopping Cart access"
}
signature sid-1099 {
@@ -5035,7 +5035,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][yY][bB][eE][rR][cC][oO][pP]/
- msg "WEB-MISC cybercop scan"
+ event "WEB-MISC cybercop scan"
}
signature sid-1100 {
@@ -5044,7 +5044,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC L3retriever HTTP Probe"
+ event "WEB-MISC L3retriever HTTP Probe"
payload /.*User-Agent\x3a Java1\.2\.1\x0d\x0a/
}
@@ -5054,7 +5054,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC Webtrends HTTP probe"
+ event "WEB-MISC Webtrends HTTP probe"
payload /.*User-Agent\x3a Webtrends Security Analyzer\x0d\x0a/
}
@@ -5065,7 +5065,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN]-[sS][eE][rR][vV][\/\\][cC][oO][nN][fF][iI][gG][\/\\][aA][dD][mM][pP][wW]/
- msg "WEB-MISC netscape admin passwd"
+ event "WEB-MISC netscape admin passwd"
}
signature sid-1105 {
@@ -5075,7 +5075,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][bB]-[hH][oO][sS][tT][sS][vV][cC]\.[sS][hH]\?[hH][oO][sS][tT][sS][vV][cC]/
- msg "WEB-MISC BigBrother access"
+ event "WEB-MISC BigBrother access"
}
signature sid-1612 {
@@ -5085,7 +5085,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][tT][pP]\.[pP][lL]\?[dD][iI][rR]=\.\.[\/\\]\.\./
- msg "WEB-MISC ftp.pl attempt"
+ event "WEB-MISC ftp.pl attempt"
}
signature sid-1107 {
@@ -5095,7 +5095,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][tT][pP]\.[pP][lL]/
- msg "WEB-MISC ftp.pl access"
+ event "WEB-MISC ftp.pl access"
}
signature sid-1109 {
@@ -5105,7 +5105,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\x2F\x25\x30\x30/
- msg "WEB-MISC ROXEN directory list attempt"
+ event "WEB-MISC ROXEN directory list attempt"
}
signature sid-1110 {
@@ -5115,7 +5115,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][iI][tT][eE][\/\\][eE][gG][\/\\][sS][oO][uU][rR][cC][eE]\.[aA][sS][pP]/
- msg "WEB-MISC apache source.asp file access"
+ event "WEB-MISC apache source.asp file access"
}
signature sid-1111 {
@@ -5125,7 +5125,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][nN][tT][eE][xX][tT][aA][dD][mM][iI][nN][\/\\][cC][oO][nN][tT][eE][xX][tT][aA][dD][mM][iI][nN]\.[hH][tT][mM][lL]/
- msg "WEB-MISC tomcat server exploit access"
+ event "WEB-MISC tomcat server exploit access"
}
signature sid-1115 {
@@ -5135,7 +5135,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[hH][tT][mM][lL][\/\\]\.\.\.\.\.\./
- msg "WEB-MISC ICQ webserver DOS"
+ event "WEB-MISC ICQ webserver DOS"
}
signature sid-1116 {
@@ -5145,7 +5145,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[dD][eE][lL][eE][tT][eE][dD][oO][cC][uU][mM][eE][nN][tT]/
- msg "WEB-MISC Lotus DelDoc attempt"
+ event "WEB-MISC Lotus DelDoc attempt"
}
signature sid-1117 {
@@ -5155,7 +5155,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[eE][dD][iI][tT][dD][oO][cC][uU][mM][eE][nN][tT]/
- msg "WEB-MISC Lotus EditDoc attempt"
+ event "WEB-MISC Lotus EditDoc attempt"
}
signature sid-1118 {
@@ -5164,7 +5164,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC ls%20-l"
+ event "WEB-MISC ls%20-l"
payload /.*[lL][sS]%20-[lL]/
}
@@ -5175,7 +5175,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][lL][oO][gG]\.[pP][hH][tT][mM][lL]/
- msg "WEB-MISC mlog.phtml access"
+ event "WEB-MISC mlog.phtml access"
}
signature sid-1120 {
@@ -5185,7 +5185,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][yY][lL][oO][gG]\.[pP][hH][tT][mM][lL]/
