01739 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"FILE-JAVA Oracle Java Runtime Environment Pack200 Decompression Integer Overflow"; flow:to_client,established; content:"Content-Encoding: pack200-gz",nocase; content:"|9A 10 3A C7 39 E2 E6 DE BE F7 71 BA 7C 22 5E D7|"; content:"|49 F4 EF C7 73 9F 9B 9C 8B 32 A7 88 58 FF 13 31|"; metadata:policy balanced-ips drop,policy security-ips drop,service http,service imap,service pop3; reference:bugtraq,34240; reference:cve,2009-1095; classtype:attempted-user; sid:17522; rev:6; service:http; service:imap; service:pop3; )
02398 alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows 7/Server 2008R2"; flow:established; content:"Microsoft Windows",depth 18; content:"Copyright |28|c|29| 2009",distance 0; content:"Microsoft Corporation",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18756; rev:4; )
02399 alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner Windows Vista"; flow:established; content:"Microsoft Windows",depth 18; content:"Copyright |28|c|29| 2006",distance 0; content:"Microsoft Corporation",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:18757; rev:3; )
02400 alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows",depth 18; content:"|28|C|29| Copyright 1985-",distance 0; content:"Microsoft Corp.",distance 0; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:7; )
02401 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community; classtype:successful-user; sid:2412; rev:8; )
02476 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:5; )
02478 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder"; content:"|D9 EE D9 74 24 F4|"; content:"|81|",distance 1; content:"|13|",distance 1; content:"|83|",distance 1; content:"|FC E2 F4|",distance 1; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17322; rev:2; )
02479 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped"; content:"unescape"; content:"%ud9ee%u2474%u"; content:"%uf4e2",distance 18; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17323; rev:2; )
02480 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 Linux reverse connect shellcode"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17324; rev:2; )
02481 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder variant"; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17325; rev:2; )
02482 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip byte xor decoder"; content:"|D9 E1 D9 34 24|"; content:"|E7 31 C9 66 81 E9|",distance 6; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17335; rev:2; )
02483 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic call geteip byte xor decoder"; content:"|EB 10|"; content:"|31 C9 66 81 E9|",distance 1; content:"|E2 FA EB 05 E8 EB FF FF FF|",distance 5; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17336; rev:2; )
02484 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 Microsoft Win32 export table enumeration variant"; content:"|8B 6C 24 24 8B 45 3C 8B 7C 05 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17337; rev:4; )
02485 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 Microsoft Windows 32-bit SEH get EIP technique"; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17338; rev:3; )
02486 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 generic OS alpha numeric mixed case decoder"; content:"jAXP0A0AkAAQ2AB2BB0BBABXP8ABu"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17339; rev:2; )
02487 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8AC"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17340; rev:3; )
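# sid 17341: the third content was written as the ASCII text "03 0c 24 6a 04" (no |..| hex
# delimiters), so the rule was looking for those literal characters instead of the opcode
# bytes and could not match the decoder stub it names. Encoded as bytes and pinned to the
# position right after the skipped imm8 (within 5,distance 1), the same way sid 19288 below
# matches this exact stub. rev bumped for the change.
02488 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|",distance 1; content:"|03 0C 24 6A 04|",within 5,distance 1; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17341; rev:3; )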
02489 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"j|00|X|00|A|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|A|00|R|00|A|00|L|00|A|00|Y|00|A|00|I|00|A|00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17342; rev:2; )
02490 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"Q|00|A|00|T|00|A|00|X|00|A|00|Z|00|A|00|P|00|U|00|3|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17343; rev:2; )
02491 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic xor dword decoder"; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|",distance 4; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17344; rev:2; )
02492 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:17345; rev:3; )
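# sid 19281: alert text corrected ("countodwn" -> "countdown"); the stub is the single-byte
# XOR decoder that counts ecx down with loop (E2 FA). Match content unchanged; rev bumped.
02495 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic single-byte xor countdown encoder"; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19281; rev:3; )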
02496 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic cpuid-based context keyed encoder"; content:"|31 F6 31 FF 89 F8 31 C9 0F A2 31 C6 39 F0 75 03 8D 78 01 31|"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19282; rev:2; )
02497 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic stat-based context keyed encoder"; content:"|D9 EE D9 74 24 F4 5B|",fast_pattern; byte_jump:1,1,relative; content:"|83 C3 09 8D 53|",within 5; content:"|31 C0 88 02 8D 4C 24 A8|",within 8,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19283; rev:2; )
02498 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic time-based context keyed encoder"; content:"|31 DB 8D 43 0D CD 80 66 31 C0|",fast_pattern; content:"|D9 74 24 F4|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19284; rev:2; )
02499 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic non-alpha/non-upper encoder"; content:"|66 B9 FF FF EB 19 5E 8B FE 83 C7|",fast_pattern; content:"|8B D7 3B F2 7D 0B B0 7B F2 AE FF|",within 11,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19285; rev:2; )
02500 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode uppercase encoder"; content:"1AYAZBABABABAB30APB944JB"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19286; rev:2; )
02501 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed encoder"; content:"YAZBABABABABkMAGB9u4JB"; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19287; rev:2; )
02502 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|",within 9,distance 1,fast_pattern; content:"|03 0C 24 6A 04|",within 5,distance 1; content:"|5F 29 39 03 0C 24|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:19288; rev:2; )
# Metasploit Meterpreter TLV method-name signatures (sid 20185-20199). Each rule keys on the
# TLV header bytes |00 01 00 01| followed by the cleartext method-name string, so they only see
# Meterpreter sessions whose TLV packets are carried in the clear; a transport that encrypts or
# otherwise obfuscates the packet body would not match these contents. They are written as
# `tcp any any -> any any` with no $HOME_NET/$EXTERNAL_NET scoping, so they fire regardless of
# which side is the victim (hence "request/response" in msg), and pkt_data anchors the match to
# the raw TCP payload rather than a service-normalized buffer.
# NOTE(review): the www.metasploit.com/learn-more/... reference is an old documentation path;
# verify it still resolves before relying on it.
02504 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_fs_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_fs_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_fs_(separator|search|file_expand_path|md5|sha1|delete_file|stat|ls|chdir|mkdir|getwd|delete_dir)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20185; rev:2; )
02505 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_process_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_process_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_process_(thread_open|thread_create|thread_get_threads|image_load|image_get_proc_address|image_unload|image_get_images|memory_allocate|memory_free|memory_read|memory_write|memory_query|memory_protect|memory_lock|memory_unlock|attach|execute|kill|getpid|get_processes|close|wait|get_info|thread_suspend|thread_resume|thread_terminate|thread_query_regs|thread_set_regs|thread_close)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20186; rev:2; )
02506 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_eventlog_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_eventlog_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_eventlog_(open|numrecords|read|oldest|clear|close)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20187; rev:2; )
02507 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_config_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_config_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_config_(getuid|sysinfo|rev2self|steal_token|drop_token|getprivs)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20188; rev:2; )
02508 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_ui_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_ui_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_ui_(enable_keyboard|enable_mouse|get_idle_time|desktop_enum|desktop_get|desktop_set|desktop_screenshot|unlock_desktop|start_keyscan|stop_keyscan|get_keys)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20189; rev:2; )
02509 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_registry_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_registry_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_registry_(load_key|unload_key|open_key|open_remote_key|create_key|delete_key|close_key|enum_key|set_value|query_value|delete_value|query_class|enum_value)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20190; rev:2; )
02510 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_net_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_net_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_net_(config_get_interfaces|config_get_routes|config_add_route|config_remove_route|udp_client|tcp_server|tcp_client|socket_tcp_shutdown)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20191; rev:2; )
02511 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter incognito_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|incognito_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01incognito_(list_tokens|impersonate_token|add_user|add_group_user|add_localgroup_user|snarf_hashes)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20192; rev:2; )
02512 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter webcam_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|webcam_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01webcam_(list|start|get_frame|stop|audio_record)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20193; rev:2; )
02513 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter sniffer_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|sniffer_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01sniffer_(interfaces|capture_start|capture_stop|capture_stats|capture_dump|capture_dump_read)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20194; rev:2; )
02514 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter priv_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|priv_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01priv_(elevate_getsystem|passwd_get_sam_hashes|fs_get_file_mace|fs_set_file_mace|fs_set_file_mace_from_file|fs_blank_file_mace|fs_blank_directory_mace)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20195; rev:2; )
02515 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter lanattacks_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|lanattacks_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01lanattacks_(start_dhcp|reset_dhcp|set_dhcp_option|stop_dhcp|dhcp_log|start_tftp|reset_tftp|add_tftp_file|stop_tftp)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20196; rev:2; )
02516 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter espia_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|espia_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01espia_(video_get_dev_image|audio_get_dev_audio|image_get_dev_screen)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20197; rev:2; )
02517 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter networkpug_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|networkpug_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01networkpug_(start|stop)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20198; rev:2; )
02518 alert tcp any any -> any any ( msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_railgun_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_railgun_"; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_railgun_(memread|memwrite|api_multi|api)/"; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20199; rev:2; )
02519 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 OS agnostic single_static_bit encoder"; content:"|80 F9|"; content:"|74|",within 1,distance 1; content:"|60 83 E9 01 74 06 B3 02 F6 F3 E2|",within 11,distance 1; content:"|83 E0 01 6B 2F 02 09 E8 AA 61 83 ED FF 83 FD 08 75|",within 17,distance 1; content:"|83 EF FF 31 ED|",within 5,distance 1; metadata:policy balanced-ips drop,policy security-ips drop; classtype:shellcode-detect; sid:20989; rev:2; )
02524 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR ghost 2.3 runtime detection"; flow:to_client,established; content:"ver|3A|Ghost version ",depth 18,nocase; content:"server",distance 0,nocase; pcre:"/^ver\x3aGhost\s+version\s+\d+\x2E\d+\s+server/smi"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:url,www.megasecurity.org/trojans/g/ghost/Ghost2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=42053; classtype:trojan-activity; sid:7115; rev:6; )
02527 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR fearless lite 1.01 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.fearless.runtime; content:"Pass-On0",depth 8,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7112; rev:6; )
02528 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-BACKDOOR fearless lite 1.01 runtime detection"; flow:to_server,established; content:"Pass-On",depth 7,nocase; flowbits:set,backdoor.fearless.runtime; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7111; rev:8; )
02559 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd",depth 6; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:1; service:http; )
02600 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Trojan.Zeus P2P outbound communication"; flow:to_server,established; dsize:20; content:"|E5 AA C0 31|",depth 4; content:"|5B 74 08 4D 9B 39 C1|",within 7,distance 5; metadata:policy balanced-ips alert,policy security-ips drop; reference:url,www.abuse.ch/?p=3499; reference:url,www.virustotal.com/file/771571422FD4D88A439773D18951B5D83FD1E927CF2970EFD5CCAC97DBB3AC50/analysis/; classtype:trojan-activity; sid:22048; rev:4; )
02699 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Idicaf.B outbound connection"; flow:to_server,established; dsize:732; content:"F335|00 00 00 00|",depth 8,offset 16; content:"Service|20|Pack",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=06f65e782ca9a306f81dc26265ea25a1fe820d6333fbdd64004f60d599601513-1312545424; classtype:trojan-activity; sid:19732; rev:3; )
02722 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: ( msg:"MALWARE-CNC Win.Trojan.XYTvn.A outbound connection"; flow:to_server,established; content:"XYTvn",depth 5,fast_pattern; content:"|00 00|",within 2,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file-scan/report.html?id=be70ce81a9c241473d21c4d5a2250c1cb37b7bdbcea3bcf2ecf15742312c352a-1306259799; classtype:trojan-activity; sid:19358; rev:3; )
02778 alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"<html><title>",depth 13; content:"</title><body>",within 48; content:!"</body>"; content:!"<head>"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21945; rev:6; service:http; )
02779 alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] ( msg:"MALWARE-CNC Win.Trojan.Litmpuca.A Runtime Detection"; flow:to_server,established; content:"|96 F4 F6 F6|",depth 64; isdataat:128,relative; content:"|FE F6 F0 F6|",within 384,distance 128; content:"|F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21946; rev:7; service:http; )
02784 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: ( msg:"MALWARE-CNC Win.Trojan.Msposer.A outbound connection"; flow:to_server,established; content:"Connected|3E|",depth 13,nocase; content:"AT Port|23|",within 16,distance 8,nocase; content:"|7C 3C 3E 7C|",within 8,distance 2; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/latest-report.html?resource=22C1887EC4E18E5800D1527CF5765372; classtype:trojan-activity; sid:19767; rev:3; )
02846 alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] ( msg:"MALWARE-CNC Win.Trojan.IRCBot variant outbound connection"; flow:to_server,established; content:"JOIN #rape anal"; content:"blaze"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service ircd; reference:url,www.virustotal.com/file/ab3a73bca380bfd055d27539cb2d131c8c3554835d4056282ce3271a590b27b2/analysis/; classtype:trojan-activity; sid:25016; rev:2; )
02847 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 ( msg:"MALWARE-CNC Win.Downloader.Recslurp variant outbound connection"; flow:to_server,established; dsize:10; content:"|20 00 05 00 00 00 06 00|",depth 10; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/682386A14177AFFA24ED3C034EF34E2414ABEE6C77C369F3055BBB1C6BD9D8F8/analysis/; classtype:trojan-activity; sid:25025; rev:3; )
02853 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/Post|2E|Php|3F|UserName"; content:"Bank=",nocase; content:"Money=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/file/7d70bdcf5329404920570c96e084c78d8756bff8932832a357866eb4c57555cf/analysis/; classtype:trojan-activity; sid:25074; rev:2; service:http; )
02906 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|01 00 00 00|",depth 4; content:"|00 00 00|Windows",within 11,distance 143; content:"MB",within 24,distance 48; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/A8C1E66889E9760B80C9849385BC7F833996EB7823FCC36812413833CAB85C6B/analysis/; classtype:trojan-activity; sid:26118; rev:3; )
02922 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Bydra variant outbound connection"; flow:to_server,established; dsize:32<>256; content:"|FF 01 DD CC|",depth 4; content:"|7C|Windows|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/de/file/302bcc38f03b5c4f31432dae242c8c61ec1d243eeeec315053bc6c0fe6f74488/analysis/; classtype:trojan-activity; sid:26604; rev:3; )
02923 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Bydra variant outbound connection"; flow:to_server,established; dsize:32<>256; content:"|FF 01 DD CC|",depth 4; content:"|7C|Microsoft|20|"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/de/file/302bcc38f03b5c4f31432dae242c8c61ec1d243eeeec315053bc6c0fe6f74488/analysis/; classtype:trojan-activity; sid:26605; rev:3; )
02924 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Sosork variant outbound connection"; flow:to_server,established; content:"GET /3010"; content:!"Accept"; pcre:"/^GET \x2F3010[0-9A-F]{166}00000001/"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/de/file/24E26943C43BBC57362EC1415114730C94DB9E356E3F4E6081453E924121BB11/analysis/; classtype:trojan-activity; sid:26606; rev:3; service:http; )
02927 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC OSX.Trojan.Dockster variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF C2 1F 96 9B 5F 03 D3 3D 43 E0 4F 8F 13 6E 76 82|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/file/97C8A6FFD5DAAD5822B929760C61F2A9EAAFB1CBDC1D0F895DF0E3219416BAE8/analysis/; classtype:trojan-activity; sid:26609; rev:2; )
02936 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Neshax variant outbound connection"; flow:to_server,established; content:"HORSE_ASSERT!",depth 13; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/de/file/5E57ED1ED3D180B1956787C5839F07DA509D6C68D8EA40BC3ED71C63F5003607/analysis/; classtype:trojan-activity; sid:26684; rev:2; )
02996 alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 ( msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1",depth 25; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1; service:http; )
03022 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"|11 00 00 00 BD B4 E8 BE B6 75 9C A0 80 44 8B EB 82 8B A3 93|",depth 20; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:27000; rev:1; service:http; )
03203 alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-LINUX Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt"; ip_proto:132; content:"|C0 00|",depth 2,offset 12; byte_test:2,>,500,0,relative,big; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,33113; reference:cve,2009-0065; classtype:attempted-admin; sid:15490; rev:4; )
03259 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"OS-MOBILE Android Androrat device information leakage"; flow:to_server, established; content:"sr|00 13|java.util.Hashtable"; content:"PhoneNumber"; content:"SimOperator"; content:"IMEI"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27116; rev:1; )
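# sid 27117: the serialized-class marker was "java.util.Arraylist"; the name written into a Java
# serialization stream is the exact class name java.util.ArrayList (TC_OBJECT/TC_CLASSDESC
# "sr", then the 2-byte UTF length |00 13| = 19, then the name), and content matches are
# case-sensitive without nocase, so the rule could not match. Corrected to the real class name
# (same length, so |00 13| is unchanged), flow option normalized to the file's comma-no-space
# form, rev bumped.
03260 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"OS-MOBILE Android Androrat sms message leakage"; flow:to_server,established; content:"sr|00 13|java.util.ArrayList"; content:"sr|00 10|Packet.SMSPacket"; content:"person"; content:"thread_id"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27117; rev:2; )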
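# sid 27118: same defect as the sibling Androrat rule — "java.util.Arraylist" can never appear in
# a Java serialization stream, which carries the exact class name java.util.ArrayList after the
# "sr" + |00 13| (length 19) class-descriptor header, and content is case-sensitive here.
# Corrected class name (length unchanged), flow option normalized, rev bumped.
03261 alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"OS-MOBILE Android Androrat contact list leakage"; flow:to_server,established; content:"sr|00 13|java.util.ArrayList"; content:"sr|00 0D|utils.Contact"; content:"times_contacted"; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27118; rev:2; )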
# PROTOCOL-RPC: ONC RPC calls over TCP. Counting the 4-byte record mark,
# offset 8 holds the message type (|00 00 00 00| = CALL) and offset 16 the
# program number; the 4-byte values matched at offset 16 decode to the
# programs named in each msg (0x00018788 = 100232 sadmind, |00 00 08|@ =
# 0x000840 = 2112, 0x0005F3E1 = 390113, |00 01 87|} = 0x0001877D = 100221
# kcms_server, 0x00018799 = 100249 snmpXdmid). The "within 4,distance 4"
# content right after it skips the version field and pins the procedure.
# Each byte_jump reads a 4-byte length and skips that many aligned bytes,
# i.e. steps over one XDR variable-length field, so the closing byte_test /
# content lands on the argument the referenced advisory describes
# (sadmind: a non-zero field followed by |00 00 00 11| and a non-null
# 8-byte run; rename_principal: a length > 8192; 390113: a length > 234
# after "sn_sub_rqst"; kcms_server: "/../" inside the path; snmpXdmid: a
# length > 1024). The sadmind rule (sid 16706) uses the big-endian reads the
# others leave implicit.
03374 alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] ( msg:"PROTOCOL-RPC Oracle Solaris sadmind TCP array size buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 01 87 88|",within 4,distance 4,fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|",distance 0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|",within 4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|",within 8; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16706; rev:3; )
03381 alert tcp $EXTERNAL_NET any -> $HOME_NET [749,1024:] ( msg:"PROTOCOL-RPC portmap 2112 tcp rename_principal attempt"; flow:to_server,established; content:"|00 00 08|@",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12187; rev:5; )
03383 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt"; flow:to_server,established; content:"|00 05 F3 E1|",depth 4,offset 16; content:"|00 00 00 05|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13256; rev:5; )
03385 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC portmap 390113 tcp procedure 4 attempt"; flow:to_server,established; content:"|00 05 F3 E1|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst",within 11,distance 12; byte_test:4,>,234,5,relative; metadata:policy balanced-ips drop,policy security-ips drop,service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13252; rev:5; )
03390 alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 ( msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}",depth 4,offset 16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../",distance 0; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community,service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:15; )
03391 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|",depth 4,offset 16; content:"|00 00 01 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy balanced-ips drop,policy security-ips drop,ruleset community,service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:20; )
03415 alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PUA-ADWARE Snoopware xpress remote outbound connection - init connection"; flow:to_client,established; content:"|01 00 01 00 03 00 01 00 14 00 01 01 01 00 DD DD DD DD 00 00 00 00|",depth 22; metadata:policy balanced-ips drop,policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=XpressRemote&threatid=29388; classtype:successful-recon-limited; sid:13764; rev:4; )
# SERVER-ORACLE: SQL text sent to $SQL_SERVERS. The pcre R modifier makes the
# pattern start where the preceding content match ended, so each regex is
# evaluated right after the package/procedure name instead of anywhere in
# the stream.
# sid 17659: a quoted argument of exactly 64 chars with no closing quote
# ([^\x27]{64}) in either the first or second position, i.e. an oversized
# argument to generateschema.
# sid 16189: two comma-separated arguments terminated by ";" (\x3b).
# sid 17590: a double quote (\x22) inside the simple_sql_name(...) argument
# before the closing paren.
# sid 17584: the named group (?P<q1>...) with back-reference (?P=q1) forces
# the first argument's opening and closing quote to be the same character;
# the second argument must start with |5C 5C 2E 5C| = "\\.\" (a device path).
# sids 17473-17480 (DBMS_CDC_*SUBSCRIBE): the literal (|27 27 27 7C 7C|
# decodes to "('''||" - an argument opening with an escaped quote and the
# string-concatenation operator.
# NOTE(review): unlike sid 17619 and sid 17270 (below), sids 17473-17480 put
# no nocase on the procedure name, while PL/SQL identifiers are
# case-insensitive; a lower-case invocation would not be matched - consider
# adding nocase and bumping rev.
03550 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE xdb.dbms_xmlschema buffer overflow attempt"; flow:to_server,established; content:"xdb.dbms_xmlschema.generateschema",nocase; pcre:"/\s*\x28(\x27[^\x27]{64}|\x27[^\x27]*\x27\s*,\s*\x27[^\x27]{64})/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,16287; reference:cve,2006-0272; classtype:string-detect; sid:17659; rev:4; )
03551 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Database REPCAT_RPC.VALIDATE_REMOTE_RC SQL injection attempt"; flow:to_server,established; content:"DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC",nocase; pcre:"/^\s*\x28[^\x2c]+\x2c[^\x2c]+?\x3b/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,35685; reference:cve,2009-1021; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html; classtype:attempted-admin; sid:16189; rev:4; )
03554 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE database server crafted view privelege escalation attempt"; flow:to_server, established; content:"CREATE VIEW",nocase; content:"FROM",distance 0,nocase; content:"sys.testtable t1, sys.testtable t2",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,17246; reference:cve,2006-1705; classtype:attempted-admin; sid:17619; rev:2; )
03555 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_ASSERT.simple_sql_name double quote SQL injection attempt"; flow:to_server,established; content:"DBMS_ASSERT.simple_sql_name|28|"; pcre:"/DBMS_ASSERT\x2Esimple_sql_name\x28[^\x29\x22]*?\x22/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,19203; classtype:misc-attack; sid:17590; rev:4; )
03556 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE UTL_FILE directory traversal attempt"; flow:to_server,established; content:"UTL_FILE.FOPEN",nocase; content:"|5C 5C 2E 5C|",distance 0,fast_pattern; pcre:"/UTL_FILE\.FOPEN\s*\x28(?P<q1>\x22|\x27).*?(?P=q1)[\s\x40]*\x2C[\s\x40]*[\x22\x27]\x5C\x5C\x2E\x5C/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,12749; reference:cve,2005-0701; classtype:misc-attack; sid:17584; rev:3; )
03557 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_ISUBSCRIBE.CREATE_SUBSCRIPTION(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17480; rev:4; )
03558 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_ISUBSCRIBE.SUBSCRIBE arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_ISUBSCRIBE.SUBSCRIBE(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17479; rev:4; )
03559 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_SUBSCRIBE.SUBSCRIBE arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_SUBSCRIBE.SUBSCRIBE(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17478; rev:4; )
03560 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_SUBSCRIBE.DROP_SUBSCRIPTION arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_SUBSCRIBE.DROP_SUBSCRIPTION(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17477; rev:4; )
03561 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_SUBSCRIBE.PURGE_WINDOW arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_SUBSCRIBE.PURGE_WINDOW(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17476; rev:4; )
03562 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17475; rev:4; )
03563 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_SUBSCRIBE.CREATE_SUBSCRIPTION arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_SUBSCRIBE.CREATE_SUBSCRIPTION(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17474; rev:4; )
03564 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_CDC_SUBSCRIBE.EXTEND_WINDOW arbitrary command execution attempt"; flow:to_server,established; content:"DBMS_CDC_SUBSCRIBE.EXTEND_WINDOW(|27 27 27 7C 7C|"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13236; reference:cve,2005-1197; classtype:misc-attack; sid:17473; rev:4; )
# flowbits pair: sid 17418 sets oracle.connect (noalert) and sid 17419 only
# fires when that bit is set on the same session. The 17419 pcre then
# requires a CREATE VIEW ... AS SELECT whose FROM joins two sys.* tables
# under aliases captured as \1 and \2 and compared in the WHERE clause.
# NOTE(review): "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=" is the string the
# client sends, yet 17418's header is $HOME_NET $ORACLE_PORTS -> $EXTERNAL_NET
# with flow:to_server, which makes HOME_NET:ORACLE_PORTS the client, while
# 17419 expects the client at $EXTERNAL_NET. A session has one client, so as
# written 17419 appears unable to ever see the bit set - confirm, and if so
# the 17418 header probably should read $EXTERNAL_NET any -> $HOME_NET
# $ORACLE_PORTS.
03565 alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle database SQL compiler read-only join auth bypass attempt"; flow:to_server, established; flowbits:isset, oracle.connect; content:"create view",fast_pattern,nocase; content:"as select",distance 0,nocase; content:"from sys.",distance 0,nocase; pcre:"/create view\s*[^\s]*\s*as select\s+([^\x2e]+)\x2e.*\1\x2E.*from sys\x2E[^\s]*\s*\1\x2C\s*sys\x2E[^\s]*\s*([^\s]+)\s*where\s*\1\x2e[^\s\x3D]+\s*\x3D\s*\2\x2E/smi"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-3855; classtype:attempted-user; sid:17419; rev:2; )
03566 alert tcp $HOME_NET $ORACLE_PORTS -> $EXTERNAL_NET any ( msg:"SERVER-ORACLE Oracle connection established"; flow:to_server, established; content:"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME="; flowbits:set,oracle.connect; flowbits:noalert; classtype:attempted-user; sid:17418; rev:4; )
# SERVER-ORACLE, continued.
# sid 17417: TO_BLOB(HEXTORAW followed by a quoted hex string containing a
# run of 4-6 "0" characters.
# sid 17416: after "ORDSYS.ORD" the two relative pcres require Image|Doc and
# then (Set|Check)\x10Properties. NOTE(review): \x10 is a DLE control byte
# between the verb and "Properties"; that looks like a typo for the method
# names setProperties/checkProperties and, as written, the rule only fires
# when an 0x10 byte is present - confirm against the intended payload.
# sid 17313 is a copy of sid 17619 (above) whose last content reads
# "sys.te6sttable" instead of "sys.testtable". NOTE(review): confirm the
# "te6" is intentional (e.g. mirrors a specific published payload) and not a
# keystroke error.
# sid 17293 / 15725 / 15724 / 15723 / 15515: a quoted first argument followed
# by something other than "," or ")" - i.e. injected text after the string.
# sid 17270: the same "('''||" marker as the DBMS_CDC rules, here with nocase.
# sid 17264: "@DECLARE PERMS" granting java.io.filepermission with "execute"
# within the following 27 bytes.
# sid 16309: byte_test reads the little-endian 4-byte length that follows
# "AUTH_SESSKEY" and alerts when it exceeds 0x60 (96).
# sids 16723 / 16722: an escaped quote (\x27\x27) inside the first argument of
# the DBMS_CDC_PUBLISH procedures.
# sid 16516: the third argument to odcitablestart must run 303 chars without
# a comma or quote.
# sid 16290: a double quote inside the (first or second) quoted argument.
# sid 11204: not relative (no R); the pcre repeats the full name and needs a
# comma or space inside the quoted first argument.
# sid 15722: the content "GRAN|FF|T EXECUTE ON VZJSQ TO PUBLIC" embeds an
# 0xFF byte inside GRANT plus a fixed object name, so it identifies one
# specific payload rather than the vulnerability class; pair it with the
# pcre-based Workspace Manager rules above for coverage.
03567 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Database Intermedia Denial of Service Attempt"; flow:to_server,established; content:"TO_BLOB(HEXTORAW",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*0{4,6}\s*\x27\s*\x29\s/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13239; classtype:denial-of-service; sid:17417; rev:4; )
03568 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Database Intermedia Denial of Service Attempt"; flow:to_server,established; content:"ORDSYS.ORD",nocase; pcre:"/(Image|Doc)/iR"; pcre:"/(Set|Check)\x10Properties/iR"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,13239; classtype:denial-of-service; sid:17416; rev:3; )
03570 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE database server crafted view privelege escalation attempt"; flow:to_server, established; content:"CREATE VIEW",nocase; content:"FROM",distance 0,nocase; content:"sys.te6sttable t1, sys.testtable t2",distance 0,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,17246; reference:cve,2006-1705; classtype:attempted-admin; sid:17313; rev:2; )
03571 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sdo_lrs.convert_to_lrs_layer buffer overflow attempt"; flow:to_server,established; content:"sdo_lrs.convert_to_lrs_layer",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,20588; reference:cve,2006-5340; classtype:attempted-user; sid:17293; rev:3; )
03572 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE DBMS_METADATA Package SQL Injection attempt"; flow:to_server,established; content:"SYS.DBMS_METADATA.GET_DDL|28 27 27 27 7C 7C|",nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2005-1197; classtype:attempted-user; sid:17270; rev:2; )
03573 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Permission declaration exploit attempt"; flow:to_server,established; content:"@DECLARE PERMS",nocase; content:"java.io.filepermission",distance 0,nocase; content:"execute",within 27,nocase; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,38115; reference:cve,2010-0866; classtype:attempted-admin; sid:17264; rev:2; )
03574 alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS ( msg:"SERVER-ORACLE auth_sesskey buffer overflow attempt"; flow:to_server,established; content:"|00 00 06 00 00 00|",depth 6,offset 2; content:"|0C 00 00 00 0C|AUTH_SESSKEY",distance 0,nocase; byte_test:4,>,0x60,0,relative,little; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,36747; reference:cve,2009-1979; classtype:attempted-admin; sid:16309; rev:8; )
03577 alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database Server DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE procedure SQL injection attempt"; flow:to_server,established; content:"DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE",nocase; pcre:"/^\s*\x28[^\x29\x2C]*?\x27\x27/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,39422; reference:cve,2010-0870; classtype:attempted-user; sid:16723; rev:2; )
03578 alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database Server DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE procedure SQL injection attempt"; flow:to_server,established; content:"DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE",nocase; pcre:"/^\s*\x28\s*[^\x29\x2C]*?\x27\x27/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,39422; reference:cve,2010-0870; classtype:attempted-user; sid:16722; rev:2; )
03580 alert tcp $EXTERNAL_NET any -> $HOME_NET 1000: ( msg:"SERVER-ORACLE Database sys.olapimpl_t package odcitablestart overflow attempt"; flow:to_server,established; content:"sys.olapimpl_t.odcitablestart|28|",nocase; pcre:"/sys\x2eolapimpl\x5ft\x2eodcitablestart\x28[^\x2c]+\x2c[^\x2c]+\x2c\s*\x27?[^\x2c\x27]{303}/i"; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2008-3974; classtype:attempted-user; sid:16516; rev:3; )
03582 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server CREATE_TABLES SQL injection attempt"; flow:to_server,established; content:"ctxsys.drvxtabc.create_tables",nocase; pcre:"/^\s*\x28\s*(\x27[^\x27\x22]*\x27\s*\x2c\s*)?\x27[^\x27\x22]*\x22/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,36748; reference:cve,2009-1991; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html; classtype:attempted-admin; sid:16290; rev:2; )
03587 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server RemoveWorkspace SQL injection attempt"; flow:to_server,established; content:".RemoveWorkspace",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15725; rev:2; )
03588 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server MergeWorkspace SQL injection attempt"; flow:to_server,established; content:".MergeWorkspace",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15724; rev:2; )
03589 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server CompressWorkspaceTree SQL injection attempt"; flow:to_server,established; content:".CompressWorkspaceTree",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*?\x27\s*[^\x2c\x29]/R"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15723; rev:3; )
03590 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL injection attempt"; flow:to_server,established; content:"SYS.DBMS_AQADM_SYS.GRANT_TYPE_ACCESS",nocase; pcre:"/SYS\x2eDBMS\x5fAQADM\x5fSYS\x2eGRANT\x5fTYPE\x5fACCESS\s*\x28\s*\x27[^\x2c\x20\x27]*[\x2c\x20]/is"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0977; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; reference:url,www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html; classtype:attempted-admin; sid:11204; rev:3; )
03591 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle Database Server RollbackWorkspace SQL injection attempt"; flow:to_server,established; content:".RollbackWorkspace",nocase; pcre:"/^\s*\x28\s*\x27[^\x27]*\x27\s*[^\s\x2c\x29]/iR"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,34461; reference:cve,2009-0978; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html; classtype:attempted-admin; sid:15515; rev:3; )
03599 alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [1024:] ( msg:"SERVER-ORACLE Oracle database server Workspace Manager multiple SQL injection attempt"; flow:to_server,established; content:"GRAN|FF|T EXECUTE ON VZJSQ TO PUBLIC"; metadata:policy balanced-ips drop,policy security-ips drop; reference:bugtraq,31683; reference:cve,2008-3982; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html; classtype:attempted-admin; sid:15722; rev:2; )
# SERVER-OTHER.
# sids 18587 / 17530: HP Data Protector on ports 1024:. |FF FE| is the UTF-16LE
# byte-order mark and |32 00 36 00 37 00| is "267" in UTF-16LE; the two rules
# then differ in which argument block they pin after it.
# sid 14615: Java web console - after the literal "t|00|" there must be at
# least 100 more bytes (isdataat:100,relative) and a "%" within the next 50,
# i.e. a format specifier inside the UserDesc field.
# sid 27121: sets flowbit hp_openview_sdp (noalert) on the UTF-16LE banner
# "HP OpenView OmniBack". No rule in this excerpt tests that bit, so its
# consumers presumably live elsewhere in the file - verify before removing.
03610 alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"SERVER-OTHER HP OpenView Storage Data Protector Stack Buffer Overflow"; flow:to_server, established; content:"|FF FE 32 00 36 00 37 00 00 00|"; content:"|01 00 31 00 00 00 01 00 32 00 00 00 01 00 33 00|",within 16; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-2280; reference:cve,2007-2881; classtype:attempted-admin; sid:18587; rev:2; )
03611 alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"SERVER-OTHER HP OpenView Storage Data Protector Stack Buffer Overflow"; flow:to_server, established; content:"|FF FE 32 00 36 00 37 00 00 00|",depth 72; content:"|20 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 00 00 20 00|",distance 0; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-2280; reference:cve,2007-2881; classtype:attempted-admin; sid:17530; rev:3; )
03683 alert tcp $EXTERNAL_NET any -> $HOME_NET [898,1024:] ( msg:"SERVER-OTHER Oracle Java web console format string attempt"; flow:to_server,established; content:"com.sun.management.viperimpl.services.authentication.AuthenticationPrincipal"; content:"UserDesc",nocase; content:"t|00|",distance 0; isdataat:100,relative; content:"%",within 50; metadata:policy balanced-ips drop,policy security-ips drop; reference:cve,2007-1681; classtype:attempted-user; sid:14615; rev:5; )
03751 alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] ( msg:"SERVER-OTHER HP OpenView Storage Data Protector - initiate connection"; flow:to_server,established; content:"H|00|P|00| |00|O|00|p|00|e|00|n|00|V|00|i|00|e|00|w|00| |00|O|00|m|00|n|00|i|00|B|00|a|00|c|00|k"; flowbits:set,hp_openview_sdp; flowbits:noalert; classtype:protocol-command-decode; sid:27121; rev:1; )