- msg "WEB-MISC mylog.phtml access"
+ event "WEB-MISC mylog.phtml access"
}
signature sid-1122 {
@@ -5194,7 +5194,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC /etc/passwd"
+ event "WEB-MISC /etc/passwd"
payload /.*\/[eE][tT][cC]\/[pP][aA][sS][sS][wW][dD]/
}
@@ -5205,7 +5205,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[pP][aA][gG][eE][sS][eE][rR][vV][iI][cC][eE][sS]/
- msg "WEB-MISC ?PageServices access"
+ event "WEB-MISC ?PageServices access"
}
signature sid-1124 {
@@ -5215,7 +5215,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][nN][fF][iI][gG][\/\\][cC][hH][eE][cC][kK]\.[tT][xX][tT]/
- msg "WEB-MISC Ecommerce check.txt access"
+ event "WEB-MISC Ecommerce check.txt access"
}
signature sid-1125 {
@@ -5225,7 +5225,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][cC][aA][rR][tT][\/\\]/
- msg "WEB-MISC webcart access"
+ event "WEB-MISC webcart access"
}
signature sid-1126 {
@@ -5235,7 +5235,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*_[aA][uU][tT][hH][cC][hH][aA][nN][gG][eE][uU][rR][lL]\?/
- msg "WEB-MISC AuthChangeUrl access"
+ event "WEB-MISC AuthChangeUrl access"
}
signature sid-1127 {
@@ -5245,7 +5245,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][cC][oO][nN][vV][eE][rR][tT]\.[bB][aA][sS]/
- msg "WEB-MISC convert.bas access"
+ event "WEB-MISC convert.bas access"
}
signature sid-1128 {
@@ -5255,7 +5255,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][cC][rR][iI][pP][tT][sS][\/\\][cC][pP][sS][hH][oO][sS][tT]\.[dD][lL][lL]/
- msg "WEB-MISC cpshost.dll access"
+ event "WEB-MISC cpshost.dll access"
}
signature sid-1129 {
@@ -5264,7 +5264,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC .htaccess access"
+ event "WEB-MISC .htaccess access"
payload /.*\.[hH][tT][aA][cC][cC][eE][sS][sS]/
}
@@ -5275,7 +5275,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[wW][wW][wW][aA][cC][lL]/
- msg "WEB-MISC .wwwacl access"
+ event "WEB-MISC .wwwacl access"
}
signature sid-1131 {
@@ -5285,7 +5285,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[wW][wW][wW]_[aA][cC][lL]/
- msg "WEB-MISC .wwwacl access"
+ event "WEB-MISC .wwwacl access"
}
signature sid-1134 {
@@ -5295,7 +5295,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN]\.[pP][hH][pP]3/
- msg "WEB-MISC Phorum admin access"
+ event "WEB-MISC Phorum admin access"
}
signature sid-1136 {
@@ -5304,7 +5304,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC cd.."
+ event "WEB-MISC cd.."
payload /.*[cC][dD]\.\./
}
@@ -5314,7 +5314,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC Phorum auth access"
+ event "WEB-MISC Phorum auth access"
payload /.*[pP][hH][pP]_[aA][uU][tT][hH]_[uU][sS][eE][rR]=[bB][oO][oO][gG][iI][eE][mM][aA][nN]/
}
@@ -5325,7 +5325,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][gG][uU][eE][sS][tT][bB][oO][oO][kK]\.[pP][lL]/
- msg "WEB-MISC guestbook.pl access"
+ event "WEB-MISC guestbook.pl access"
}
signature sid-1613 {
@@ -5336,7 +5336,7 @@
tcp-state originator,established
http /.*[\/\\][hH][aA][nN][dD][lL][eE][rR]/
http /.*\|/
- msg "WEB-MISC handler attempt"
+ event "WEB-MISC handler attempt"
}
signature sid-1141 {
@@ -5346,7 +5346,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][hH][aA][nN][dD][lL][eE][rR]/
- msg "WEB-MISC handler access"
+ event "WEB-MISC handler access"
}
signature sid-1142 {
@@ -5355,7 +5355,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC /...."
+ event "WEB-MISC /...."
payload /.*\x2f\x2e\x2e\x2e\x2e/
}
@@ -5366,7 +5366,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][\/\\][\/\\][cC][gG][iI]-[bB][iI][nN]/
- msg "WEB-MISC ///cgi-bin"
+ event "WEB-MISC ///cgi-bin"
}
signature sid-1144 {
@@ -5376,7 +5376,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI]-[bB][iI][nN][\/\\][\/\\][\/\\]/
- msg "WEB-MISC /cgi-bin/// access"
+ event "WEB-MISC /cgi-bin/// access"
}
signature sid-1145 {
@@ -5386,7 +5386,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]~[rR][oO][oO][tT]/
- msg "WEB-MISC /~root access"
+ event "WEB-MISC /~root access"
}
signature sid-1662 {
@@ -5396,7 +5396,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]~[rR][oO][oO][tT]/
- msg "WEB-MISC /~ftp access"
+ event "WEB-MISC /~ftp access"
}
signature sid-1146 {
@@ -5406,7 +5406,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][nN][fF][iI][gG][\/\\][iI][mM][pP][oO][rR][tT]\.[tT][xX][tT]/
- msg "WEB-MISC Ecommerce import.txt access"
+ event "WEB-MISC Ecommerce import.txt access"
}
signature sid-1147 {
@@ -5415,7 +5415,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC cat%20 access"
+ event "WEB-MISC cat%20 access"
payload /.*[cC][aA][tT]%20/
}
@@ -5426,7 +5426,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][oO][rR][dD][eE][rR][sS][\/\\][iI][mM][pP][oO][rR][tT]\.[tT][xX][tT]/
- msg "WEB-MISC Ecommerce import.txt access"
+ event "WEB-MISC Ecommerce import.txt access"
}
signature sid-1150 {
@@ -5436,7 +5436,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][tT][aA][lL][oO][gG]\.[nN][sS][fF]/
- msg "WEB-MISC Domino catalog.nsf access"
+ event "WEB-MISC Domino catalog.nsf access"
}
signature sid-1151 {
@@ -5446,7 +5446,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][oO][mM][cC][fF][gG]\.[nN][sS][fF]/
- msg "WEB-MISC Domino domcfg.nsf access"
+ event "WEB-MISC Domino domcfg.nsf access"
}
signature sid-1152 {
@@ -5456,7 +5456,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][dD][oO][mM][lL][oO][gG]\.[nN][sS][fF]/
- msg "WEB-MISC Domino domlog.nsf access"
+ event "WEB-MISC Domino domlog.nsf access"
}
signature sid-1153 {
@@ -5466,7 +5466,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][lL][oO][gG]\.[nN][sS][fF]/
- msg "WEB-MISC Domino log.nsf access"
+ event "WEB-MISC Domino log.nsf access"
}
signature sid-1154 {
@@ -5476,7 +5476,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][nN][aA][mM][eE][sS]\.[nN][sS][fF]/
- msg "WEB-MISC Domino names.nsf access"
+ event "WEB-MISC Domino names.nsf access"
}
signature sid-1575 {
@@ -5486,7 +5486,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][bB]\.[nN][sS][fF]/
- msg "WEB-MISC Domino mab.nsf access"
+ event "WEB-MISC Domino mab.nsf access"
}
signature sid-1576 {
@@ -5496,7 +5496,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][eE][rR][sS][vV][rR]\.[nN][sS][fF]/
- msg "WEB-MISC Domino cersvr.nsf access"
+ event "WEB-MISC Domino cersvr.nsf access"
}
signature sid-1577 {
@@ -5506,7 +5506,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][eE][tT][uU][pP]\.[nN][sS][fF]/
- msg "WEB-MISC Domino setup.nsf access"
+ event "WEB-MISC Domino setup.nsf access"
}
signature sid-1578 {
@@ -5516,7 +5516,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][tT][aA][tT][rR][eE][pP]\.[nN][sS][fF]/
- msg "WEB-MISC Domino statrep.nsf access"
+ event "WEB-MISC Domino statrep.nsf access"
}
signature sid-1579 {
@@ -5526,7 +5526,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][eE][bB][aA][dD][mM][iI][nN]\.[nN][sS][fF]/
- msg "WEB-MISC Domino webadmin.nsf access"
+ event "WEB-MISC Domino webadmin.nsf access"
}
signature sid-1580 {
@@ -5536,7 +5536,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][vV][eE][nN][tT][sS]4\.[nN][sS][fF]/
- msg "WEB-MISC Domino events4.nsf access"
+ event "WEB-MISC Domino events4.nsf access"
}
signature sid-1581 {
@@ -5546,7 +5546,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][nN][tT][sS][yY][nN][cC]4\.[nN][sS][fF]/
- msg "WEB-MISC Domino ntsync4.nsf access"
+ event "WEB-MISC Domino ntsync4.nsf access"
}
signature sid-1582 {
@@ -5556,7 +5556,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][lL][lL][eE][cC][tT]4\.[nN][sS][fF]/
- msg "WEB-MISC Domino collect4.nsf access"
+ event "WEB-MISC Domino collect4.nsf access"
}
signature sid-1583 {
@@ -5566,7 +5566,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][iI][lL][wW]46\.[nN][sS][fF]/
- msg "WEB-MISC Domino mailw46.nsf access"
+ event "WEB-MISC Domino mailw46.nsf access"
}
signature sid-1584 {
@@ -5576,7 +5576,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][oO][oO][kK][mM][aA][rR][kK]\.[nN][sS][fF]/
- msg "WEB-MISC Domino bookmark.nsf access"
+ event "WEB-MISC Domino bookmark.nsf access"
}
signature sid-1585 {
@@ -5586,7 +5586,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][gG][eE][nN][tT][rR][uU][nN][nN][eE][rR]\.[nN][sS][fF]/
- msg "WEB-MISC Domino agentrunner.nsf access"
+ event "WEB-MISC Domino agentrunner.nsf access"
}
signature sid-1586 {
@@ -5596,7 +5596,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][iI][lL]\.[bB][oO][xX]/
- msg "WEB-MISC Domino mail.box access"
+ event "WEB-MISC Domino mail.box access"
}
signature sid-1155 {
@@ -5606,7 +5606,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][oO][rR][dD][eE][rR][sS][\/\\][cC][hH][eE][cC][kK][sS]\.[tT][xX][tT]/
- msg "WEB-MISC Ecommerce checks.txt access"
+ event "WEB-MISC Ecommerce checks.txt access"
}
signature sid-1156 {
@@ -5615,7 +5615,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC apache DOS attempt"
+ event "WEB-MISC apache DOS attempt"
payload /.*\x2f\x2f\x2f\x2f\x2f\x2f\x2f\x2f/
}
@@ -5626,7 +5626,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][sS][uU][sS][eE][rR][\/\\][pP][sS][cC][oO][eE][rR][rR][pP][aA][gG][eE]\.[hH][tT][mM]\?/
- msg "WEB-MISC netscape PublishingXpert 2 Exploit"
+ event "WEB-MISC netscape PublishingXpert 2 Exploit"
}
signature sid-1158 {
@@ -5636,7 +5636,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][iI][nN][dD][mM][aA][iI][lL]\.[eE][xX][eE]/
- msg "WEB-MISC windmail access"
+ event "WEB-MISC windmail access"
}
signature sid-1159 {
@@ -5645,7 +5645,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC webplus access"
+ event "WEB-MISC webplus access"
payload /.*[wW][eE][bB][pP][lL][uU][sS]\?[sS][cC][rR][iI][pP][tT]/
}
@@ -5655,7 +5655,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC netscape dir index wp"
+ event "WEB-MISC netscape dir index wp"
payload /.*\?[wW][pP]-/
}
@@ -5666,7 +5666,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]passwd\.php3/
- msg "WEB-MISC piranha passwd.php3 access"
+ event "WEB-MISC piranha passwd.php3 access"
}
signature sid-1162 {
@@ -5676,7 +5676,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC]32[wW][eE][bB]\.[eE][xX][eE][\/\\][cC][hH][aA][nN][gG][eE][aA][dD][mM][iI][nN][pP][aA][sS][sS][wW][oO][rR][dD]/
- msg "WEB-MISC cart 32 AdminPwd access"
+ event "WEB-MISC cart 32 AdminPwd access"
}
signature sid-1164 {
@@ -5686,7 +5686,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][qQ][uU][iI][kK][sS][tT][oO][rR][eE]\.[cC][fF][gG]/
- msg "WEB-MISC shopping cart access access"
+ event "WEB-MISC shopping cart access access"
}
signature sid-1614 {
@@ -5695,7 +5695,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC novell groupwise gwweb.exe attempt"
+ event "WEB-MISC novell groupwise gwweb.exe attempt"
payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]\?[hH][eE][lL][pP]=/
}
@@ -5705,7 +5705,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC novell groupwise gwweb.exe access"
+ event "WEB-MISC novell groupwise gwweb.exe access"
payload /.*\/[gG][wW][wW][eE][bB]\.[eE][xX][eE]/
}
@@ -5716,7 +5716,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][sS]_[fF][tT][pP]\.[iI][nN][iI]/
- msg "WEB-MISC ws_ftp.ini access"
+ event "WEB-MISC ws_ftp.ini access"
}
signature sid-1167 {
@@ -5726,7 +5726,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][mM][pP]_[qQ][uU][eE][rR][yY]/
- msg "WEB-MISC rpm_query access"
+ event "WEB-MISC rpm_query access"
}
signature sid-1168 {
@@ -5736,7 +5736,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][aA][lL][lL]_[lL][oO][gG]_[fF][iI][lL][eE][sS][\/\\][oO][rR][dD][eE][rR]\.[lL][oO][gG]/
- msg "WEB-MISC mall log order access"
+ event "WEB-MISC mall log order access"
}
signature sid-1173 {
@@ -5746,7 +5746,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][wW][sS][\/\\][aA][rR][cC][hH][iI][tT][eE][xX][tT]_[qQ][uU][eE][rR][yY]\.[pP][lL]/
- msg "WEB-MISC architext_query.pl access"
+ event "WEB-MISC architext_query.pl access"
}
signature sid-1175 {
@@ -5756,7 +5756,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][wW][wW][wW][bB][oO][aA][rR][dD]\.[pP][lL]/
- msg "WEB-MISC wwwboard.pl access"
+ event "WEB-MISC wwwboard.pl access"
}
signature sid-1176 {
@@ -5766,7 +5766,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN]_[fF][iI][lL][eE][sS][\/\\][oO][rR][dD][eE][rR]\.[lL][oO][gG]/
- msg "WEB-MISC order.log access"
+ event "WEB-MISC order.log access"
}
signature sid-1177 {
@@ -5776,7 +5776,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[vV][eE][rR][iI][fF][yY]-[lL][iI][nN][kK]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1178 {
@@ -5786,7 +5786,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][eE][aA][dD]\.[pP][hH][pP]3/
- msg "WEB-MISC Phorum read access"
+ event "WEB-MISC Phorum read access"
}
signature sid-1179 {
@@ -5796,7 +5796,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][vV][iI][oO][lL][aA][tT][iI][oO][nN]\.[pP][hH][pP]3/
- msg "WEB-MISC Phorum violation access"
+ event "WEB-MISC Phorum violation access"
}
signature sid-1180 {
@@ -5806,7 +5806,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][gG][eE][tT]32\.[eE][xX][eE]/
- msg "WEB-MISC get32.exe access"
+ event "WEB-MISC get32.exe access"
}
signature sid-1587 {
@@ -5816,7 +5816,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI][tT][eE][sS][tT]\.[eE][xX][eE]/
- msg "WEB-MISC cgitest.exe access"
+ event "WEB-MISC cgitest.exe access"
}
signature sid-1183 {
@@ -5826,7 +5826,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[cC][sS]-[dD][uU][mM][pP]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1184 {
@@ -5836,7 +5836,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[vV][eE][rR]-[iI][nN][fF][oO]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1186 {
@@ -5846,7 +5846,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[vV][eE][rR]-[dD][iI][fF][fF]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1187 {
@@ -5856,7 +5856,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][lL][xX][wW][eE][bB]\.[dD][lL][lL][\/\\][aA][dD][mM][iI][nN]\?[cC][oO][mM][mM][aA][nN][dD]=/
- msg "WEB-MISC SalesLogix Eviewer web command attempt"
+ event "WEB-MISC SalesLogix Eviewer web command attempt"
}
signature sid-1588 {
@@ -5866,7 +5866,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][sS][lL][xX][wW][eE][bB]\.[dD][lL][lL]/
- msg "WEB-MISC SalesLogix Eviewer access"
+ event "WEB-MISC SalesLogix Eviewer access"
}
signature sid-1188 {
@@ -5876,7 +5876,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[sS][tT][aA][rR][tT]-[vV][eE][rR]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1189 {
@@ -5886,7 +5886,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[sS][tT][oO][pP]-[vV][eE][rR]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1190 {
@@ -5896,7 +5896,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[uU][nN][cC][hH][eE][cC][kK][oO][uU][tT]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1191 {
@@ -5906,7 +5906,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[hH][tT][mM][lL]-[rR][eE][nN][dD]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1381 {
@@ -5918,7 +5918,7 @@
http /.*[\/\\][oO][fF][fF][iI][cC][eE][sS][cC][aA][nN][\/\\][cC][gG][iI][\/\\][jJ][dD][kK][rR][qQ][nN][oO][tT][iI][fF][yY]\.[eE][xX][eE]\?/
http /.*[dD][oO][mM][aA][iI][nN]=/
http /.*[eE][vV][eE][nN][tT]=/
- msg "WEB-MISC Trend Micro OfficeScan attempt"
+ event "WEB-MISC Trend Micro OfficeScan attempt"
}
signature sid-1192 {
@@ -5928,7 +5928,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][oO][fF][fF][iI][cC][eE][sS][cC][aA][nN][\/\\][cC][gG][iI][\/\\][jJ][dD][kK][rR][qQ][nN][oO][tT][iI][fF][yY]\.[eE][xX][eE]/
- msg "WEB-MISC Trend Micro OfficeScan access"
+ event "WEB-MISC Trend Micro OfficeScan access"
}
signature sid-1193 {
@@ -5939,7 +5939,7 @@
tcp-state originator,established
http /.*[\/\\][oO][wW][sS]-[bB][iI][nN][\/\\]/
http /.*\?&/
- msg "WEB-MISC oracle web listener batch access"
+ event "WEB-MISC oracle web listener batch access"
}
signature sid-1197 {
@@ -5949,7 +5949,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][oO][dD][eE]\.[pP][hH][pP]3/
- msg "WEB-MISC Phorum code access"
+ event "WEB-MISC Phorum code access"
}
signature sid-1198 {
@@ -5959,7 +5959,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\?[wW][pP]-[uU][sS][rR]-[pP][rR][oO][pP]/
- msg "WEB-MISC Netscape Enterprise Server directory view"
+ event "WEB-MISC Netscape Enterprise Server directory view"
}
signature sid-1202 {
@@ -5969,7 +5969,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]search\.vts/
- msg "WEB-MISC search.vts access"
+ event "WEB-MISC search.vts access"
}
signature sid-1615 {
@@ -5979,7 +5979,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]htgrep/
- msg "WEB-MISC htgrep attempt"
+ event "WEB-MISC htgrep attempt"
payload /.*hdr=\//
}
@@ -5990,7 +5990,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]htgrep/
- msg "WEB-MISC htgrep access"
+ event "WEB-MISC htgrep access"
}
signature sid-1209 {
@@ -6000,7 +6000,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]\.nsconfig/
- msg "WEB-MISC .nsconfig access"
+ event "WEB-MISC .nsconfig access"
}
signature sid-1212 {
@@ -6010,7 +6010,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN]_[fF][iI][lL][eE][sS]/
- msg "WEB-MISC Admin_files access"
+ event "WEB-MISC Admin_files access"
}
signature sid-1213 {
@@ -6020,7 +6020,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][bB][aA][cC][kK][uU][pP]/
- msg "WEB-MISC backup access"
+ event "WEB-MISC backup access"
}
signature sid-1214 {
@@ -6030,7 +6030,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][iI][nN][tT][rR][aA][nN][eE][tT][\/\\]/
- msg "WEB-MISC intranet access"
+ event "WEB-MISC intranet access"
}
signature sid-1216 {
@@ -6040,7 +6040,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][iI][lL][eE][mM][aA][iI][lL]/
- msg "WEB-MISC filemail access"
+ event "WEB-MISC filemail access"
}
signature sid-1217 {
@@ -6050,7 +6050,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][pP][lL][uU][sS][mM][aA][iI][lL]/
- msg "WEB-MISC plusmail access"
+ event "WEB-MISC plusmail access"
}
signature sid-1218 {
@@ -6060,7 +6060,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN][lL][oO][gG][iI][nN]/
- msg "WEB-MISC adminlogin access"
+ event "WEB-MISC adminlogin access"
}
signature sid-1220 {
@@ -6070,7 +6070,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][uU][lL][tT][rR][aA][bB][oO][aA][rR][dD]/
- msg "WEB-MISC ultraboard access"
+ event "WEB-MISC ultraboard access"
}
signature sid-1589 {
@@ -6080,7 +6080,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][mM][pP][oO][wW][eE][rR]\?[dD][bB]=/
- msg "WEB-MISC musicat empower attempt"
+ event "WEB-MISC musicat empower attempt"
}
signature sid-1221 {
@@ -6090,7 +6090,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][eE][mM][pP][oO][wW][eE][rR]/
- msg "WEB-MISC musicat empower access"
+ event "WEB-MISC musicat empower access"
}
signature sid-1224 {
@@ -6100,7 +6100,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][rR][oO][aA][dD][sS][\/\\][cC][gG][iI]-[bB][iI][nN][\/\\][sS][eE][aA][rR][cC][hH]\.[pP][lL]/
- msg "WEB-MISC ROADS search.pl attempt"
+ event "WEB-MISC ROADS search.pl attempt"
payload /.*[fF][oO][rR][mM]=/
}
@@ -6111,7 +6111,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][tT][pP][sS][aA][vV][eE]\.[dD][lL][lL]/
- msg "WEB-MISC VirusWall FtpSave access"
+ event "WEB-MISC VirusWall FtpSave access"
}
signature sid-1231 {
@@ -6121,7 +6121,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][tT][iI][nN][fF][oO]/
- msg "WEB-MISC VirusWall access"
+ event "WEB-MISC VirusWall access"
}
signature sid-1234 {
@@ -6131,7 +6131,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][tT][pP][sS][aA][vV][eE][cC][sS][pP]\.[dD][lL][lL]/
- msg "WEB-MISC VirusWall FtpSaveCSP access"
+ event "WEB-MISC VirusWall FtpSaveCSP access"
}
signature sid-1235 {
@@ -6141,7 +6141,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][fF][tT][pP][sS][aA][vV][eE][cC][vV][pP]\.[dD][lL][lL]/
- msg "WEB-MISC VirusWall FtpSaveCVP access"
+ event "WEB-MISC VirusWall FtpSaveCVP access"
}
signature sid-1236 {
@@ -6151,7 +6151,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[jJ][sS]%2570/
- msg "WEB-MISC Tomcat sourcode view"
+ event "WEB-MISC Tomcat sourcode view"
}
signature sid-1237 {
@@ -6161,7 +6161,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.[jJ]%2573[pP]/
- msg "WEB-MISC Tomcat sourcode view"
+ event "WEB-MISC Tomcat sourcode view"
}
signature sid-1238 {
@@ -6171,7 +6171,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*\.%256[aA][sS][pP]/
- msg "WEB-MISC Tomcat sourcode view"
+ event "WEB-MISC Tomcat sourcode view"
}
signature sid-1241 {
@@ -6181,7 +6181,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]SWEditServlet/
- msg "WEB-MISC SWEditServlet directory traversal attempt"
+ event "WEB-MISC SWEditServlet directory traversal attempt"
payload /.*template=\.\.\/\.\.\/\.\.\//
}
@@ -6192,7 +6192,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]SWEditServlet/
- msg "WEB-MISC SWEditServlet access"
+ event "WEB-MISC SWEditServlet access"
}
signature sid-1139 {
@@ -6201,7 +6201,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC whisker HEAD/./"
+ event "WEB-MISC whisker HEAD/./"
payload /.*HEAD\/\.\//
}
@@ -6211,7 +6211,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC PHPLIB remote command attempt"
+ event "WEB-MISC PHPLIB remote command attempt"
payload /.*_PHPLIB\[libdir\]/
}
@@ -6222,7 +6222,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]graphics[\/\\]sml3com/
- msg "WEB-MISC sml3com access"
+ event "WEB-MISC sml3com access"
}
signature sid-1001 {
@@ -6232,7 +6232,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][aA][rR][bB][oO]\.[dD][lL][lL]/
- msg "WEB-MISC carbo.dll access"
+ event "WEB-MISC carbo.dll access"
payload /.*[iI][cC][aA][tT][cC][oO][mM][mM][aA][nN][dD]=/
}
@@ -6243,7 +6243,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN]\.[pP][hH][pP]/
- msg "WEB-MISC admin.php file upload attempt"
+ event "WEB-MISC admin.php file upload attempt"
payload /.*[fF][iI][lL][eE]_[nN][aA][mM][eE]=/
}
@@ -6254,7 +6254,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][aA][dD][mM][iI][nN]\.[pP][hH][pP]/
- msg "WEB-MISC admin.php access"
+ event "WEB-MISC admin.php access"
}
signature sid-1302 {
@@ -6264,7 +6264,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI]-[bB][iI][nN][\/\\][cC][oO][nN][sS][oO][lL][eE]\.[eE][xX][eE]/
- msg "WEB-MISC console.exe access"
+ event "WEB-MISC console.exe access"
}
signature sid-1303 {
@@ -6274,7 +6274,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][cC][gG][iI]-[bB][iI][nN][\/\\][cC][sS]\.[eE][xX][eE]/
- msg "WEB-MISC cs.exe access"
+ event "WEB-MISC cs.exe access"
}
signature sid-1113 {
@@ -6283,7 +6283,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC http directory traversal"
+ event "WEB-MISC http directory traversal"
payload /.*\.\.\//
}
@@ -6294,7 +6294,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]%3f\.jsp/
- msg "WEB-MISC jrun directory browse attempt"
+ event "WEB-MISC jrun directory browse attempt"
}
signature sid-1385 {
@@ -6304,7 +6304,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]admin_[\/\\]/
- msg "WEB-MISC mod-plsql administration access"
+ event "WEB-MISC mod-plsql administration access"
}
signature sid-1391 {
@@ -6313,7 +6313,7 @@
header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
header tcp[2:2] == 80
tcp-state originator,established
- msg "WEB-MISC Phorecast remote code execution attempt"
+ event "WEB-MISC Phorecast remote code execution attempt"
payload /.*includedir=/
}
@@ -6324,7 +6324,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]viewcode/
- msg "WEB-MISC viewcode access"
+ event "WEB-MISC viewcode access"
}
signature sid-1404 {
@@ -6334,7 +6334,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]showcode/
- msg "WEB-MISC showcode access"
+ event "WEB-MISC showcode access"
}
signature sid-1407 {
@@ -6344,7 +6344,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]smssend\.php/
- msg "WEB-MISC smssend.php access"
+ event "WEB-MISC smssend.php access"
}
signature sid-1399 {
@@ -6354,7 +6354,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[iI][nN][dD][eE][xX]\.[pP][hH][pP]/
- msg "WEB-MISC PHP-Nuke remote file include attempt"
+ event "WEB-MISC PHP-Nuke remote file include attempt"
payload /.*[fF][iI][lL][eE]=[hH][tT][tT][pP]:\/\//
}
@@ -6365,7 +6365,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]\.history/
- msg "WEB-MISC .history access"
+ event "WEB-MISC .history access"
}
signature sid-1434 {
@@ -6375,7 +6375,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]\.bash_history/
- msg "WEB-MISC .bash_history access"
+ event "WEB-MISC .bash_history access"
}
signature sid-1489 {
@@ -6385,7 +6385,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]~nobody/
- msg "WEB-MISC /~nobody access"
+ event "WEB-MISC /~nobody access"
}
signature sid-1490 {
@@ -6395,7 +6395,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]support[\/\\]common\.php/
- msg "WEB-MISC phorum /support/common.php attempt"
+ event "WEB-MISC phorum /support/common.php attempt"
payload /.*ForumLang=\.\.\//
}
@@ -6406,7 +6406,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]support[\/\\]common\.php/
- msg "WEB-MISC phorum /support/common.php access"
+ event "WEB-MISC phorum /support/common.php access"
}
signature sid-1492 {
@@ -6416,7 +6416,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]newuser\?Image=\.\.[\/\\]\.\./
- msg "WEB-MISC RBS ISP /newuser directory traversal attempt"
+ event "WEB-MISC RBS ISP /newuser directory traversal attempt"
}
signature sid-1493 {
@@ -6426,7 +6426,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]newuser/
- msg "WEB-MISC RBS ISP /newuser access"
+ event "WEB-MISC RBS ISP /newuser access"
}
signature sid-1663 {
@@ -6436,7 +6436,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\]\*%0[aA]\.[pP][lL]/
- msg "WEB-MISC *%0a.pl access"
+ event "WEB-MISC *%0a.pl access"
}
signature sid-1664 {
@@ -6446,7 +6446,7 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][kK][pP][lL][oO][gG]\.[eE][xX][eE]/
- msg "WEB-MISC mkplog.exe access"
+ event "WEB-MISC mkplog.exe access"
}
signature sid-1665 {
@@ -6456,6 +6456,6 @@
header tcp[2:2] == 80
tcp-state originator,established
http /.*[\/\\][mM][kK][iI][lL][oO][gG]\.[eE][xX][eE]/
- msg "WEB-MISC mkilog.exe access"
+ event "WEB-MISC mkilog.exe access"
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20030916/fbe5c881/attachment.bin
More information about the Bro
mailing list