alert tcp any any -> any any (msg:"ET P2P Phatbot Control Connection"; flow: established; content:"Wonk-"; content:"|00|#waste|00|"; within: 15; reference:url,www.lurhq.com/phatbot.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000015; classtype:trojan-activity; sid:2000015; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Gator Agent Traffic"; flow: to_server,established; content:" Gator"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Gator/iH"; reference:url,doc.emergingthreats.net/2000026; classtype:policy-violation; sid:2000026; rev:36;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:5;) alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12;) alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k request part"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 47|"; distance: 2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000332; classtype:policy-violation; sid:2000332; rev:11;) alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k file request answer"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 59|"; distance: 
2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000333; classtype:policy-violation; sid:2000333; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16;) alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Private message on non-standard port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; depth:8; content:!".twitch.tv"; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; classtype:trojan-activity; sid:2000347; rev:16;) alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15;) alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; depth:8; content:" |3a|.DCC SEND"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; classtype:non-standard-protocol; sid:2000349; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET TROJAN IRC DCC chat request on non-standard port"; flow:to_server,established; 
content:"PRIVMSG "; nocase; depth:8; content:" |3a|.DCC CHAT chat"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; classtype:policy-violation; sid:2000350; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET TROJAN IRC Channel join on non-standard port"; flow:to_server,established; content:"JOIN |3a| #"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; classtype:policy-violation; sid:2000351; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET TROJAN IRC DNS request on non-standard port"; flow:to_server,established; content:"USERHOST "; nocase; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; classtype:policy-violation; sid:2000352; rev:10;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; reference:url,doc.emergingthreats.net/2000355; classtype:misc-activity; sid:2000355; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; depth:8; threshold: type limit, count 1, seconds 120, track by_src; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; classtype:policy-violation; sid:2000357; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"ET P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000369; classtype:policy-violation; sid:2000369; rev:6;) alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; flowbits:set,ET.ELFDownload; 
reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:16;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; classtype:attempted-user; sid:2000488; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; classtype:string-detect; sid:2000499; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; classtype:string-detect; sid:2000500; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; classtype:string-detect; sid:2000501; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; classtype:string-detect; sid:2000502; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; classtype:string-detect; sid:2000503; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET 
ATTACK_RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; classtype:string-detect; sid:2000504; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; classtype:string-detect; sid:2000505; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; classtype:string-detect; sid:2000506; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; classtype:string-detect; sid:2000507; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; classtype:string-detect; sid:2000508; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:misc-attack; sid:2000519; rev:9;) alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000563; classtype:misc-attack; sid:2000563; rev:12;) alert tcp any any -> $HOME_NET 
445 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000564; classtype:misc-attack; sid:2000564; rev:10;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000565; classtype:suspicious-login; sid:2000565; rev:9;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000566; classtype:suspicious-login; sid:2000566; rev:9;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000567; classtype:misc-attack; sid:2000567; rev:9;) alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2000568; classtype:misc-attack; sid:2000568; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Message Send"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/compose_frame.adp"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000571; classtype:policy-violation; sid:2000571; rev:8;) alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg:"ET SCAN ICMP PING IPTools"; itype: 8; icode: 0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|"; fast_pattern:only; reference:url,www.ks-soft.net/ip-tools.eng; reference:url,www.ks-soft.net/ip-tools.eng/index.htm; reference:url,doc.emergingthreats.net/2000575; classtype:misc-activity; sid:2000575; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula Related User-Agent (mez)"; flow: to_server,established; content:"User-Agent|3a| mez|0d 0a|"; nocase; http_header; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:trojan-activity; sid:2000586; rev:30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Claria Data Submission"; flow: to_server,established; content:"POST"; nocase; http_method; content:"gs_trickler"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; classtype:policy-violation; sid:2000596; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:trojan-activity; sid:2000928; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Reporting Data"; flow: to_server,established; content:"/logs.asp?MSGID=100"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; classtype:trojan-activity; sid:2001031; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Ping Hit"; 
flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:trojan-activity; sid:2001032; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Install"; flow: to_server,established; content:"/morpheus/morpheus.exe"; nocase; http_uri; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001035; classtype:policy-violation; sid:2001035; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Install ini Download"; flow: to_server,established; content:"/morpheus/morpheus_sm.ini"; nocase; http_uri; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001036; classtype:policy-violation; sid:2001036; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Morpheus Update Request"; flow: to_server,established; content:"/gwebcache/gcache.asg?hostfile="; nocase; http_uri; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001037; classtype:policy-violation; sid:2001037; rev:8;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001052; classtype:misc-activity; sid:2001052; rev:9;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001053; classtype:misc-activity; sid:2001053; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; content:"User-Agent|3a| Ares"; 
http_header; reference:url,www.aresgalaxy.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; classtype:policy-violation; sid:2001059; rev:9;) alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"ET P2P Soulseek Filesearch Results"; flow: from_server,established; content:"|09 00 00 00 78|"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001187; classtype:policy-violation; sid:2001187; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; classtype:misc-activity; sid:2001195; rev:9;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke SQL injection attempt"; flow: to_server,established; uricontent:"/modules.php?"; uricontent:"name=Search"; uricontent:"instory="; reference:url,www.waraxe.us/index.php?modname=sa&id=35; reference:url,doc.emergingthreats.net/2001197; classtype:web-application-attack; sid:2001197; rev:10;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt"; flow: to_server,established; uricontent:"/modules.php?"; content:"name="; content:"UNION"; nocase; content:"SELECT"; nocase; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,www.waraxe.us/?modname=sa&id=036; reference:url,doc.emergingthreats.net/2001202; classtype:web-application-attack; sid:2001202; rev:9;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:trojan-activity; sid:2001216; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Access"; flow: to_server,established; content:"/softsell/visitor.cgi?"; nocase; http_uri; content:"affiliate="; nocase; http_uri; reference:url,www.regnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; classtype:trojan-activity; sid:2001223; rev:8;) alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001239; classtype:not-suspicious; sid:2001239; rev:9;) alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001240; classtype:not-suspicious; sid:2001240; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001254; classtype:policy-violation; sid:2001254; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; 
reference:url,doc.emergingthreats.net/2001256; classtype:policy-violation; sid:2001256; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001257; classtype:policy-violation; sid:2001257; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001258; classtype:policy-violation; sid:2001258; rev:7;) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001262; classtype:policy-violation; sid:2001262; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference request"; flow: to_server,established; content:" $HOME_NET any (msg:"ET POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; reference:url,doc.emergingthreats.net/2001294; classtype:successful-admin; sid:2001294; rev:5;) alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey Server Status Request"; content:"|e3 96|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001298; classtype:policy-violation; sid:2001298; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Agent"; flow: 
to_server,established; content:"/gbsf/"; nocase; http_uri; content:"gtrg2ze"; nocase; http_uri; reference:url,malware.wikia.com/wiki/Claria_Corporation; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; classtype:policy-violation; sid:2001306; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:policy-violation; sid:2001315; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:trojan-activity; sid:2001317; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Spyware"; flow: to_server,established; content:"/sitereview.asmx/GetReview"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; classtype:trojan-activity; sid:2001325; rev:9;) alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"ET POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula Install .exe"; flow: to_server,established; content:"/install/eZinstall.exe"; nocase; http_uri; content:"User-Agent|3a| eZula"; http_header; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; classtype:trojan-activity; sid:2001334; 
rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Upload"; flow: to_server,established; content:"/bi/servlet/ThinstallPre"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; classtype:trojan-activity; sid:2001339; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; content:"/ist/softwares/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; classtype:trojan-activity; sid:2001395; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading Code"; flow: to_server,established; content:"/soft/unstall.exe"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; classtype:trojan-activity; sid:2001418; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/2001427; classtype:policy-violation; sid:2001427; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Download"; flow: to_server,established; content:"MediaTicketsInstaller.cab"; http_uri; content:"Host|3a| www.mt-download.com"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; classtype:trojan-activity; sid:2001448; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; content:"/report.php?user_id="; fast_pattern; http_uri; content:"&status="; 
http_uri; content:"&country_id="; http_uri; content:"User-Agent|3a| Windows Internet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:trojan-activity; sid:2001472; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (prog)"; flow: to_server,established; content:"/dkprogs/dktibs.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:trojan-activity; sid:2001474; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Receiving Commands"; flow: to_server,established; content:"/xpsystem/commands.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; classtype:trojan-activity; sid:2001475; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (systime)"; flow: to_server,established; content:"/dkprogs/systime.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:trojan-activity; sid:2001480; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Spyware Install"; flow: to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:trojan-activity; sid:2001481; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (mstask)"; flow: to_server,established; content:"/dkprogs/mstasks3.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:trojan-activity; sid:2001483; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Download"; flow: to_server,established; content:"/d4.fcgi?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; classtype:trojan-activity; sid:2001488; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS ISearchTech.com XXXPornToolbar Activity (IST)"; flow: to_server,established; content:" IST"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+IST/H"; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; classtype:trojan-activity; sid:2001493; rev:37;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; content:"/notify.php?pid=remupd&module=install&v="; nocase; http_uri; content:"&result=1&message=Success"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; classtype:trojan-activity; sid:2001494; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; content:"/campaigns"; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; classtype:trojan-activity; sid:2001496; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host|3a| campaigns.outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; classtype:trojan-activity; sid:2001497; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Activity User-Agent (IOKernel)"; flow: to_server,established; content:" IOKernel/"; http_header; pcre:"/User-Agent\:[^\n]+IOKernel/iH"; reference:url,doc.emergingthreats.net/2001498; 
classtype:trojan-activity; sid:2001498; rev:34;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer|3a| Look2Me"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; classtype:trojan-activity; sid:2001499; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:trojan-activity; sid:2001500; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:trojan-activity; sid:2001521; rev:11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:trojan-activity; sid:2001533; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; content:"/silent_install.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:trojan-activity; sid:2001534; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; content:"/protector.exe"; http_uri; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:trojan-activity; sid:2001535; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:trojan-activity; sid:2001540; rev:10;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001543; classtype:misc-activity; sid:2001543; rev:8;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001544; classtype:misc-activity; sid:2001544; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspected PUP/PUA User-Agent (OSSProxy)"; flow: to_server,established; content:"User-Agent|3a| OSSProxy"; http_header; threshold:type limit, count 2, seconds 300, track by_src; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/2001562; classtype:policy-violation; sid:2001562; rev:31;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP/PUA OSSProxy HTTP Header"; flow: to_server,established; content:"X-OSSProxy|3a| OSSProxy"; http_header; threshold: type limit, count 5, 
seconds 300, track by_src; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; classtype:policy-violation; sid:2001564; rev:11;)

# SYN-rate heuristic: counts SYN packets (flags: S,12 ignores the two reserved bits) from one $HOME_NET source to
# port 445 and alerts once per 60 s window when the count reaches 70 (type both, track by_src). The destination is
# "any", so internal-to-internal connections are counted too. There is no payload match, so a hit shows only
# connection volume. NOTE(review): known scanners and management hosts will probably need suppression.
alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:14;)

# Outbound HTTP request whose URI contains "/bi/servlet/ThinstallPost" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Install Report"; flow: to_server,established; content:"/bi/servlet/ThinstallPost"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; classtype:trojan-activity; sid:2001576; rev:7;)

# Same SYN-rate heuristic (70 SYNs per source in 60 s) for ports 139, 137 and 135.
alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:14;)

# NOTE(review): port 137 is mostly used over UDP; this tcp rule only sees TCP SYNs to that port.
alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:14;)

alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:14;)

# Same heuristic for port 1434 with a lower count of 40 (sid 2001582). NOTE(review): 1434 is mostly used over UDP.
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; 
rev:14;)

# SYN-rate heuristic: 40 SYN packets from one $HOME_NET source to port 1433 within 60 s, one alert per window
# (type both, track by_src). The destination is "any", so internal database traffic is counted as well.
alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:15;)

# Outbound HTTP request whose URI contains both "/ui/" and "/getlatestversion?ver=" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; content:"/ui/"; http_uri; nocase; content:"/getlatestversion?ver="; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:10;)

# Any UDP packet, in any direction and on any port, containing the ASCII bytes "UK00760S7G10". The match has no
# offset or depth.
alert udp any any -> any any (msg:"ET POLICY Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; reference:url,doc.emergingthreats.net/2001597; classtype:policy-violation; sid:2001597; rev:5;)

# POST from $HOME_NET to /notify/single or /notify/mass with a body starting "defacer=", sent to two fixed addresses.
# NOTE(review): the destination is pinned to hard-coded IPs, so the rule is blind if the service has moved;
# verify the addresses before relying on it.
alert tcp $HOME_NET any -> [72.20.18.2,72.20.18.3] $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"POST"; http_method; content:"/notify/"; http_uri; pcre:"/\/notify\/(single|mass)$/iU"; content:"defacer|3d|"; http_client_body; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:12;)

# Phase 1 of a three-rule chain. It never alerts itself (flowbits:noalert). It only sets the "winhlp32" flowbit
# when a response body has <OBJECT ... application/x-oleobject ... codebase= ... hhctrl.ocx in that order.
# Phases 2 and 3 test that flowbit, so disabling this rule silences them as well.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; distance:0; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; distance:0; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:15;)

# Phase 2 (sid 2001623): requires the winhlp32 flowbit, then <PARAM ... value= ... command; followed by
# javascript|http|ftp|vbscript in the response body.
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 2"; flow:to_client,established; 
flowbits:isset,winhlp32; file_data; content:"|3C|PARAM"; nocase; distance:0; content:"value="; nocase; distance:0; content:"command|3B|"; nocase; distance:0; pcre:"/(javascript|http|ftp|vbscript)/iR"; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; classtype:web-application-attack; sid:2001623; rev:15;)

# Phase 3: requires the "winhlp32" flowbit (set by sid 2001622) and ".HHClick()" in the payload (nocase).
# Unlike phase 2, this rule has no file_data, so the match runs on the raw payload.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:13;)

# Outbound TCP on any port whose first 17 bytes are "GNUTELLA CONNECT/" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella Connect"; flow: established,to_server; content:"GNUTELLA CONNECT/"; nocase; depth:17; reference:url,www.gnutella.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001664; classtype:policy-violation; sid:2001668; rev:7;)

# Server-to-client RIFF/ACON data where the 4-byte little-endian value right after "anih" is greater than 36.
# These are plain content matches without file_data. NOTE(review): compressed or chunked HTTP bodies may go unseen.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; classtype:misc-attack; sid:2001668; rev:6;)

# Outbound POST with "http://prime.webhancer.com" and "AgentTag:" anywhere in the payload (nocase). Only the method
# uses an HTTP buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"http|3a|//prime.webhancer.com"; nocase; content:"AgentTag|3a|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; classtype:trojan-activity; sid:2001677; rev:15;)

# Outbound User-Agent that is exactly "istsvc" (CRLF-terminated, nocase) (sid 2001699).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE YourSiteBar User-Agent (istsvc)"; flow: to_server,established; content:"User-Agent|3a| istsvc|0d 0a|"; nocase; http_header; reference:url,www.ysbweb.com; 
reference:url,doc.emergingthreats.net/2001699; classtype:trojan-activity; sid:2001699; rev:259;)

# Outbound User-Agent starting "Bundle" (case-sensitive). It is a prefix match, so longer agent names beginning
# with "Bundle" also alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; content:"User-Agent|3a| Bundle"; http_header; reference:url,doc.emergingthreats.net/2001702; classtype:policy-violation; sid:2001702; rev:35;)

# "Apropos" on the User-Agent line. The content match has no nocase and must also hit, so the /i on the pcre does
# not widen the rule beyond the exact-case string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware User-Agent (Apropos)"; flow: established,to_server; content:"Apropos"; http_header; pcre:"/User-Agent\:[^\n]+Apropos/Hi"; reference:url,doc.emergingthreats.net/2001703; classtype:trojan-activity; sid:2001703; rev:38;)

# Outbound HTTP request whose URI contains "/AproposClientInstaller.exe" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware Install"; flow: established,to_server; content:"/AproposClientInstaller.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; classtype:trojan-activity; sid:2001704; rev:7;)

# "Envolo" on the User-Agent line; same structure as the Apropos rule (case-sensitive content plus /i pcre).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; content:"Envolo"; http_header; pcre:"/User-Agent\:[^\n]+Envolo/Hi"; reference:url,doc.emergingthreats.net/2001706; classtype:trojan-activity; sid:2001706; rev:38;)

# "SAH Agent" anywhere in the request headers. There is no pcre, so the match is not tied to the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (SAH)"; flow: established,to_server; content:"SAH Agent"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2001707; classtype:policy-violation; sid:2001707; rev:35;)

# Outbound HTTP request whose URI contains "/Bundling/SskUpdater" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity"; flow: established,to_server; content:"/Bundling/SskUpdater"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:trojan-activity; sid:2001731; rev:7;)

# Outbound request with " UCmore" on the User-Agent line (sid 2001736).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware User-Agent (UCmore) "; flow: to_server,established; content:" UCmore"; http_header; pcre:"/User-Agent\:[^\n]+UCmore/iH"; reference:url,doc.emergingthreats.net/2001736; classtype:trojan-activity; sid:2001736; rev:271;)

# Inbound established flow on any port containing a fixed byte sequence (rawbytes). On a hit, "tag: session, 20,
# packets" records the following 20 packets of the session, which gives responders payload to examine.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: session, 20, packets; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2001743; classtype:trojan-activity; sid:2001743; rev:8;)

# Outbound request with "HelperH" on the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Enhance My Search Spyware User-Agent (HelperH)"; flow: established,to_server; content:"HelperH"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HelperH/iH"; reference:url,doc.emergingthreats.net/2001746; classtype:trojan-activity; sid:2001746; rev:38;)

# SMB to $HOME_NET on 139 and 445 containing the bytes "PWDump4.dll", NUL, "GetHash". The source is "any", so
# lateral movement between internal hosts is covered. NOTE(review): content matches cannot see inside encrypted
# SMB sessions, so pair these with host-based credential-dumping detection.
alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001753; classtype:suspicious-login; sid:2001753; rev:5;)

alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2001754; classtype:suspicious-login; sid:2001754; rev:5;)

# Outbound HTTP request whose URI contains "/abx_search_webinstall/abx_search.cab" (nocase) (sid 2001761).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; content:"/abx_search_webinstall/abx_search.cab"; nocase; http_uri; reference:url,isc.sans.org/diary.php?date=2005-03-04; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001761; classtype:trojan-activity; sid:2001761; rev:6;)

# Response from an internal web server (source $HOME_NET $HTTP_PORTS) whose body contains the SQL Server OLE DB
# provider error text. A hit means database error detail is reaching external clients; correlate it with inbound
# SQL-injection alerts against the same server.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; file_data; content:"Microsoft OLE DB Provider for SQL Server error"; distance:0; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12;)

# Outbound HTTP request whose URI contains "/MediaPassK.exe" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media Pass ActiveX Install"; flow: to_server,established; content:"/MediaPassK.exe"; nocase; http_uri; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; classtype:policy-violation; sid:2001783; rev:6;)

# Outbound UDP between high ports containing "KaZaA" (nocase). Alerts on every 10th match per source within 60 s
# (type threshold).
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Kazaa over UDP"; content:"KaZaA"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001796; classtype:policy-violation; sid:2001796; rev:5;)

# ICQ on port 5190: payload starts with bytes 2A 02 and has the six listed bytes within bytes 4-9 (offset 4,
# depth 6). The three status rules differ only in those six bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001801; classtype:policy-violation; sid:2001801; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001802; classtype:policy-violation; sid:2001802; rev:6;)

# Third status variant (sid 2001803).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; 
reference:url,doc.emergingthreats.net/2001803; classtype:policy-violation; sid:2001803; rev:6;)

# Outbound to port 5190: payload starts with 2A 01 and has 00 01 00 01 at offset 8.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; reference:url,doc.emergingthreats.net/2001804; classtype:policy-violation; sid:2001804; rev:5;)

# Bidirectional (<>) on any port: payload starts with 2A 02 and has 00 04 00 06 00 00 at offset 6. The rule is not
# tied to port 5190, so unrelated traffic with the same leading bytes can match.
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805; classtype:policy-violation; sid:2001805; rev:5;)

# Outbound on any port: User-Agent starting "LimeWire" (nocase). flow is "established" with no direction keyword.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent|3a| LimeWire"; nocase; http_header; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001808; classtype:policy-violation; sid:2001808; rev:8;)

# Outbound UDP between high ports: payload of exactly 35 bytes with the ten listed bytes at offset 25. At most one
# alert per source per 360 s.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001809; classtype:policy-violation; sid:2001809; rev:8;)

# Response body containing "100,111,99,117,109,101,110,116,46,119,114,105,116,101", the decimal character codes
# of "document.write". The msg itself says "usually", so a hit is a reason to examine the page, not a verdict.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; file_data; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; fast_pattern:only; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9;)

# Outbound User-Agent starting "404search" (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 404Search Spyware User-Agent (404search)"; flow:established,to_server; content:"User-Agent|3a| 404search"; http_header; reference:url,doc.emergingthreats.net/2001852; classtype:trojan-activity; sid:2001852; rev:27;)

# Outbound User-Agent starting "ESB" (case-sensitive, three-character prefix) (sid 2001853).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
MALWARE Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; content:"User-Agent|3a| ESB"; http_header; reference:url,doc.emergingthreats.net/2001853; classtype:trojan-activity; sid:2001853; rev:24;)

# Outbound User-Agent starting "ezula" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZULA Spyware User Agent"; flow: established,to_server; content:"User-Agent|3a| ezula"; nocase; http_header; reference:url,doc.emergingthreats.net/2001854; classtype:trojan-activity; sid:2001854; rev:24;)

# "FunWebProducts" on the User-Agent line; at most one alert per source per 360 s. With that limit, one alert may
# stand for many requests from the host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts)"; flow: established,to_server; content:"FunWebProducts"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FunWebProducts/Hi"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001855; classtype:trojan-activity; sid:2001855; rev:32;)

# "; Hotbar" in the headers (case-sensitive content) and "Hotbar" on the User-Agent line; same 1-per-360 s limit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Spyware User-Agent (Hotbar)"; flow: established,to_server; content:"|3b| Hotbar"; http_header; pcre:"/User-Agent\:[^\n]+Hotbar/iH"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001858; classtype:trojan-activity; sid:2001858; rev:29;)

# "MyWay;" in the headers (case-sensitive content) and "MyWay" on the User-Agent line; same 1-per-360 s limit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (MyWay)"; flow:established,to_server; content:"MyWay|3b|"; http_header; pcre:"/User-Agent\x3a[^\n]+MyWay/iH"; threshold:type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001864; classtype:trojan-activity; sid:2001864; rev:13;)

# "MyWebSearch" on the User-Agent line; this rule has no threshold.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: established,to_server; content:"MyWebSearch"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+MyWebSearch/Hi"; reference:url,doc.emergingthreats.net/2001865; classtype:trojan-activity; sid:2001865; rev:29;)

# Outbound request with " searchengine" on the User-Agent line (sid 2001867).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; content:" searchengine"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+searchengine/iH"; reference:url,doc.emergingthreats.net/2001867; classtype:trojan-activity; sid:2001867; rev:28;)

# The pcre requires "sureseeker.com" on the User-Agent line; the shorter content "sureseeker" is only the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (sureseeker)"; flow: established,to_server; content:"sureseeker"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+sureseeker\.com/iH"; reference:url,doc.emergingthreats.net/2001868; classtype:trojan-activity; sid:2001868; rev:27;)

# Outbound User-Agent starting "Sidesearch" (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (Sidesearch)"; flow: established,to_server; content:"User-Agent|3a| Sidesearch"; http_header; reference:url,doc.emergingthreats.net/2001869; classtype:trojan-activity; sid:2001869; rev:26;)

# "SurferPlugin" on the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; content:"SurferPlugin"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SurferPlugin/iH"; reference:url,doc.emergingthreats.net/2001870; classtype:trojan-activity; sid:2001870; rev:24;)

# Outbound User-Agent starting "TSA/" (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; content:"User-Agent|3a| TSA/"; http_header; reference:url,doc.emergingthreats.net/2001871; classtype:trojan-activity; sid:2001871; rev:22;)

# "Visicom" on the User-Agent line; at most one alert per source per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Visicom Spyware User-Agent (Visicom)"; flow: established,to_server; content:"Visicom"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Visicom/iH"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001872; classtype:trojan-activity; sid:2001872; rev:31;)

# Outbound HTTP request whose URI contains "/ldr.exe" (nocase); matches on the file name alone (sid 2001890).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; content:"/ldr.exe"; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; classtype:trojan-activity; sid:2001890; rev:8;)

# Outbound User-Agent starting "agent" (case-sensitive), unless ".battle.net" appears in the headers. The negated
# content is an exclusion for that one client.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; flow: to_server,established; content:"User-Agent|3a| agent"; http_header; content:!".battle.net"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; classtype:trojan-activity; sid:2001891; rev:17;)

# Inbound to $SQL_SERVERS:3306: client packets naming the user "root". Alerts once per 60 s when a source reaches
# 5 matches. The rule only looks at the to_server direction, so it counts login attempts, not failures.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.0 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:5; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-323.html; reference:url,doc.emergingthreats.net/2001906; classtype:protocol-command-decode; sid:2001906; rev:6;)

# Inbound SYN-rate heuristic for port 3389: 20 SYN packets from one external source within 360 s, one alert per
# window. There is no payload match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:19;)

# Outbound HTTP: the URI contains "/requestimpression.aspx?ver=" and the payload contains "host=". The second
# content has no http_uri modifier, so it can match anywhere in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; content:"/requestimpression.aspx?ver="; nocase; http_uri; content:"host="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; classtype:trojan-activity; sid:2001992; rev:6;)

# Outbound HTTP request whose URI contains "/iis2ucms.asp" (nocase) (sid 2001995).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Reporting"; flow: to_server,established; content:"/iis2ucms.asp"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001995; classtype:trojan-activity; sid:2001995; rev:6;)

# Outbound User-Agent that is exactly "EI" (CRLF-terminated, case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware User-Agent (EI)"; flow: to_server,established; content:"User-Agent|3a| EI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2001996; classtype:trojan-activity; sid:2001996; rev:14;)

# User-Agent line containing "THNALL" followed later on the same line by ".EXE" (pcre, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; content:"THNALL"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/iH"; reference:url,doc.emergingthreats.net/2002002; classtype:trojan-activity; sid:2002002; rev:34;)

# " Poller" on the User-Agent line. The " Poller" content is case-sensitive and is the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Better Internet Spyware User-Agent (poller)"; flow: to_server,established; content:"User-Agent|3a|"; http_header; content:" Poller"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+Poller/iH"; reference:url,doc.emergingthreats.net/2002005; classtype:trojan-activity; sid:2002005; rev:37;)

# Outbound HTTP request whose URI contains both "/install.qg?" and "ID=" (nocase, no ordering between them).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:trojan-activity; sid:2002019; rev:11;)

# Outbound User-Agent starting "IEP" (nocase). It is a three-character prefix, so any agent name beginning with
# "iep" matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Grandstreet Interactive Spyware User-Agent (IEP)"; flow: to_server,established; content:"User-Agent|3a| IEP"; nocase; http_header; reference:url,doc.emergingthreats.net/2002021; classtype:trojan-activity; sid:2002021; rev:26;)

# IRC protocol marker (sid 2002023): a "USER " command to ports 6666:7000 sets the is_proto_irc flowbit. The rule
# has no flowbits:noalert, so it alerts as well as setting the bit.
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; depth:5; content:"|203a|"; within:40; content:"|0a|"; within:40; 
flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:15;)

# IRC protocol markers. Each is limited to ports 6666:7000, alerts as ET CHAT, and sets the is_proto_irc flowbit.
# Rules that test flowbits:isset,is_proto_irc depend on one of these matching first on the same flow, so they
# cannot fire for IRC carried on other ports. Disabling these markers to cut noise disables the dependents too.
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC NICK command"; flow:to_server,established; content:"NICK|20|"; nocase; depth:5; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002024; classtype:misc-activity; sid:2002024; rev:18;)

# "JOIN #" within the first 50 bytes, followed by a newline within 40 bytes.
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC JOIN command"; flow:to_server,established; content:"JOIN|2023|"; nocase; depth:50; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002025; classtype:misc-activity; sid:2002025; rev:18;)

# "PRIVMSG " in the first 8 bytes (case-sensitive).
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PRIVMSG command"; flow:established,to_server; content:"PRIVMSG|20|"; depth:8; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002026; classtype:misc-activity; sid:2002026; rev:20;)

# Server-side marker: "PING " from source ports 6666:7000. It is the only marker here keyed on the server's port.
alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:15;)

# Client "PONG " reply to ports 6666:7000.
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:18;)

# Server-to-client message with " 332 " (channel topic reply) and a "#" channel, where the pcre finds scan/exploit
# bot verbs (sid 2002029). Requires is_proto_irc. The pcre is unanchored, so it can match anywhere in the payload.
# The rule is split inside its pcre by the line break that follows; it must be re-joined on one line to load.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow:to_client,established; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within:40; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) 
(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002029; classtype:trojan-activity; sid:2002029; rev:11;)

# Server-to-client PRIVMSG whose text matches the scan/exploit bot verbs in the pcre. Requires the is_proto_irc
# flowbit, so it only applies to flows already marked as IRC. The pcre is unanchored, so a chat line that merely
# quotes one of these commands also matches; a hit on an internal host is a reason to inspect that host's IRC
# session, not proof of compromise on its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Potential bot scan/exploit command"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002030; classtype:trojan-activity; sid:2002030; rev:16;)

# Server-to-client flood commands on IRC-marked flows (sid 2002032). The content "floodnet " must match as well as
# the pcre, so the (tcp|syn|udp|ack|ping|icmp)(flood)? alternative only alerts when "floodnet " is also in the
# payload. NOTE(review): confirm that narrowing is intended.
# The rule is split inside its pcre by the line break that follows; it must be re-joined on one line to load.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Potential DDoS command 1"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"floodnet "; pcre:"/floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? 
([0-9]{1,3}\.){3}[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2002032; classtype:trojan-activity; sid:2002032; rev:22;)

# Response from an internal web server containing "root:x:0:0:root:/root:/" (nocase), i.e. passwd-style content
# leaving the network. It is a plain content match without file_data. NOTE(review): compressed responses may not
# be seen, so do not read the absence of this alert as proof that no file was disclosed.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:successful-recon-limited; sid:2002034; rev:9;)

# "WebDownloader" on the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopathomeselect.com Spyware User-Agent (WebDownloader)"; flow: to_server,established; content:"WebDownloader"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+WebDownloader/iH"; reference:url,doc.emergingthreats.net/2002038; classtype:trojan-activity; sid:2002038; rev:250;)

# Outbound HTTP request whose URI contains "/scripts/adpopper/webservice.main" (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:trojan-activity; sid:2002044; rev:5;)

# "XupiterToolbar" on the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; content:"XupiterToolbar"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+XupiterToolbar/iH"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:trojan-activity; sid:2002071; rev:17;)

# " SideStep" on the User-Agent line; classed as misc-activity rather than malware.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS SideStep User-Agent"; flow: to_server,established; content:" SideStep"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SideStep/iH"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; classtype:misc-activity; sid:2002078; rev:31;)

# " MySearch" on the User-Agent line (sid 2002080).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearch Products Spyware User-Agent 
(MySearch)"; flow:established,to_server; content:" MySearch"; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+MySearch/iH"; reference:url,doc.emergingthreats.net/2002080; classtype:trojan-activity; sid:2002080; rev:26;)

# Outbound HTTP request whose URI contains "/mcp/mcp.cgi" (case-sensitive). It matches on the path alone, with no
# Host check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:trojan-activity; sid:2002083; rev:5;)

# Inbound SMTP (port 25) from outside $HOME_NET: alerts on every 10th "mail from:" per source within 60 s
# (type threshold). NOTE(review): legitimate high-volume relays will probably trip this; expect to suppress
# known senders.
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;)

# Outbound HTTP requests whose URI contains "/protector.exe" or "/sideb.exe" (nocase). Neither rule checks the
# Host header, so any site serving a file with that name matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; content:"/protector.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:trojan-activity; sid:2002092; rev:7;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; content:"/sideb.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:trojan-activity; sid:2002098; rev:7;)

# Outbound to port 6112 containing a fixed byte sequence anywhere in the payload (no offset or depth).
alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Guild Wars connection"; flow:established,to_server; content:"|01 00 00 00 00 F1 00 10 00 01 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002154; classtype:policy-violation; sid:2002154; rev:5;)

# "Skype" on the User-Agent line (sid 2002157). The content is case-sensitive, so the /i on the pcre does not
# widen the match.
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; 
reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)

# User-Agent starting "Feat" and, later on the same line, "Installer" or "Updater". The pcre is anchored to the
# start of the header line with ^ under /m.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; content:"User-Agent|3a| Feat"; nocase; http_header; pcre:"/^User-Agent\x3a\x20+Feat[^\r\n]+(?:Install|Updat)er/Hmi"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:trojan-activity; sid:2002160; rev:16;)

# User-Agent starting "host" (nocase) where the line also contains hostie, hostoe, hostoi or hostol after at least
# one other character (the pcre's [^\n]+).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Spyware User-Agent (host)"; flow: to_server,established; content:"User-Agent|3a| host"; nocase; http_header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/iH"; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; reference:url,doc.emergingthreats.net/2002164; classtype:trojan-activity; sid:2002164; rev:13;)

# User-Agent starting "Wise" (case-sensitive). The msg files this under POLICY and says only "Sometimes Malware
# Related", yet the classtype is trojan-activity. NOTE(review): the alert is classed with the malware rules;
# consider local reclassification.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"User-Agent|3a| Wise"; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:16;)

# Outbound on any port: "CHG " within the first 55 bytes of the payload. It is a four-byte ASCII match with no
# port or protocol anchor. NOTE(review): likely to be noisy.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4;)

# Outbound HTTP request whose URI matches /sd?s=<digits>&f=<digit> (sid 2002196).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; content:"/sd?"; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; classtype:trojan-activity; sid:2002196; 
rev:4;)

# Outbound to port 5222: "gmail.com" followed by "jabber" at the stated relative position (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002327; classtype:policy-violation; sid:2002327; rev:4;)

# Same strings to port 443. NOTE(review): these are cleartext matches, so on 443 they can only hit traffic sent
# before encryption starts.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002330; classtype:policy-violation; sid:2002330; rev:4;)

# Outbound to port 5222: "gmail.com", "jabber.org" and "version=" anywhere in the payload. flow is to_server
# without "established", unlike the two rules above. NOTE(review): confirm that is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Jabber client sign-on"; flow:to_server; content:"gmail.com"; nocase; content:"jabber.org"; nocase; content:"version="; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002334; classtype:policy-violation; sid:2002334; rev:5;)

# Server-to-client PRIVMSG carrying dot-prefixed bot commands. There is no is_proto_irc requirement, so the rule
# applies on any port. Several alternatives are only one or two letters (.l, .si, .ps, .di), so ordinary chat can
# match; weigh a hit together with the destination host's other alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC potential reptile commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002363; classtype:trojan-activity; sid:2002363; rev:15;)

# Inbound request to merchant.mv with "customer_login" in the URI followed by a quote and ">" (sid 2002371).
# The rule is split by the line break that follows; it must be re-joined on one line to load.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Miva Merchant Cross Site Scripting Attack"; flow:to_server,established; content:"merchant.mv"; nocase; http_uri; content:"customer_login"; nocase; http_uri; 
pcre:"/customer_login.*\">/Ui"; reference:bugtraq,14828; reference:url,smallbusiness.miva.com/products/mia/; reference:url,www.frsirt.com/english/advisories/2005/1758; reference:url,doc.emergingthreats.net/2002371; classtype:web-application-activity; sid:2002371; rev:6;) alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC potential bot commands"; flow:established,from_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((\.aim\w*|ascanall|\x3agetshit200)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s)/i"; reference:url,doc.emergingthreats.net/2002384; classtype:trojan-activity; sid:2002384; rev:17;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Miva User-Agent (TPSystem)"; flow: to_server,established; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:trojan-activity; sid:2002395; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; content:"User-Agent|3a| Travel Update|0d 0a|"; http_header; 
reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:trojan-activity; sid:2002396; rev:11;)
# sid 2002400: outbound HTTP request whose header buffer carries the literal
# "User-Agent: Microsoft Internet Explorer". The negated contents form an allow-list
# of vendor domains; the threshold caps alerts at 2 per source per 360 seconds.
# NOTE(review): every negation is evaluated against the whole http_header buffer, not
# only the Host header. Three of them (windowsupdate.com, cyberlink.com, lenovo.com)
# have neither nocase nor the |0d 0a| end-of-line anchor, and msn.co.uk has no nocase.
# Those entries are case-sensitive and unanchored, so the string appearing in any
# header suppresses the alert. When tuning locally, consider anchoring the allow-list
# to the Host header and making the case handling uniform.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent|3a| Microsoft Internet Explorer"; fast_pattern:11,25; http_header; content:!"bbc.co.uk|0d 0a|"; nocase; http_header; content:!"vmware.com|0d 0a|"; nocase; http_header; content:!"rc.itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.com|0d 0a|"; nocase; http_header; content:!"msn.es|0d 0a|"; nocase; http_header; content:!"live.com|0d 0a|"; nocase; http_header; content:!"gocyberlink.com|0d 0a|"; nocase; http_header; content:!"ultraedit.com|0d 0a|"; nocase; http_header; content:!"windowsupdate.com"; http_header; content:!"cyberlink.com"; http_header; content:!"lenovo.com"; http_header; content:!"itsupport247.net|0d 0a|"; nocase; http_header; content:!"msn.co.uk|0d 0a|"; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:34;)
# sid 2002402: outbound HTTP request with "UtilMind HTTPGet" anywhere in the headers,
# unless the headers also contain one of the two excluded Host values.
# At most one alert per source per 360 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; content:"UtilMind HTTPGet"; http_header; fast_pattern:only; content:!"Host|3a| www.blueocean.com"; nocase; http_header; content:!"Host|3a 20|www.backupmaker.com"; http_header; nocase; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:trojan-activity; sid:2002402; rev:17;)
# sid 2002403: case-sensitive prefix match on "User-Agent: PTS" in outbound HTTP headers.
# There is no threshold, so every matching request alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus User-Agent (PTS)"; flow: to_server,established; content:"User-Agent|3a| PTS"; http_header; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:trojan-activity; sid:2002403; 
rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer User-Agent (ROGUE)"; flow: to_server,established; content:"User-Agent|3a| ROGUE"; nocase; http_header; reference:url,www.internet-optimizer.com; reference:url,doc.emergingthreats.net/2002405; classtype:trojan-activity; sid:2002405; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; content:"/ycontent/stats.php?version="; nocase; http_uri; content:"EVENT=InstallBegin"; nocase; http_uri; reference:url,doc.emergingthreats.net/2002659; classtype:policy-violation; sid:2002659; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 resetcore.php SQL Injection attempt"; flow:to_server,established; uricontent:"/resetcore.php?"; nocase; pcre:"/a_name='/Ui"; reference:bugtraq,15125; reference:url,doc.emergingthreats.net/2002663; classtype:web-application-attack; sid:2002663; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nessus User Agent"; flow: established,to_server; content:"User-Agent|3a|"; http_header; nocase; content:"Nessus"; http_header; fast_pattern; nocase; pcre:"/^User-Agent\:[^\n]+Nessus/Hmi"; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; classtype:attempted-recon; sid:2002664; rev:12;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Galerie ShowGallery.php SQL Injection attempt"; flow:to_server,established; content:"/showGallery.php"; nocase; http_uri; content:"galid="; nocase; http_uri; pcre:"/galid=-?\d+ /Ui"; reference:bugtraq,15313; reference:url,doc.emergingthreats.net/2002671; classtype:web-application-attack; sid:2002671; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nikto Web App Scan in Progress"; flow:to_server,established; content:"(Nikto"; 
fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\(Nikto/Hmi"; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:2002677; rev:14;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; content:"/show.php?"; nocase; http_uri; pcre:"/id=-?\d+\s+UNION\s/Ui"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loadadv"; nocase; http_uri; pcre:"/loadadv\d+\.exe/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; classtype:trojan-activity; sid:2002710; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware 2"; flow: to_server,established; content:"/cl/clienthost"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; classtype:policy-violation; sid:2002735; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; content:"/instreport"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:policy-violation; sid:2002737; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; 
content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:trojan-activity; sid:2002738; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iDownloadAgent Spyware User-Agent (iDownloadAgent)"; flow:to_server,established; content:"iDownloadAgent"; http_header; pcre:"/User-Agent\:[^\n]+iDownloadAgent/H"; reference:url,doc.emergingthreats.net/2002739; classtype:trojan-activity; sid:2002739; rev:13;) alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P GnucDNA UDP Ultrapeer Traffic"; content:"SCP@|83|DNA@"; threshold: type both,track by_src,count 10,seconds 600; reference:url,doc.emergingthreats.net/bin/view/Main/2002760; classtype:policy-violation; sid:2002760; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella TCP Ultrapeer Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"X-Ultrapeer|3a| True"; nocase; threshold: type both,track by_src,count 5,seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002761; classtype:policy-violation; sid:2002761; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (x25)"; flow:established,to_server; content:"/x25.php"; nocase; http_uri; content:"?id="; nocase; http_uri; content:"&sv="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&sport="; nocase; http_uri; content:"&hport="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; classtype:trojan-activity; sid:2002762; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dumador Reporting User Activity"; flow:established,to_server; content:".php?p="; nocase; http_uri; content:"machineid="; nocase; http_uri; content:"&connection="; nocase; http_uri; 
content:"&iplan="; nocase; http_uri; reference:url,www.norman.com/Virus/Virus_descriptions/24279/; reference:url,doc.emergingthreats.net/2002763; classtype:trojan-activity; sid:2002763; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Haxdoor Reporting User Activity"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"&socksport="; nocase; http_uri; content:"&httpport="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; reference:url,doc.emergingthreats.net/2002790; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; classtype:trojan-activity; sid:2002790; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; content:"(compatible|3b| Google Desktop)"; http_header; fast_pattern:13,15; nocase; threshold: type limit, count 1, seconds 360, track by_src; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; 
byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; content:"spywareaxe"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+spywareaxe/H"; reference:url,doc.emergingthreats.net/2002808; classtype:trojan-activity; sid:2002808; rev:13;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; classtype:trojan-activity; sid:2002809; rev:5;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; classtype:trojan-activity; sid:2002810; rev:4;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; classtype:trojan-activity; sid:2002811; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Direct Connect Traffic (client-server)"; flow:from_client,established; content:"$MyINFO"; depth:7; reference:url,en.wikipedia.org/wiki/Direct_connect_file-sharing_application; reference:url,doc.emergingthreats.net/bin/view/Main/2002814; classtype:policy-violation; sid:2002814; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Web Crawl using Wget"; flow:established,to_server; 
content:"User-Agent|3A| "; nocase; http_header; content:"Wget"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.gnu.org/software/wget/; reference:url,doc.emergingthreats.net/2002823; classtype:attempted-recon; sid:2002823; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; content:"User-Agent|3a| curl"; http_header; nocase; fast_pattern:only; threshold: type both, track by_src, count 10, seconds 60; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; classtype:attempted-recon; sid:2002825; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY POSSIBLE Crawl using Fetch"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"fetch"; distance:0; within:50; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002827; classtype:attempted-recon; sid:2002827; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Spyware Config Download"; flow: to_server,established; content:"/ms"; nocase; http_uri; content:"cfg.jsp?"; http_uri; content:"v="; nocase; http_uri; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; classtype:trojan-activity; sid:2002839; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install)"; flow: to_server,established; content:"/checkhttp.htm"; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:policy-violation; sid:2002840; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install 
Registration)"; flow: to_server,established; content:"/ping/?shortname="; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:policy-violation; sid:2002841; rev:6;)
# sid 2002842: inbound traffic to $SQL_SERVERS:3306 with byte 0x01 in the 4-byte window
# starting at offset 3, followed 32 bytes later by "root\0" (case-insensitive).
# Threshold type both: one alert per source per 60 seconds once 5 matches are seen.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:2002842; rev:4;)
# sid 2002850: state-tracking helper, never alerts (flowbits:noalert). It sets the flowbit
# ET.ftp.user.login when an inbound FTP control payload starts with "USER ".
# The rules that test this flowbit are not in this part of the file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; classtype:not-suspicious; sid:2002850; rev:4;)
# sid 2002866: WinPcap installer fetching a banner image. All four conditions must hold:
# URI under /install/banner/, the pcre on the normalized URI, Host www.winpcap.org,
# and the NSISDL User-Agent.
# NOTE(review): in the pcre the inner "/" is not escaped and the "." before "jpg" matches
# any character. The strict spelling would be \/ and \. -- confirm how the deployed
# engine parses an unescaped delimiter before relying on this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; content:"/install/banner/"; http_uri; nocase; pcre:"/\d/\d+.jpg/Ui"; content:"Host|3a| www.winpcap.org"; nocase; http_header; content:"User-Agent|3a| NSISDL"; nocase; http_header; reference:url,www.winpcap.org; reference:url,doc.emergingthreats.net/2002866; classtype:policy-violation; sid:2002866; rev:5;)
# sid 2002872: outbound request whose headers contain secure.myspace.com and whose URI
# contains the login fuseaction. Both matches are case-sensitive (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Myspace Login Attempt"; flow:established,to_server; content:"secure.myspace.com"; http_header; content:"/index.cfm?fuseaction=login"; http_uri; reference:url,doc.emergingthreats.net/2002872; classtype:policy-violation; sid:2002872; rev:6;)
# sid 2002874: exact one-character User-Agent value "z". The trailing |0d 0a| pins the
# end of the header line, so longer agents that merely start with "z" do not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Metafisher/Goldun User-Agent (z)"; flow:to_server,established; content:"User-Agent|3a| z|0d 0a|"; http_header; 
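reference:url,doc.emergingthreats.net/2002874; classtype:trojan-activity; sid:2002874; rev:11;)
# sid 2002878: iTunes client User-Agent on outbound HTTP (policy visibility only).
# At most one alert per source per 360 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY iTunes User Agent"; flow: established,to_server; content:"User-Agent|3a| iTunes"; nocase; http_header; threshold: type limit, count 1, seconds 360, track by_src; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; reference:url,doc.emergingthreats.net/2002879; classtype:policy-violation; sid:2002878; rev:6;)
# sid 2002879: phpMyAgenda remote-file-include attempt. The URI must name one of the
# listed .php3 scripts and carry rootagenda= followed by a URL scheme.
# This rule uses the older uricontent keyword; most rules in this file use content + http_uri.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt"; flow:to_server,established; uricontent:"rootagenda="; nocase; pcre:"/(agendaplace(2?)|infoevent|agenda(2?))\.php3\?/Ui"; pcre:"/rootagenda=(https?|ftps?|php)/Ui"; reference:cve,2006-2009; reference:bugtraq,17670; reference:url,doc.emergingthreats.net/2002879; classtype:web-application-attack; sid:2002879; rev:6;)
# sid 2002901: Aardvark Topsites remote-file-include attempt via CONFIG[PATH]= on
# join.php or lostpw.php.
# The cve reference uses the bare YYYY-NNNN form, like the other cve references in this
# file; the reference type already supplies the prefix.
# NOTE(review): the second pcre requires a literal "&" before CONFIG[path], so it only
# matches when the parameter is not the first one in the query string. Consider [?&]
# if first-position coverage is wanted.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt"; flow:established,to_server; content:"CONFIG[PATH]="; nocase; http_uri; pcre:"/(join|lostpw)\.php\?/Ui"; pcre:"/&CONFIG\x5bpath\x5d=(https?|ftps?|php)\:/Ui"; reference:cve,2006-2149; reference:url,www.osvdb.org/25158; reference:url,doc.emergingthreats.net/2002901; classtype:web-application-attack; sid:2002901; rev:7;)
# sid 2002910 / 2002911: SYN-only packets (flags:S,12 ignores the two reserved bits) to
# the VNC HTTP (5800-5820) and VNC (5900-5920) port ranges.
# Threshold type both: one alert per source per 60 seconds once 5 SYNs are seen.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 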
(msg:"ET TROJAN Haxdoor Reporting User Activity 2"; flow:established,to_server; content:"param="; http_uri; content:"&socksport="; http_uri; content:"&httpport="; fast_pattern:only; http_uri; content:"&uptime"; http_uri; content:"&uid="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2002929; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; reference:md5,0995ecb8bb78f510ae995a50be0c351a; classtype:trojan-activity; sid:2002929; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; content:"/progs_traff/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; classtype:trojan-activity; sid:2002931; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Possible Web Crawl - libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"libwww-perl/"; within:50; fast_pattern; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002935; classtype:attempted-recon; sid:2002935; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent Web Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002943; 
classtype:attempted-recon; sid:2002943; rev:8;)
# sid 2002945: inbound HTTP request whose User-Agent line contains "Java/<digit>.<digit>".
# Threshold type both: one alert per source per 60 seconds once 10 requests are seen.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+Java/\d\.\d/Hi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:10;)
# sid 2002950 / 2002951: outbound requests to ports >= 1024 whose payload starts with the
# Tor directory paths "GET /tor/server/" or "GET /tor/status/" (depth:16 pins the match
# to the first 16 bytes). Limited to one alert per source per 30 / 60 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Server Key Retrieval"; flow:established,to_server; content:"GET /tor/server/"; depth:16; threshold:type limit, track by_src, count 1, seconds 30; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002950; classtype:policy-violation; sid:2002950; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Status Update"; flow:established,to_server; content:"GET /tor/status/"; depth:16; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002951; classtype:policy-violation; sid:2002951; rev:5;)
# sid 2002952 / 2002953: inbound and outbound variants of the same signature: "TOR"
# followed by a second pattern located 10 to 45 bytes later (distance:10; within:35).
# NOTE(review): the second pattern is empty (content:"") in both rules. An empty content
# carries no detection value and is likely to be rejected at rule load. The original
# bytes were presumably lost when this page was extracted (possibly an angle-bracketed
# token stripped as markup). Restore the pattern from the upstream ruleset for these two
# sids before deploying; do not guess it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET P2P TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"TOR"; content:""; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002952; classtype:policy-violation; sid:2002952; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"TOR"; content:""; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002953; classtype:policy-violation; sid:2002953; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Tibs Checkin"; flow:established,to_server; 
content:"/adv/"; nocase; http_uri; content:".php?a1="; nocase; http_uri; content:"&a2=Type of Processor|3a|"; nocase; http_uri; content:"&a3=Windows version is "; nocase; http_uri; content:"&a4=Build|3a|"; nocase; http_uri; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:trojan-activity; sid:2002955; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:trojan-activity; sid:2002957; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs Checkin"; flow:established,to_server; content:"/cntr.php?b="; nocase; http_uri; content:"&c="; nocase; http_uri; content:"&d="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002959; classtype:trojan-activity; sid:2002959; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; content:"/bundle.php?aff="; nocase; http_uri; reference:url,elitemediagroup.net; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; classtype:trojan-activity; sid:2002966; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; content:"/bundle/drsmartload.exe"; nocase; http_uri; reference:url,dollarrevenue.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; classtype:trojan-activity; sid:2002967; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina.."; nocase; content:"Vers|e3|o do Windows"; nocase; content:"Microsoft 
Windows"; nocase; content:"Mac Address.."; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002976; classtype:trojan-activity; sid:2002976; rev:8;)
# sid 2002977: outbound SMTP (port 25) message carrying the Indy 9 library header plus
# the Portuguese status strings below. All six contents must be present, in any order
# (there are no distance/within modifiers).
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banload Downloader Infection - Sending initial email to owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Dispositivo instalado."; nocase; content:"Maquina pronta para uso."; nocase; content:"Data|3a| "; nocase; content:"Hora|3a| "; nocase; content:"Development by "; nocase; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586; reference:url,doc.emergingthreats.net/2002977; classtype:trojan-activity; sid:2002977; rev:4;)
# sid 2002979: outbound SMTP message containing the SC-KeyLog installation notice.
# NOTE(review): the second content pattern holds raw line breaks, so this rule spans
# three physical lines. The upstream pattern presumably had markup or hex-escaped bytes
# at that position that were lost in extraction. A content string cannot contain a
# literal newline like this; restore the pattern from the upstream ruleset for this sid
# before loading.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"

You will receive a log report every "; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2002979; classtype:trojan-activity; sid:2002979; rev:4;)
# sid 2002981: looser Banker.Delf variant. The short patterns ("IP", "Hora", "Data") are
# unordered and case-insensitive, so specificity rests mainly on the Indy 9 header and
# "Microsoft Windows ". Legitimate Indy-based mailers may match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina"; nocase; content:"IP"; nocase; content:"Hora"; nocase; content:"Data"; nocase; content:"Microsoft Windows "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002981; classtype:trojan-activity; sid:2002981; rev:4;)
# sid 2002992-2002995: connection-rate rules for POP3 (110), POP3S (995), IMAP (143) and
# IMAPS (993). They match SYN-only packets (flags: S,12 ignores the two reserved bits)
# and do not inspect payload. Threshold type both: one alert per source per window once
# 30 SYNs are seen. The window is 120 seconds for POP3/POP3S and 60 seconds for IMAP/IMAPS.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; 
nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:8;) alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; content:"/prxjdg.cgi"; nocase; http_uri; reference:url,doc.emergingthreats.net/2003047; classtype:policy-violation; sid:2003047; rev:4;) alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET POLICY Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established, only_stream; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; content:"/php/rpc_uci.php"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:trojan-activity; sid:2003060; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"SAIv"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]+SAIv/Hm"; reference:url,doc.emergingthreats.net/2003062; classtype:trojan-activity; sid:2003062; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (wur8)"; flow:established,to_server; content:"/wur8.php"; nocase; http_uri; content:"?id="; nocase; http_uri; content:"&sv="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&sport="; nocase; http_uri; 
content:"&hport="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; classtype:trojan-activity; sid:2003066; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:6;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 27020:27050 (msg:"ET GAMES STEAM Connection (v2)"; flow:established,to_server; content:"|00 00 00 03|"; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003089; classtype:policy-violation; sid:2003089; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential DDoS command (2)"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"ddos"; nocase; pcre:"/ddos\.(phat(icmp|syn|wonk)|stop|(syn|udp|http)flood|targa3|(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; reference:url,doc.emergingthreats.net/2003132; classtype:trojan-activity; sid:2003132; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,to_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; classtype:successful-recon-limited; sid:2003149; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; 
flow:established,to_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; classtype:successful-recon-limited; sid:2003150; rev:6;) alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"ET POLICY Microsoft TEREDO IPv6 tunneling"; content:"|FE 80 00 00 00 00 00 00 80 00|TEREDO"; offset:21; depth:16; reference:url,doc.emergingthreats.net/2003155; classtype:misc-activity; sid:2003155; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN IBM NSA User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"Network-Services-Auditor"; http_header; within:50; threshold: type limit, track by_src,count 1, seconds 60; reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf; reference:url,doc.emergingthreats.net/2003171; classtype:attempted-recon; sid:2003171; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Warezov/Stration Data Post to Controller"; flow:established,to_server; content:"/cgi-bin/pr.cgi"; http_uri; content:"POST"; http_method; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003180; classtype:trojan-activity; sid:2003180; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Initial Checkin"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; content:"fstt="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"name="; http_uri; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003187; classtype:trojan-activity; sid:2003187; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&b="; nocase; http_uri; 
content:"name="; http_uri; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003188; classtype:trojan-activity; sid:2003188; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; pcre:"/\/cp\/rule\.php\?gcu=\d/Ui"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood TCP"; flow:established,to_server; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003192; classtype:attempted-dos; sid:2003192; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood TCP"; flow:established,to_server; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003193; classtype:attempted-dos; sid:2003193; rev:5;) alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP"; flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2003194; classtype:attempted-dos; sid:2003194; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; content:"/checkin.php?"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"version="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:trojan-activity; sid:2003209; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Best-targeted-traffic.com Spyware Install"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"&pais="; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:trojan-activity; sid:2003210; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; nocase; http_uri; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Megaupload Spyware User-Agent (Megaupload)"; flow:to_server,established; content:"User-Agent|3a| Megaupload|0d 0a|"; http_header; reference:url,www.budsinc.com; reference:url,doc.emergingthreats.net/2003224; classtype:trojan-activity; sid:2003224; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2)"; flow:established,to_server; content:"/rule.php?"; nocase; http_uri; content:"name="; nocase; http_uri; content:"b="; nocase; http_uri; content:"w="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003239; classtype:trojan-activity; sid:2003239; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; content:"User-Agent|3a| Download Agent"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:trojan-activity; sid:2003243; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection"; flow: established,to_server; 
content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003244; classtype:trojan-activity; sid:2003244; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection Reply"; flow: established,from_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003245; classtype:trojan-activity; sid:2003245; rev:3;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; classtype:protocol-command-decode; sid:2003254; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; 
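reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; classtype:protocol-command-decode; sid:2003255; rev:5;)

# --- Inbound SOCKSv4 CONNECT to port 25 --------------------------------------
# Both rules below match a SOCKS4 request header in the first four payload
# bytes: version 04, command 01 (CONNECT), destination port 0x0019 (25).
# dsize:9<>18 bounds the payload size, and "threshold:type both ... count 2,
# seconds 900" raises one alert per source per 15 minutes once two matching
# packets have been seen.
#
# NOTE(review): the "(Windows Source)" / "(Linux Source)" labels rest only on
# the source-port range (1024:5000 vs 32768:61000). Treat them as a hint, not
# an OS identification: newer Windows releases default to an ephemeral range
# of 49152-65535, so such a client is reported as "Linux Source" up to port
# 61000 and matches neither rule above it. Sources behind NAT also get their
# ports rewritten. Triage on the destination host that accepted the request.
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:5;)

# msg corrected from "SOCKSv5" to "SOCKSv4": this rule matches version byte 04
# with the same dsize and content as sid 2003256, and its old msg was identical
# to that of sid 2003255 (the real SOCKSv5 port-25 rule), which made the two
# alerts indistinguishable by name. sid and rev are kept as published; bump rev
# if your rule management tracks local modifications.
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:5;)

# --- Inbound SOCKSv5 CONNECT by domain name ----------------------------------
# Header bytes 05 01 00 03: version 05, command 01 (CONNECT), reserved 00,
# address type 03 (domain name, so the proxy performs the DNS lookup).
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; 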
reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; classtype:protocol-command-decode; sid:2003258; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; classtype:protocol-command-decode; sid:2003259; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; 
classtype:protocol-command-decode; sid:2003260; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; classtype:protocol-command-decode; sid:2003261; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; classtype:protocol-command-decode; sid:2003262; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; 
reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; classtype:protocol-command-decode; sid:2003263; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; classtype:protocol-command-decode; sid:2003266; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; classtype:protocol-command-decode; sid:2003267; rev:5;) alert tcp 
$EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; classtype:protocol-command-decode; sid:2003268; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; classtype:protocol-command-decode; sid:2003269; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; 
reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; classtype:protocol-command-decode; sid:2003270; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; classtype:protocol-command-decode; sid:2003271; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; classtype:protocol-command-decode; sid:2003272; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; 
flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; classtype:protocol-command-decode; sid:2003273; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; classtype:protocol-command-decode; sid:2003274; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; 
reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; classtype:protocol-command-decode; sid:2003276; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; classtype:protocol-command-decode; sid:2003277; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, 
seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; classtype:protocol-command-decode; sid:2003278; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; classtype:protocol-command-decode; sid:2003279; rev:5;) alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; 
classtype:protocol-command-decode; sid:2003280; rev:5;) alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; classtype:protocol-command-decode; sid:2003281; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1025:5000 (msg:"ET TROJAN Possible Web-based DDoS-command being issued"; flow: established,from_server; content: "Server|3a| nginx/0."; offset: 17; depth: 19; content: "Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern:only; reference:url,doc.emergingthreats.net/2003296; classtype:trojan-activity; sid:2003296; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; content:"/trackedevent.aspx?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&rnd="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; classtype:trojan-activity; sid:2003306; rev:9;) alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File ACK"; dsize:<20; content:"|e3 0d|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003311; 
classtype:policy-violation; sid:2003311; rev:3;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Connect Request"; dsize:25; content:"|e3 0a|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003312; classtype:policy-violation; sid:2003312; rev:3;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; classtype:policy-violation; sid:2003319; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|22|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003326; classtype:attempted-admin; sid:2003326; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; distance:0; within:400; content:!"|27|"; distance:0; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003327; classtype:attempted-admin; sid:2003327; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Autoupdate)"; flow:to_server,established; content:"User-Agent|3a| Autoupdate"; nocase; http_header; content:!"Host|3a| update.nai.com"; nocase; http_header; content:!"McAfeeAutoUpdate"; nocase; http_header; content:!"nokia.com"; nocase; http_header; content:!"sophosupd.com"; nocase; http_header; content:!"sophosupd.net"; 
nocase; http_header; content:!" Creative AutoUpdate v"; http_header; content:!"wholetomato.com"; http_header; content:!".acclivitysoftware.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:trojan-activity; sid:2003337; rev:16;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; content:"/upd/check?version="; nocase; http_uri; content:"&localeId="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&updatevalue="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; classtype:trojan-activity; sid:2003344; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"ErrorSafe "; http_header; fast_pattern; within:150; pcre:"/^User-Agent\x3a\x20[^\n]+ErrorSafe/Hmi"; reference:url,doc.emergingthreats.net/2003346; classtype:trojan-activity; sid:2003346; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; content:"GAMEHOUSE"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GAMEHOUSE/iH"; reference:url,doc.emergingthreats.net/2003347; classtype:trojan-activity; sid:2003347; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; http_uri; content:" MySearch)"; 
http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; content:"FreezeInet"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FreezeInet/iH"; reference:url,doc.emergingthreats.net/2003355; classtype:trojan-activity; sid:2003355; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware Download"; flow: to_server,established; content:"/WebServices/DesktopManager/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; classtype:trojan-activity; sid:2003356; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Tools Spyware User-Agent (hbtools)"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"|3b| HbTools"; http_header; fast_pattern; within:80; reference:url,doc.emergingthreats.net/2003383; classtype:trojan-activity; sid:2003383; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; content:"SpamBlockerUtility "; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SpamBlockerUtility \d/iH"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003384; classtype:trojan-activity; sid:2003384; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE dialno Dialer User-Agent (dialno)"; flow:to_server,established; content:"dialno"; http_header; threshold: type limit, count 5, seconds 60, track by_src; pcre:"/User-Agent\:[^\n]+dialno/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003387; classtype:trojan-activity; sid:2003387; rev:15;)
# sid 2003390: outbound request whose URI contains "/sacc/sacc.cfg.php?" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Updating"; flow:to_server,established; content:"/sacc/sacc.cfg.php?"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; classtype:trojan-activity; sid:2003390; rev:4;)
# sid 2003396: " Morpheus" in the header buffer, confirmed on the User-Agent line by the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; content:" Morpheus"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+Morpheus/iH"; reference:url,doc.emergingthreats.net/2003396; classtype:trojan-activity; sid:2003396; rev:15;)
# sid 2003397: User-Agent line containing "Seekmo"; threshold type both (count 1, 300 s, per source). This rule carries no reference option.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; content:"Seekmo"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Seekmo/iH"; threshold:type both, count 1, seconds 300, track by_src; classtype:trojan-activity; sid:2003397; rev:13;)
# sid 2003398: User-Agent line containing "SmartInstaller".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; content:"SmartInstaller"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SmartInstaller/iH"; reference:url,doc.emergingthreats.net/2003398; classtype:trojan-activity; sid:2003398; rev:15;)
# sid 2003405 (reference, classtype and sid are on the next line of this listing): header buffer contains "User-Agent: YourScreen" (case-sensitive, no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; content:"User-Agent|3a| YourScreen"; http_header; 
reference:url,doc.emergingthreats.net/2003405; classtype:trojan-activity; sid:2003405; rev:8;)
# sid 2003406: User-Agent line containing "iMeshBar".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; content:"iMeshBar"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+iMeshBar/iH"; reference:url,doc.emergingthreats.net/2003406; classtype:trojan-activity; sid:2003406; rev:14;)
# sid 2003407: header buffer contains "User-Agent: RX Bar" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; content:"User-Agent|3a| RX Bar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003407; classtype:trojan-activity; sid:2003407; rev:8;)
# sid 2003425: header buffer contains "User-Agent: CS Fingerprint Module" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; content:"User-Agent|3a| CS Fingerprint Module"; nocase; http_header; reference:url,doc.emergingthreats.net/2003425; classtype:trojan-activity; sid:2003425; rev:8;)
# sid 2003426: URI must contain "/notify.php?" plus the parameters pid=, &module=, &v=, &result= and &message=,
# and the header buffer must contain "outerinfo.com". The URI contents carry no distance/within, so their order is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; content:"/notify.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&module="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&result="; nocase; http_uri; content:"&message="; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; classtype:trojan-activity; sid:2003426; rev:4;)
# sid 2003428: "SF Installer" anywhere in the header buffer. Unlike the neighbouring User-Agent rules there is no pcre
# tying the string to the User-Agent line, so any request header containing it satisfies the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; content:"SF Installer"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003428; classtype:trojan-activity; sid:2003428; rev:16;)
# sid 2003431 (options continue on the next line of this listing): URI contains "/ww20/script.php?id=", the payload
# contains "&config=", and the header buffer has no "User-Agent:" string.
# NOTE(review): the "&config=" content has no http_uri modifier, so it is matched against the raw payload rather than
# the normalized URI like the first content - confirm whether that is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unnamed Generic.Malware http get"; 
flow:established,to_server; content:"/ww20/script.php?id="; nocase; http_uri; content:"&config="; nocase; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2003431; classtype:trojan-activity; sid:2003431; rev:5;)
# sid 2003436: URI containing "/chr/", "/e/" and "?lid=", confirmed by the pcre against the normalized URI
# (flag U) as /chr/<digits>/e/t<digits>?lid=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Warezov/Stration Communicating with Controller 2"; flow:established,to_server; content:"/chr/"; nocase; http_uri; content:"/e/"; http_uri; content:"?lid="; nocase; http_uri; pcre:"/\/chr\/\d+\/e\/t\d+\?lid=/Ui"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/3242/tr_dldr.warezov.df.html; reference:url,doc.emergingthreats.net/2003436; classtype:trojan-activity; sid:2003436; rev:5;)
# sid 2003439: User-Agent line containing "DSInstall".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; content:"DSInstall"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+DSInstall/iH"; reference:url,doc.emergingthreats.net/2003439; classtype:trojan-activity; sid:2003439; rev:14;)
# sid 2003440: URI must contain all of "/reportaddon.cgi?", "report.cgi?", "user=" and "software=".
# NOTE(review): "report.cgi?" is not a substring of "/reportaddon.cgi?", so both script names have to appear in one
# URI for the rule to fire - confirm that this is the intended request shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; content:"/reportaddon.cgi?"; nocase; http_uri; content:"report.cgi?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"software="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; classtype:trojan-activity; sid:2003440; rev:4;)
# sid 2003441: " wbi_v0." in the header buffer; the pcre requires "wbi_v" plus a digit on the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; reference:url,doc.emergingthreats.net/2003441; classtype:trojan-activity; sid:2003441; rev:12;)
# sid 2003442 (options continue on the next line of this listing): URI containing "/inst.php?" together with a fixed
# set of query parameters (d=, &cl=, &l=, &e=, &v=wbi_v, &uid=, &time=, &win=, &un=0).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Installing"; flow:established,to_server; 
content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:trojan-activity; sid:2003442; rev:4;)
# sid 2003445: URI containing "/GetAd/tekID" (case-insensitive) and ".ini". The msg category is MALWARE but the
# classtype is policy-violation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; content:"/GetAd/tekID"; nocase; http_uri; content:".ini"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:policy-violation; sid:2003445; rev:4;)
# sid 2003457: policy rule on "Host: www.metacafe.com"; threshold type both, count 5 in 300 s per source.
# The match is the exact string with the www. prefix, so other host names of the site are not covered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Metacafe.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.metacafe.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003457; classtype:policy-violation; sid:2003457; rev:5;)
# sid 2003458: same shape as sid 2003457, for "Host: www.orkut.com".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Orkut.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.orkut.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003458; classtype:policy-violation; sid:2003458; rev:4;)
# sid 2003464: server-to-client traffic from port 21 towards $HOME_NET containing "220 " and, within the first 40 bytes,
# "--warFTPd " (case-insensitive).
# NOTE(review): "220 " has no depth/offset of its own, so it may match anywhere in the payload; only the banner
# string is bound to the start of the packet.
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; classtype:trojan-activity; sid:2003464; rev:5;)
# sid 2003465 (second reference, classtype and sid are on the next line of this listing): same shape as sid 2003464,
# for the banner string "--freeFTPd ".
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; nocase; reference:url,www.freeftp.com; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003465; classtype:trojan-activity; sid:2003465; rev:5;)
# sid 2003466: inbound request ($EXTERNAL_NET -> $HOME_NET) whose headers contain "User-Agent: Morfeus" (case-insensitive).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; content:"User-Agent|3a| Morfeus"; fast_pattern:only; nocase; http_header; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2003466; rev:12;)
# sid 2003468: " Oemji" in the header buffer, confirmed on the User-Agent line by the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; content:" Oemji"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Oemji/iH"; reference:url,doc.emergingthreats.net/2003468; classtype:trojan-activity; sid:2003468; rev:12;)
# sid 2003469: policy rule for "AOLToolbar" on the User-Agent line (classtype policy-violation).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Toolbar User-Agent (AOLToolbar)"; flow:to_server,established; content:"AOLToolbar"; http_header; fast_pattern:only; nocase; pcre:"/User-Agent\x3a[^\n]+AOLToolbar/Hi"; reference:url,doc.emergingthreats.net/bin/view/Main/2003469; classtype:policy-violation; sid:2003469; rev:5;)
# sid 2003470: the User-Agent value is exactly "Updater" - the content ends with CRLF (|0d 0a|) and has no nocase.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003470; classtype:trojan-activity; sid:2003470; rev:9;)
# sid 2003476: header buffer contains "User-Agent: ad-protect" (case-insensitive prefix match, no CRLF anchor).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; content:"User-Agent|3a| ad-protect"; nocase; http_header; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:trojan-activity; sid:2003476; rev:7;)
# sid 2003477 (options continue on the next line of this listing): header buffer contains "User-Agent: DInstaller"
# (case-insensitive); the msg names DInstaller2, which this prefix also covers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; 
content:"User-Agent|3a| DInstaller"; nocase; http_header; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:trojan-activity; sid:2003477; rev:7;)
# sid 2003478: header buffer contains "User-Agent: ERRORNUKER" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; content:"User-Agent|3a| ERRORNUKER"; nocase; http_header; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:trojan-activity; sid:2003478; rev:7;)
# sid 2003479: inbound connection to a high port (1024:65535) carrying a fixed 10-byte sequence; alerts and sets the
# flowbit BE.Radmin.Challenge. The content has no depth/offset, so the bytes may sit anywhere in the payload.
# NOTE(review): no rule in this part of the listing tests BE.Radmin.Challenge - confirm a consumer exists elsewhere.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,BE.Radmin.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:5;)
# sid 2003481: inbound packet under 20 bytes with a fixed 14-byte sequence; alerts and sets BE.Radmin.Auth.Challenge,
# which sid 2003482 below requires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5;)
# sid 2003482: server-side reply (from_server, source port 1024:65535 in $HOME_NET) under 20 bytes; only evaluated on
# flows where BE.Radmin.Auth.Challenge was set by sid 2003481. All three Radmin rules use classtype not-suspicious.
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6;)
# sid 2003486 (options continue on the next line of this listing): header buffer contains
# "User-Agent: DriveCleaner Updater"; fast_pattern:11,20 hands a 20-byte slice starting at offset 11 to the fast pattern matcher.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; flow:to_server,established; content:"User-Agent|3a| DriveCleaner Updater"; 
fast_pattern:11,20; http_header; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; classtype:trojan-activity; sid:2003486; rev:8;)
# sid 2003489: User-Agent value exactly "MalwareWipe" (CRLF-terminated, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; content:"User-Agent|3a| MalwareWipe|0d 0a|"; nocase; http_header; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:trojan-activity; sid:2003489; rev:9;)
# sid 2003490: User-Agent value exactly "Mirar_KeywordContent" (CRLF-terminated, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; content:"User-Agent|3a| Mirar_KeywordContent|0d 0a|"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:trojan-activity; sid:2003490; rev:7;)
# sid 2003492 (options continue on the next line of this listing): User-Agent value exactly "Mozilla/4.0"
# (CRLF-terminated), followed by a list of negated contents that suppress the alert for specific URIs, Host values
# and a Cookie prefix. Each exclusion is a substring test on the URI or header buffer, so a request carrying one of
# those strings in any header is exempted as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; content:!"Host|3a 20|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; content:!"Host|3a 20|weixin.qq.com"; http_header; nocase; content:!"Host|3a| slickdeals.net"; nocase; http_header; content:!"Host|3a| cloudera.com"; nocase; http_header; content:!"Host|3a 20|secure.digitalalchemy.net.au"; http_header; content:!".ksmobile.com|0d 0a|"; http_header; content:!"gstatic|2e|com|0d 0a|"; http_header; content:!"weixin.qq.com|0d 0a|"; http_header; content:!"|2e|cmcm|2e|com|0d 0a|"; 
http_header; content:!".deckedbuilder.com"; http_header; content:!".mobolize.com"; http_header; content:!"wq.cloud.duba.net"; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:27;)
# sid 2003493: User-Agent line containing "AskSearch"; limited to 2 alerts per 360 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; content:"AskSearch"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskSearch/iH"; threshold:type limit, count 2, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2003493; classtype:trojan-activity; sid:2003493; rev:15;)
# sid 2003496: "; AskBar" in the header buffer, confirmed on the User-Agent line by the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:trojan-activity; sid:2003496; rev:16;)
# sid 2003497: User-Agent value exactly "ms" - CRLF-terminated and case-sensitive (no nocase); limited to 3 alerts
# per 300 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ms)"; flow:to_server,established; content:"User-Agent|3a| ms|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:trojan-activity; sid:2003497; rev:11;)
# sid 2003498: User-Agent value exactly "Sprout Game" (CRLF-terminated, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; content:"User-Agent|3a| Sprout Game|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003498; classtype:trojan-activity; sid:2003498; rev:7;)
# sid 2003499: User-Agent value exactly "SpyDawn" (CRLF-terminated, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; content:"User-Agent|3a| SpyDawn|0d 0a|"; nocase; http_header; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:trojan-activity; sid:2003499; rev:8;)
# sid 2003500 (rule continues on the next line of this listing): header buffer contains "User-Agent: STBHOGet" (case-insensitive).
alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; content:"User-Agent|3a| STBHOGet"; nocase; http_header; reference:url,doc.emergingthreats.net/2003500; classtype:trojan-activity; sid:2003500; rev:10;)
# sid 2003501: User-Agent value exactly "TBONAS" (CRLF-terminated, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; content:"User-Agent|3a| TBONAS|0d 0a|"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; classtype:trojan-activity; sid:2003501; rev:7;)
# sid 2003505: header buffer contains "User-Agent: BWL" and the pcre finds "BWL Toolist"-style variants: "BWL" followed
# by whitespace + "Toplist", or by a digit + "_UPDATE". Both tests are case-sensitive; the rule carries no reference option.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toplist.cz Related Spyware Checkin"; flow:to_server,established; content:"User-Agent|3a| BWL"; http_header; pcre:"/BWL(\sToplist|\d_UPDATE)/H"; classtype:trojan-activity; sid:2003505; rev:10;)
# sid 2003506: header buffer contains "User-Agent: Alawar Toolbar" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Alawar Toolbar"; nocase; http_header; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:trojan-activity; sid:2003506; rev:9;)
# sid 2003527: header buffer contains "User-Agent: WinSoftware" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; content:"User-Agent|3a| WinSoftware"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:trojan-activity; sid:2003527; rev:8;)
# sid 2003528 (references, classtype and sid are on the next line of this listing): header buffer contains
# "User-Agent: NetInstaller" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| NetInstaller"; nocase; http_header; 
reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:trojan-activity; sid:2003528; rev:7;)
# sid 2003530: User-Agent beginning "Mozilla/4.0+(compatible;+MSIE+/" - '+' where a browser string would have spaces.
# Case-sensitive; fast_pattern:23,20 selects a 20-byte slice of the content starting at offset 23.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0+(compatible|3b|+MSIE+/"; fast_pattern:23,20; http_header; reference:url,doc.emergingthreats.net/2003530; classtype:trojan-activity; sid:2003530; rev:11;)
# sid 2003532: header buffer contains "User-Agent: CommonName" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; content:"User-Agent|3a| CommonName"; nocase; http_header; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:trojan-activity; sid:2003532; rev:7;)
# sid 2003535: response from $HTTP_SERVERS to an external client whose body (file_data) contains the footer string
# "r57shell - http-shell by RST/GHC", i.e. the web shell page is being served by a monitored server.
# NOTE(review): the first reference points at a pestpatrol.com spyware-centre page - confirm it is the intended
# reference for this web-shell signature.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; file_data; content:"r57shell - http-shell by RST/GHC"; fast_pattern:only; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8;)
# sid 2003544: header buffer contains "User-Agent: WinFixMaster" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; content:"User-Agent|3a| WinFixMaster"; nocase; http_header; reference:url,doc.emergingthreats.net/2003544; classtype:trojan-activity; sid:2003544; rev:7;)
# sid 2003545 (classtype and sid are on the next line of this listing): variant of sid 2003544 with a space,
# "User-Agent: WinFix Master" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; content:"User-Agent|3a| WinFix Master"; nocase; http_header; reference:url,doc.emergingthreats.net/2003545; 
classtype:trojan-activity; sid:2003545; rev:8;)
# sid 2003555: outbound connection to a high port whose payload starts with bytes cf 8f (offset 0, depth 2) and has
# " &&&" (20 26 26 26) at least 50 bytes further on. flowbits isnotset/set on BE.Bandook1.35 make the rule fire at
# most once per flow.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.35; flow:established,to_server; content:"|cf 8f|"; offset:0; depth:2; content:"|20 26 26 26|"; distance:50; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003555; rev:5;)
# sid 2003566: header buffer contains "User-Agent: DIALER" (case-insensitive); limited to 3 alerts per 300 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (DIALER)"; flow:to_server,established; content:"User-Agent|3a| DIALER"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003566; classtype:trojan-activity; sid:2003566; rev:10;)
# sid 2003570: header buffer contains "User-Agent: iefeatsl" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; content:"User-Agent|3a| iefeatsl"; nocase; http_header; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:trojan-activity; sid:2003570; rev:7;)
# sid 2003576: URI contains "/SA/receive_data.php3?tcpc=" (case-sensitive) and the header buffer contains
# "security-updater.com" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Security-updater.com Spyware Posting Data"; flow:established,to_server; content:"/SA/receive_data.php3?tcpc="; http_uri; content:"security-updater.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; classtype:trojan-activity; sid:2003576; rev:4;)
# sid 2003582: header buffer contains "User-Agent: MalwareWiped" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; content:"User-Agent|3a| MalwareWiped"; nocase; http_header; reference:url,doc.emergingthreats.net/2003582; classtype:trojan-activity; sid:2003582; rev:8;)
# sid 2003583 (msg and options continue on the next line of this listing): User-Agent value exactly "update"
# (CRLF-terminated, case-sensitive); limited to 3 alerts per 300 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Suspicious User-Agent (update)"; flow:to_server,established; content:"User-Agent|3a| update|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003583; classtype:trojan-activity; sid:2003583; rev:10;)
# sid 2003585: header buffer contains "User-Agent: Windows Updates Manager" (case-sensitive); limited to 3 alerts
# per 300 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:trojan-activity; sid:2003585; rev:13;)
# sid 2003586: header buffer contains "User-Agent: WinXP Pro Service Pack" (case-sensitive); same threshold as above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; content:"User-Agent|3a| WinXP Pro Service Pack"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003586; classtype:trojan-activity; sid:2003586; rev:11;)
# sid 2003588: header buffer contains "User-Agent: skw000" (case-sensitive prefix; the msg gives skw00001 as the example).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:trojan-activity; sid:2003588; rev:7;)
# sid 2003590: header buffer contains "User-Agent: MSID [" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; content:"User-Agent|3a| MSID ["; nocase; http_header; reference:url,doc.emergingthreats.net/2003590; classtype:trojan-activity; sid:2003590; rev:8;)
# sid 2003603: "JOIN &virtu" within the first 27 bytes of a client-to-server payload, on any destination port.
# The match is case-sensitive and tied to that one channel-name prefix; the md5 reference identifies a sample.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7;)
# sid 2003613 (msg and options continue on the next line of this listing): header buffer contains
# "User-Agent: EELoader" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EELoader Malware Packages User-Agent 
(EELoader)"; flow:to_server,established; content:"User-Agent|3a| EELoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003613; classtype:trojan-activity; sid:2003613; rev:9;)
# sid 2003614: the 16 bytes "MZKERNEL32.DLL" + two NULs anywhere in an established TCP stream from $EXTERNAL_NET to
# $HOME_NET, on any port. flow:established gives no to_server/to_client direction; direction comes from the header only.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6;)
# sid 2003615: same byte pattern as sid 2003614 with source and destination swapped ($HOME_NET -> $EXTERNAL_NET).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:6;)
# sid 2003616: inbound request whose headers contain "User-Agent: DataCha0s" (case-insensitive).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; content:"User-Agent|3a| DataCha0s"; fast_pattern:only; nocase; http_header; reference:url,www.internetofficer.com/web-robot/datacha0s.html; reference:url,doc.emergingthreats.net/2003616; classtype:web-application-activity; sid:2003616; rev:38;)
# sid 2003620: URI contains "/sa.aspx?id=" and "&refe=http" (both case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; content:"/sa.aspx?id="; nocase; http_uri; content:"&refe=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:trojan-activity; sid:2003620; rev:4;)
# sid 2003622: header buffer contains "User-Agent: bot/" (case-insensitive); limited to 3 alerts per 300 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent outbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; nocase; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:11;)
# sid 2003623 (options continue on the next line of this listing): inbound request with the full User-Agent string
# "Domain Dossier utility (http://CentralOps.net/)" (case-insensitive); classtype policy-violation.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Centralops.net Domain Dossier Utility Probe"; 
flow:established,to_server; content:"USER-Agent|3a| Domain Dossier utility (http|3a|//CentralOps.net/)"; nocase; http_header; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003623; classtype:policy-violation; sid:2003623; rev:5;)
# sid 2003625: header buffer contains "User-Agent: KRSystem" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; content:"User-Agent|3a| KRSystem"; nocase; http_header; reference:url,doc.emergingthreats.net/2003625; classtype:trojan-activity; sid:2003625; rev:7;)
# sid 2003626: header buffer contains the doubled prefix "User-Agent: User-Agent: "; suppressed when the headers also
# contain "User-Agent: SogouMobileTool" or ".lge.com:80" followed by CRLF.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; content:!"User-Agent|3A| SogouMobileTool"; nocase; http_header; content:!".lge.com|3a|80|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:10;)
# sid 2003627: header buffer contains "User-Agent: SexTrackerWSI" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; content:"User-Agent|3a| SexTrackerWSI"; nocase; http_header; reference:url,doc.emergingthreats.net/2003627; classtype:trojan-activity; sid:2003627; rev:7;)
# sid 2003632: header buffer contains "User-Agent: internetsecurity" (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; content:"User-Agent|3a| internetsecurity"; http_header; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:7;)
# sid 2003634: inbound request whose headers contain "User-Agent: get-minimal"; classtype attempted-admin.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; content:"User-Agent|3a| get-minimal"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:2003634; rev:8;)
# sid 2003635 (rule continues on the next line of this listing): header buffer contains "User-Agent: RookIE" (case-sensitive).
alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Password Stealer User Agent Detected (RookIE)"; flow:established,to_server; content:"User-Agent|3a| RookIE"; http_header; reference:url,doc.emergingthreats.net/2003635; classtype:trojan-activity; sid:2003635; rev:6;)
# sid 2003636: header buffer contains "User-Agent: KUKU" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sality Virus User Agent Detected (KUKU)"; flow:established,to_server; content:"User-Agent|3a| KUKU"; nocase; http_header; reference:url,doc.emergingthreats.net/2003636; classtype:trojan-activity; sid:2003636; rev:7;)
# sid 2003639: header buffer contains "User-Agent: ProxyDown" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; content:"User-Agent|3a| ProxyDown"; nocase; http_header; reference:url,doc.emergingthreats.net/2003639; classtype:trojan-activity; sid:2003639; rev:7;)
# sid 2003640: header buffer contains "User-Agent: 91cast" (case-insensitive prefix of the 91castInstallKernel string in the msg).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; content:"User-Agent|3a| 91cast"; nocase; http_header; reference:url,doc.emergingthreats.net/2003640; classtype:trojan-activity; sid:2003640; rev:10;)
# sid 2003641: header buffer contains "User-Agent: NetScafe" (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"User-Agent|3a| NetScafe"; http_header; reference:url,doc.emergingthreats.net/2003641; classtype:trojan-activity; sid:2003641; rev:7;)
# sid 2003645: header buffer contains "User-Agent: Rescue/9.11" (case-sensitive, version-specific).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; content:"User-Agent|3a| Rescue/9.11"; http_header; reference:url,doc.emergingthreats.net/2003645; classtype:trojan-activity; sid:2003645; rev:4;)
# sid 2003646 (reference, classtype and sid are on the next line of this listing): URI contains "/tx.txt" and the
# header buffer contains " Microsoft URL Control -" (both case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.TX/Backdoor.Win32.DSSdoor!IK Checkin"; flow:established,to_server; content:"/tx.txt"; http_uri; content:" Microsoft URL Control -"; http_header; 
reference:url,doc.emergingthreats.net/2003646; classtype:trojan-activity; sid:2003646; rev:8;)
# sid 2003647: header buffer contains "User-Agent: IRC-U v" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; content:"User-Agent|3a| IRC-U v"; http_header; nocase; reference:url,doc.emergingthreats.net/2003647; classtype:trojan-activity; sid:2003647; rev:6;)
# sid 2003648: header buffer contains "User-Agent: linkrunner" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent|3a| linkrunner"; nocase; http_header; reference:url,doc.emergingthreats.net/2003648; classtype:trojan-activity; sid:2003648; rev:6;)
# sid 2003650: URI contains "/perl/invoc_oneway.pl" plus the parameters ?id_service=, &nom_exe=, &skin= and
# &id_produit= (all case-insensitive; no distance/within, so order is not enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer-715 Install Checkin"; flow: established,to_server; content:"/perl/invoc_oneway.pl"; nocase; http_uri; content:"?id_service="; nocase; http_uri; content:"&nom_exe="; nocase; http_uri; content:"&skin="; nocase; http_uri; content:"&id_produit="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003650; classtype:trojan-activity; sid:2003650; rev:4;)
# sid 2003654: header buffer contains "User-Agent: GTBank" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; content:"User-Agent|3a| GTBank"; nocase; http_header; reference:url,doc.emergingthreats.net/2003654; classtype:trojan-activity; sid:2003654; rev:7;)
# sid 2003655: header buffer contains "User-Agent: Internet 1." (case-insensitive prefix, any minor version).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; content:"User-Agent|3a| Internet 1."; nocase; http_header; reference:url,doc.emergingthreats.net/2003655; classtype:trojan-activity; sid:2003655; rev:7;)
# sid 2003656 (second reference, classtype and sid are on the next line of this listing): header buffer contains
# "User-Agent: mc_v1" (case-insensitive prefix of the mc_v1.2.6 string in the msg).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6)"; flow:to_server,established; content:"User-Agent|3a| mc_v1"; nocase; http_header; reference:url,www.f-secure.com/v-descs/rizo.shtml; 
reference:url,doc.emergingthreats.net/2003656; classtype:trojan-activity; sid:2003656; rev:7;)
# sid 2003657: header buffer contains "User-Agent: MSIE" (case-sensitive) and does not contain "www.msftncsi.com";
# limited to 2 alerts per 300 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MSIE)"; flow:to_server,established; content:"User-Agent|3a| MSIE"; http_header; threshold: type limit, count 2, track by_src, seconds 300; content:!"www.msftncsi.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; classtype:trojan-activity; sid:2003657; rev:13;)
# sid 2003658: header buffer contains "User-Agent: QQGame" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE qq.com related Spyware User-Agent (QQGame)"; flow:to_server,established; content:"User-Agent|3a| QQGame"; nocase; http_header; reference:url,doc.emergingthreats.net/2003658; classtype:trojan-activity; sid:2003658; rev:7;)
# sid 2003869: inbound request on an HTTP port that starts with "CONNECT " (first 8 bytes) and has ":25 HTTP/" within
# the next 200 bytes, i.e. a proxy CONNECT aimed at port 25. Both contents are raw-payload, case-sensitive matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:10;)
# sid 2003924: inbound request with "WHCC" on a User-Agent line (pcre anchored with ^ in multi-line mode).
# The msg category is SCAN while the classtype is trojan-activity.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN WebHack Control Center User-Agent Inbound (WHCC/)"; flow:to_server,established; content:"WHCC"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\n]+WHCC/Hmi"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; classtype:trojan-activity; sid:2003924; rev:13;)
# sid 2003926: header buffer contains "User-Agent: PWMI/" (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; content:"User-Agent|3a| PWMI/"; nocase; http_header; reference:url,doc.emergingthreats.net/2003926; classtype:trojan-activity; sid:2003926; rev:7;)
# sid 2003927 (options continue on the next line of this listing): header buffer contains "User-Agent: HTTPTEST"
# (case-insensitive) and does not contain "PlayStation"; limited to 2 alerts per 300 s per source.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; content:"User-Agent|3a| HTTPTEST"; nocase; 
http_header; content:!"PlayStation"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; classtype:trojan-activity; sid:2003927; rev:9;)

# Whole-value match: the trailing |0d 0a| means the User-Agent must be exactly "Mbar"
# (case-insensitive), not merely start with it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; content:"User-Agent|3a| Mbar|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003928; classtype:trojan-activity; sid:2003928; rev:8;)

# Prefix match on "Mirar_Toolbar" (case-insensitive); second signature for the same family.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Mirar_Toolbar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003929; classtype:trojan-activity; sid:2003929; rev:7;)

# Prefix match on "Snatch-System"; alerts limited to 2 per source per 300 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Snatch-System)"; flow:to_server,established; content:"User-Agent|3a| Snatch-System"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2003930; classtype:trojan-activity; sid:2003930; rev:8;)

# User-Agent starting "IE_7.0" (case-insensitive); msg attributes it to Hupigon.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent|3a| IE_7.0"; http_header; nocase; reference:url,doc.emergingthreats.net/2003932; classtype:trojan-activity; sid:2003932; rev:7;)

# Whole-value, case-sensitive match (no nocase): the User-Agent must be exactly "Ms".
# The trailing CRLF keeps values that merely begin with "Ms" from matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Ms)"; flow:established,to_server; content:"User-Agent|3a| Ms|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003933; classtype:trojan-activity; sid:2003933; rev:7;)

# Start of the inbound WEB_SPECIFIC_APPS SQL injection signatures (external client -> $HTTP_SERVERS).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; 
flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004000; classtype:web-application-attack; sid:2004000; rev:7;)

# Gazi Download Portal family (CVE-2007-2810). The rules share the same anchors, the script
# path "/down_indir.asp?" and the parameter name "id=", and differ only in the SQL keyword pair.
# What they inspect:
#   - URI only (http_uri contents, pcre with the U flag). The same parameter sent in a
#     request body is not covered by these signatures.
#   - The three contents are unordered (no distance/within), so the keyword may sit in any
#     parameter of the request, not necessarily in id=.
#   - Action is alert: this records an attempt; it neither blocks it nor shows that it succeeded.
# A hit matters mainly if the named application is actually deployed; check the web server
# response and application logs for the same request.

# INSERT ... INTO anywhere in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004001; classtype:web-application-attack; sid:2004001; rev:7;)

# DELETE ... FROM anywhere in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:7;)

# "ASCII(" followed later by SELECT. The content anchors on SELECT; only the pcre requires
# the ASCII( call. NOTE(review): presumably aimed at character-by-character (blind)
# extraction; confirm against the referenced advisory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004003; classtype:web-application-attack; sid:2004003; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- 
down_indir.asp id UPDATE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004004; classtype:web-application-attack; sid:2004004; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id SELECT"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004005; classtype:web-application-attack; sid:2004005; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UNION SELECT"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004006; classtype:web-application-attack; sid:2004006; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id INSERT"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004007; classtype:web-application-attack; sid:2004007; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id DELETE"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; 
uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004008; classtype:web-application-attack; sid:2004008; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id ASCII"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004009; classtype:web-application-attack; sid:2004009; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE"; flow:established,to_server; uricontent:"/read/index.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004010; classtype:web-application-attack; sid:2004010; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004011; classtype:web-application-attack; sid:2004011; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"UNION"; nocase; 
pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004012; classtype:web-application-attack; sid:2004012; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004013; classtype:web-application-attack; sid:2004013; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004014; classtype:web-application-attack; sid:2004014; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004015; classtype:web-application-attack; sid:2004015; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE"; flow:established,to_server; uricontent:"/wp-admin/admin-ajax.php?"; nocase; uricontent:"cookie="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; 
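reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004016; classtype:web-application-attack; sid:2004016; rev:6;)

# AlstraSoft E-Friends (CVE-2007-2824): URI contains "/index.php?", "pack=" and UPDATE ... SET.
# The contents are unordered and URI-only. NOTE(review): "/index.php?" is a very common path,
# so hits against servers that do not run this application are plausible; scope or suppress
# accordingly.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pack="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004022; classtype:web-application-attack; sid:2004022; rev:7;)

# BtiTracker account_change.php, parameter "style=" (CVE-2007-2854). The rules share the
# path and parameter anchors and differ in the SQL keyword pair. All matching is on the
# normalized URI; request bodies are not inspected.
#
# Local change to sid:2004023: content:"SELECT" now carries http_uri like every sibling
# rule. Without the modifier the keyword was matched against the raw payload while the pcre
# (U flag) inspected the normalized URI, so the two checks could disagree on encoded
# requests and the rule could miss traffic its siblings would catch. rev is left as shipped;
# bump it according to your local rule-management policy.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004023; classtype:web-application-attack; sid:2004023; rev:6;)

# UNION followed by whitespace and SELECT in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004024; classtype:web-application-attack; sid:2004024; rev:6;)

# INSERT ... INTO variant of the same signature.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"INSERT"; nocase; http_uri; 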
pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004025; classtype:web-application-attack; sid:2004025; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004026; classtype:web-application-attack; sid:2004026; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004027; classtype:web-application-attack; sid:2004027; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"style="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004028; classtype:web-application-attack; sid:2004028; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004029; classtype:web-application-attack; sid:2004029; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004030; classtype:web-application-attack; sid:2004030; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004031; classtype:web-application-attack; sid:2004031; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004032; classtype:web-application-attack; sid:2004032; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; 
content:"langue="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004033; classtype:web-application-attack; sid:2004033; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE"; flow:established,to_server; content:"/account_change.php?"; nocase; http_uri; content:"langue="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004034; classtype:web-application-attack; sid:2004034; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php SELECT"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004035; classtype:web-application-attack; sid:2004035; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UNION SELECT"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004036; classtype:web-application-attack; sid:2004036; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php INSERT"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"INSERT"; nocase; 
http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004037; classtype:web-application-attack; sid:2004037; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php DELETE"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004038; classtype:web-application-attack; sid:2004038; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004039; classtype:web-application-attack; sid:2004039; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE"; flow:established,to_server; content:"/cart.inc.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004040; classtype:web-application-attack; sid:2004040; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; 
pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004041; classtype:web-application-attack; sid:2004041; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004042; classtype:web-application-attack; sid:2004042; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004043; classtype:web-application-attack; sid:2004043; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004044; classtype:web-application-attack; sid:2004044; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; 
uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004045; classtype:web-application-attack; sid:2004045; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; uricontent:"/modules/admin/modules/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004046; classtype:web-application-attack; sid:2004046; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen SELECT"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004047; classtype:web-application-attack; sid:2004047; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UNION SELECT"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004048; classtype:web-application-attack; sid:2004048; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen INSERT"; flow:established,to_server; 
content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004049; classtype:web-application-attack; sid:2004049; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen DELETE"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004050; classtype:web-application-attack; sid:2004050; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen ASCII"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004051; classtype:web-application-attack; sid:2004051; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004052; classtype:web-application-attack; sid:2004052; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection 
Attempt -- category.php id_category SELECT"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004053; classtype:web-application-attack; sid:2004053; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UNION SELECT"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004054; classtype:web-application-attack; sid:2004054; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category INSERT"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004055; classtype:web-application-attack; sid:2004055; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category DELETE"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004056; classtype:web-application-attack; sid:2004056; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category ASCII"; 
flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004057; classtype:web-application-attack; sid:2004057; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE"; flow:established,to_server; uricontent:"/category.php?"; nocase; uricontent:"id_category="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004058; classtype:web-application-attack; sid:2004058; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004059; classtype:web-application-attack; sid:2004059; rev:9;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UNION SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004060; classtype:web-application-attack; sid:2004060; rev:9;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL 
Injection Attempt -- rating.php rating INSERT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004061; classtype:web-application-attack; sid:2004061; rev:9;)

# Reading guide for sids 2004062-2004076 (one rule per line from here on).
# Each family targets one script and one request parameter and carries one signature per
# SQL construct: SELECT..FROM, UNION SELECT, INSERT..INTO, DELETE..FROM, ASCII(..SELECT,
# UPDATE..SET.
# A signature fires on client-to-server traffic of an established flow when the request
# URI contains, case-insensitively, the script path, the parameter name and the SQL
# keyword (content + http_uri); the pcre then confirms the keyword pair on the URI
# buffer (/U) ignoring case (/i).
# Limits to keep in mind when triaging:
#  - no content match is positioned relative to another (no distance/within), so the
#    keyword may sit anywhere in the URI, not only in the value of the parameter that
#    msg names;
#  - only the URI is inspected; the same strings in a request body are not covered;
#  - the UNION SELECT variant requires whitespace between the two keywords (\s+), the
#    other variants accept any run of characters (.+);
#  - the rules look at the request only, so an alert is an attempt seen on the wire and
#    says nothing about whether the target is vulnerable.

# 2z Project /includes/rating.php, parameter rating= (CVE-2007-2898): DELETE, ASCII, UPDATE.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating DELETE"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004062; classtype:web-application-attack; sid:2004062; rev:9;)
# The ASCII variant uses "SELECT" as its content match; "ASCII(" is checked by the pcre only.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating ASCII"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004063; classtype:web-application-attack; sid:2004063; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"rating="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004064; classtype:web-application-attack; sid:2004064; rev:9;)

# Dokeos /main/auth/my_progress.php, parameter course= (CVE-2007-2902), sids 2004065-2004070.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004065; classtype:web-application-attack; sid:2004065; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004066; classtype:web-application-attack; sid:2004066; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004067; classtype:web-application-attack; sid:2004067; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004068; classtype:web-application-attack; sid:2004068; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004069; classtype:web-application-attack; sid:2004069; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE"; flow:established,to_server; content:"/main/auth/my_progress.php?"; nocase; http_uri; content:"course="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004070; classtype:web-application-attack; sid:2004070; rev:7;)

# 2z Project /includes/rating.php, parameter post_id= (CVE-2007-2905), sids 2004071-2004076.
# Same script as the rating= family above; only the parameter name and the CVE differ,
# so a request carrying both parameters and a keyword pair alerts under both families.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004071; classtype:web-application-attack; sid:2004071; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UNION SELECT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004072; classtype:web-application-attack; sid:2004072; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id INSERT"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004073; classtype:web-application-attack; sid:2004073; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id DELETE"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004074; classtype:web-application-attack; sid:2004074; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id ASCII"; flow:established,to_server; content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004075; classtype:web-application-attack; sid:2004075; rev:9;)
# The post_id UPDATE signature starts here and continues on the next line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE"; flow:established,to_server; 
content:"/includes/rating.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004076; classtype:web-application-attack; sid:2004076; rev:9;)

# Jelsoft vBulletin /admincp/attachment.php (CVE-2007-2911), sids 2004077-2004082.
# One signature per SQL construct. Each fires on client-to-server traffic of an
# established flow when the request URI contains, case-insensitively, the script path
# and the SQL keyword; the pcre confirms the keyword pair on the URI buffer (/U, /i).
# Unlike the neighbouring families, no parameter name is required, so any keyword pair
# anywhere in a URI for this script matches. Only the URI is inspected, not the body.
# The path is under /admincp/; NOTE(review): if that area is reachable only by
# authenticated administrators (not shown here), weigh the source of a hit accordingly.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004077; classtype:web-application-attack; sid:2004077; rev:7;)
# NOTE(review): content:"UNION" is listed twice below with identical modifiers; the
# second copy adds no constraint and looks like a copy/paste leftover from a family that
# has a parameter-name match in that slot. A later signature in this file, sid 2004147,
# has the same msg and the same path/keyword/pcre conditions under a different CVE, so a
# single request raises both alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004078; classtype:web-application-attack; sid:2004078; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004079; classtype:web-application-attack; sid:2004079; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004080; classtype:web-application-attack; sid:2004080; rev:7;)
# The ASCII variant uses "SELECT" as its content match; "ASCII(" is checked by the pcre only.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004081; classtype:web-application-attack; sid:2004081; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004082; classtype:web-application-attack; sid:2004082; rev:7;)

# DGNews /news.php, parameter catid= (CVE-2007-0693), sids 2004083 onward.
# Same structure, with the parameter name as a third URI content match.
# NOTE(review): "/news.php?" plus "catid=" is not unique to this product; a hit on another
# application with the same path and parameter is still reported under the DGNews name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004083; classtype:web-application-attack; sid:2004083; rev:7;)
# The catid UNION SELECT signature starts here and continues on the next line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UNION SELECT"; 
flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004084; classtype:web-application-attack; sid:2004084; rev:7;)

# Reading guide for sids 2004085-2004100 (one rule per line from here on).
# Each family targets one script and one request parameter and carries one signature per
# SQL construct. A signature fires on client-to-server traffic of an established flow
# when the request URI contains, case-insensitively, the script path, the parameter name
# and the SQL keyword; the pcre then confirms the keyword pair on the URI buffer (/U)
# ignoring case (/i).
# No content match is positioned relative to another, so the keyword may sit anywhere in
# the URI, not only in the value of the parameter that msg names. Only the URI is
# inspected; a request body with the same strings is not covered.

# DGNews /news.php, parameter catid= (CVE-2007-0693): INSERT, DELETE, ASCII, UPDATE.
# NOTE(review): "/news.php?" plus "catid=" is not unique to this product; a hit on another
# application with the same path and parameter is still reported under the DGNews name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004085; classtype:web-application-attack; sid:2004085; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004086; classtype:web-application-attack; sid:2004086; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid ASCII"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004087; classtype:web-application-attack; sid:2004087; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004088; classtype:web-application-attack; sid:2004088; rev:7;)

# Phil-a-Form /index.php, parameter form_id= (CVE-2007-2933), sids 2004089-2004094.
# These use the legacy uricontent keyword instead of content + http_uri; both match the
# request URI, so the logic is the same as in the families above.
# NOTE(review): every pcre in this family starts with ".+", which only demands at least
# one character before the keyword; the families written with http_uri omit it.
# NOTE(review): "/index.php?" plus "form_id=" is a generic pattern; confirm the product is
# actually deployed before treating a hit as targeted at it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004089; classtype:web-application-attack; sid:2004089; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004090; classtype:web-application-attack; sid:2004090; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004091; classtype:web-application-attack; sid:2004091; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004092; classtype:web-application-attack; sid:2004092; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004093; classtype:web-application-attack; sid:2004093; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"form_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004094; classtype:web-application-attack; sid:2004094; rev:5;)

# My Little Forum /user.php, parameter id= (CVE-2007-2942), sids 2004095-2004100.
# NOTE(review): content:"id=" is a plain substring match, so it is also satisfied by any
# longer parameter name ending in "id=" (for example "uid="); together with the generic
# "/user.php?" path this family is the most likely in this group to fire on other
# applications.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004095; classtype:web-application-attack; sid:2004095; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004096; classtype:web-application-attack; sid:2004096; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004097; classtype:web-application-attack; sid:2004097; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004098; classtype:web-application-attack; sid:2004098; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004099; classtype:web-application-attack; sid:2004099; rev:8;)
# The id UPDATE signature starts here and continues on the next line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; content:"/user.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2942; 
reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004100; classtype:web-application-attack; sid:2004100; rev:8;)

# Reading guide for sids 2004101-2004119 (one rule per line from here on).
# All three families below use the legacy uricontent keyword, which matches the request
# URI like content + http_uri does. A signature fires on client-to-server traffic of an
# established flow when the URI contains, case-insensitively, the script path, the
# parameter name and the SQL keyword; the pcre then confirms the keyword pair on the URI
# buffer (/U) ignoring case (/i).
# No match is positioned relative to another, so the keyword may sit anywhere in the URI,
# not only in the value of the parameter that msg names. Only the URI is inspected; a
# request body with the same strings is not covered.

# cpCommerce /manufacturer.php, parameter id_manufacturer= (CVE-2007-2959), sids 2004101-2004106.
# NOTE(review): every pcre in this family starts with ".+", which only demands at least
# one character before the keyword; other families in this file omit it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer SELECT"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004101; classtype:web-application-attack; sid:2004101; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UNION SELECT"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004102; classtype:web-application-attack; sid:2004102; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer INSERT"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004103; classtype:web-application-attack; sid:2004103; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer DELETE"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004104; classtype:web-application-attack; sid:2004104; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer ASCII"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004105; classtype:web-application-attack; sid:2004105; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE"; flow:established,to_server; uricontent:"/manufacturer.php?"; nocase; uricontent:"id_manufacturer="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004106; classtype:web-application-attack; sid:2004106; rev:5;)

# gCards /getnewsitem.php, parameter newsid= (CVE-2007-2971), sids 2004108-2004113.
# NOTE(review): the family is not uniform. The two rev:6 signatures (2004109 UNION SELECT,
# 2004112 ASCII) have no leading ".+" in their pcre, and 2004112 also requires "ASCII" as
# a URI match; the four rev:5 signatures still carry the leading ".+".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid SELECT"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004108; classtype:web-application-attack; sid:2004108; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UNION SELECT"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004109; classtype:web-application-attack; sid:2004109; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid INSERT"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004110; classtype:web-application-attack; sid:2004110; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid DELETE"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004111; classtype:web-application-attack; sid:2004111; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid ASCII"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"ASCII"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004112; classtype:web-application-attack; sid:2004112; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE"; flow:established,to_server; uricontent:"/getnewsitem.php?"; nocase; uricontent:"newsid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004113; classtype:web-application-attack; sid:2004113; rev:5;)

# ScriptMagix Jokes /index.php, parameter catid= (CVE-2007-1615), sids 2004116 onward.
# NOTE(review): "/index.php?" plus "catid=" is a generic pattern; a hit on any other
# application with that path and parameter is still reported under the ScriptMagix name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004116; classtype:web-application-attack; sid:2004116; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004117; classtype:web-application-attack; sid:2004117; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004118; classtype:web-application-attack; sid:2004118; rev:5;)
# The catid DELETE signature starts here and continues on the next line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004119; 
classtype:web-application-attack; sid:2004119; rev:5;)

# Reading guide for sids 2004120-2004131 (one rule per line from here on).
# Each family targets one script and one request parameter and carries one signature per
# SQL construct. A signature fires on client-to-server traffic of an established flow
# when the request URI contains, case-insensitively, the script path, the parameter name
# and the SQL keyword (uricontent, or content + http_uri); the pcre then confirms the
# keyword pair on the URI buffer (/U) ignoring case (/i).
# No match is positioned relative to another, so the keyword may sit anywhere in the URI,
# not only in the value of the parameter that msg names. Only the URI is inspected; a
# request body with the same strings is not covered.

# ScriptMagix Jokes /index.php, parameter catid= (CVE-2007-1615): ASCII and UPDATE.
# NOTE(review): "/index.php?" plus "catid=" is a generic pattern; a hit on any other
# application with that path and parameter is still reported under the ScriptMagix name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004120; classtype:web-application-attack; sid:2004120; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004121; classtype:web-application-attack; sid:2004121; rev:5;)

# Katalog Plyt Audio /index.php, parameter kolumna= (CVE-2007-1612), sids 2004122-2004127.
# The path is generic, but the parameter name "kolumna=" narrows these more than the
# catid= family above does.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004122; classtype:web-application-attack; sid:2004122; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004123; classtype:web-application-attack; sid:2004123; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004124; classtype:web-application-attack; sid:2004124; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004125; classtype:web-application-attack; sid:2004125; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004126; classtype:web-application-attack; sid:2004126; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004127; classtype:web-application-attack; sid:2004127; rev:7;)

# w-Agora /search.php, parameter search_forum= (CVE-2007-1607), sids 2004128-2004131.
# NOTE(review): these four rev:5 signatures use uricontent, while the rest of the w-Agora
# family that follows in the file (rev:6, sid 2004132 onward) uses content + http_uri.
# Both forms match the request URI, so the split is a style inconsistency rather than a
# detection gap.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004128; classtype:web-application-attack; sid:2004128; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004129; classtype:web-application-attack; sid:2004129; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004130; classtype:web-application-attack; sid:2004130; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search_forum="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004131; classtype:web-application-attack; sid:2004131; rev:5;)
# The next signature starts here and continues on the next line of the file.
alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum ASCII"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_forum="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004132; classtype:web-application-attack; sid:2004132; rev:6;)

# Reading guide for sids 2004133-2004147 (one rule per line from here on).
# Each family targets one script and one request parameter and carries one signature per
# SQL construct. A signature fires on client-to-server traffic of an established flow
# when the request URI contains, case-insensitively, the script path, the parameter name
# and the SQL keyword (content + http_uri, or the legacy uricontent); the pcre then
# confirms the keyword pair on the URI buffer (/U) ignoring case (/i).
# No match is positioned relative to another, so the keyword may sit anywhere in the URI,
# not only in the value of the parameter that msg names. Only the URI is inspected; a
# request body with the same strings is not covered.

# w-Agora /search.php, parameter search_forum= (CVE-2007-1607): UPDATE.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_forum="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004133; classtype:web-application-attack; sid:2004133; rev:6;)

# w-Agora /search.php, parameter search_user= (same CVE-2007-1607), sids 2004134-2004139.
# A request that carries both search_forum= and search_user= plus a keyword pair raises
# one alert from each parameter family.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user SELECT"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004134; classtype:web-application-attack; sid:2004134; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UNION SELECT"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004135; classtype:web-application-attack; sid:2004135; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user INSERT"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004136; classtype:web-application-attack; sid:2004136; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user DELETE"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004137; classtype:web-application-attack; sid:2004137; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user ASCII"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004138; classtype:web-application-attack; sid:2004138; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search_user="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004139; classtype:web-application-attack; sid:2004139; rev:6;)

# Weekly Drawing Contest /check_vote.php, parameter order= (CVE-2007-1602), sids 2004140-2004145.
# Written with the legacy uricontent keyword; the matching logic is the same as above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order SELECT"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004140; classtype:web-application-attack; sid:2004140; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UNION SELECT"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004141; classtype:web-application-attack; sid:2004141; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order INSERT"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004142; classtype:web-application-attack; sid:2004142; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order DELETE"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004143; classtype:web-application-attack; sid:2004143; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order ASCII"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004144; classtype:web-application-attack; sid:2004144; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE"; flow:established,to_server; uricontent:"/check_vote.php?"; nocase; uricontent:"order="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004145; classtype:web-application-attack; sid:2004145; rev:5;)

# Jelsoft vBulletin /admincp/attachment.php UNION SELECT (CVE-2007-1573), sid 2004147.
# NOTE(review): the msg text and the match conditions (script path, "UNION",
# /UNION\s+SELECT/Ui) are the same as in sid 2004078 earlier in this file, which cites
# CVE-2007-2911; only the CVE and the reference URL differ. One request therefore raises
# two alerts with an identical message. Tell them apart by sid, and consider suppressing
# one of the two locally if the duplicate adds noise.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004147; classtype:web-application-attack; sid:2004147; rev:6;)

# The JGBBS search.asp title= SELECT signature starts here and continues on the next line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"SELECT"; nocase; http_uri; 
pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004152; classtype:web-application-attack; sid:2004152; rev:6;)
# --- JGBBS search.asp, parameter title (CVE-2007-1572) -------------------------
# Remaining keyword variants. Each rule needs the script path, "title=" and one
# SQL keyword in the URI (case-insensitive, order not enforced), then a
# URI-scoped pcre confirming the keyword pair.
# NOTE(review): matches are URI-only and to_server-only; an alert is evidence of
# an attempt and needs server-side logs to judge impact.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004153; classtype:web-application-attack; sid:2004153; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004154; classtype:web-application-attack; sid:2004154; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004155; classtype:web-application-attack; sid:2004155; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004156; classtype:web-application-attack; sid:2004156; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"title="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004157; classtype:web-application-attack; sid:2004157; rev:6;)
# --- NetVIOS Portal /News/page.asp, parameter NewsID (CVE-2007-1566) -----------
# Six keyword variants (SELECT, UNION SELECT, INSERT, DELETE, ASCII, UPDATE).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004158; classtype:web-application-attack; sid:2004158; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004159; classtype:web-application-attack; sid:2004159; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004160; classtype:web-application-attack; sid:2004160; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004161; classtype:web-application-attack; sid:2004161; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004162; classtype:web-application-attack; sid:2004162; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; content:"/News/page.asp?"; nocase; http_uri; content:"NewsID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004163; classtype:web-application-attack; sid:2004163; rev:7;)
# --- Minerva mod forum.php, parameter c (CVE-2007-1555) ------------------------
# NOTE(review): the parameter match is the two-byte string "c=", which is also
# satisfied by any URI parameter whose name merely ends in "c", and
# "/forum.php?" is a common script name. Expect these six sids to fire on
# unrelated applications; scope $HTTP_SERVERS or suppress per host where
# Minerva is not deployed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c SELECT"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004164; classtype:web-application-attack; sid:2004164; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UNION SELECT"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004165; classtype:web-application-attack; sid:2004165; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c INSERT"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004166; classtype:web-application-attack; sid:2004166; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c DELETE"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004167; classtype:web-application-attack; sid:2004167; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004169; classtype:web-application-attack; sid:2004169; rev:6;)
# --- phpx gallery.php, parameter image_id (CVE-2007-1550) ----------------------
# The phpx rules use the legacy uricontent keyword rather than content + http_uri.
# NOTE(review): verify that the engine version this file is loaded into still
# accepts uricontent.
# The INSERT rule at the end of this group is cut by the line wrap and continues
# below.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004170; classtype:web-application-attack; sid:2004170; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004171; classtype:web-application-attack; sid:2004171; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004172; 
classtype:web-application-attack; sid:2004172; rev:5;)
# --- phpx (CVE-2007-1550): gallery.php image_id, remaining variants ------------
# Every phpx rule follows one template: three case-insensitive uricontent
# matches (script path, parameter name, one SQL keyword; order not enforced)
# plus a URI-scoped pcre confirming the keyword pair. Variants per parameter:
# SELECT, UNION SELECT, INSERT, DELETE, ASCII, UPDATE.
# NOTE(review): matches are URI-only and to_server-only, so an alert is evidence
# of an attempt; check server-side logs before rating impact.
# NOTE(review): the variants overlap (a URI with "UNION SELECT" and a later
# "FROM" satisfies both the SELECT and the UNION SELECT rule), so one request
# can raise several sids. Correlate by flow when triaging.
# NOTE(review): uricontent is the legacy spelling of a URI-buffer content match;
# verify that the target engine version still accepts it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004173; classtype:web-application-attack; sid:2004173; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004174; classtype:web-application-attack; sid:2004174; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"image_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004175; classtype:web-application-attack; sid:2004175; rev:5;)
# phpx gallery.php, parameter cat_id. "cat_id=" is also a substring of
# "news_cat_id=", so a gallery.php URI carrying the longer name satisfies it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004176; classtype:web-application-attack; sid:2004176; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004177; classtype:web-application-attack; sid:2004177; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004178; classtype:web-application-attack; sid:2004178; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004179; classtype:web-application-attack; sid:2004179; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004180; classtype:web-application-attack; sid:2004180; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004181; classtype:web-application-attack; sid:2004181; rev:5;)
# phpx news.php, parameter news_id.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004182; classtype:web-application-attack; sid:2004182; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004183; classtype:web-application-attack; sid:2004183; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004184; classtype:web-application-attack; sid:2004184; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004185; classtype:web-application-attack; sid:2004185; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id ASCII"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004186; classtype:web-application-attack; sid:2004186; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004187; classtype:web-application-attack; sid:2004187; rev:5;)
# phpx print.php, parameter news_id.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004188; classtype:web-application-attack; sid:2004188; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UNION SELECT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004189; classtype:web-application-attack; sid:2004189; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id INSERT"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004190; classtype:web-application-attack; sid:2004190; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id DELETE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004191; classtype:web-application-attack; sid:2004191; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id ASCII"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004192; classtype:web-application-attack; sid:2004192; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE"; flow:established,to_server; uricontent:"/print.php?"; nocase; uricontent:"news_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004193; classtype:web-application-attack; sid:2004193; rev:5;)
# phpx news.php, parameter news_cat_id. The ASCII rule at the end of this group
# is cut by the line wrap and continues below.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004194; classtype:web-application-attack; sid:2004194; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004195; classtype:web-application-attack; sid:2004195; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004196; classtype:web-application-attack; sid:2004196; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004197; classtype:web-application-attack; sid:2004197; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id ASCII"; flow:established,to_server; 
uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004198; classtype:web-application-attack; sid:2004198; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"news_cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004199; classtype:web-application-attack; sid:2004199; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004200; classtype:web-application-attack; sid:2004200; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UNION SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004201; classtype:web-application-attack; sid:2004201; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id INSERT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"INSERT"; nocase; 
pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004202; classtype:web-application-attack; sid:2004202; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id DELETE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004203; classtype:web-application-attack; sid:2004203; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id ASCII"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004204; classtype:web-application-attack; sid:2004204; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004205; classtype:web-application-attack; sid:2004205; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; 
reference:url,doc.emergingthreats.net/2004206; classtype:web-application-attack; sid:2004206; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UNION SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004207; classtype:web-application-attack; sid:2004207; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id INSERT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004208; classtype:web-application-attack; sid:2004208; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id DELETE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004209; classtype:web-application-attack; sid:2004209; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id ASCII"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004210; classtype:web-application-attack; sid:2004210; rev:5;) alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"topic_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004211; classtype:web-application-attack; sid:2004211; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004212; classtype:web-application-attack; sid:2004212; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UNION SELECT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004213; classtype:web-application-attack; sid:2004213; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id INSERT"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004214; classtype:web-application-attack; sid:2004214; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php 
post_id DELETE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004215; classtype:web-application-attack; sid:2004215; rev:5;)
# phpx (CVE-2007-1550 per the reference fields): remaining forums.php post_id
# variants, then the first users.php user_id rule. All are URI-only matches:
# script path + parameter name + SQL keyword (nocase), confirmed by a pcre on
# the normalized URI (U modifier).
# The ASCII variant pre-filters on SELECT and requires "ASCII(" followed later
# by SELECT in the URI.
# NOTE(review): uricontent is the legacy spelling of content + http_uri; confirm
# the deployed engine version still accepts it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id ASCII"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004216; classtype:web-application-attack; sid:2004216; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE"; flow:established,to_server; uricontent:"/forums.php?"; nocase; uricontent:"post_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004217; classtype:web-application-attack; sid:2004217; rev:5;)
# users.php, user_id parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id SELECT"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004218; classtype:web-application-attack; sid:2004218; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UNION SELECT"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; 
uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004219; classtype:web-application-attack; sid:2004219; rev:5;)
# phpx users.php, user_id parameter (CVE-2007-1550 per the reference fields):
# INSERT, DELETE, ASCII and UPDATE variants. Each requires the script path, the
# parameter name and a SQL keyword in the URI (nocase), then a pcre on the
# normalized URI (U modifier) for the keyword pair.
# NOTE(review): URI-only inspection; a request that carries user_id in the body
# is outside what these rules look at. "user_id=" is an unanchored substring
# match, so confirm the actual parameter during triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id INSERT"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004220; classtype:web-application-attack; sid:2004220; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id DELETE"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004221; classtype:web-application-attack; sid:2004221; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id ASCII"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004222; classtype:web-application-attack; sid:2004222; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE"; flow:established,to_server; uricontent:"/users.php?"; nocase; uricontent:"user_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; 
reference:url,doc.emergingthreats.net/2004223; classtype:web-application-attack; sid:2004223; rev:5;)
# Web Wiz Forums, /functions/functions_filters.asp (CVE-2007-1548 per the
# reference fields). These rules match the script path plus a SQL keyword in the
# URI (nocase) and confirm the keyword pair with a pcre on the normalized URI
# (U modifier). No parameter name is required, unlike the other Web Wiz rules
# in this file.
# NOTE(review): URI-only inspection; request bodies are not examined here.
# NOTE(review): uricontent is the legacy spelling of content + http_uri; confirm
# the deployed engine version still accepts it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp SELECT"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004224; classtype:web-application-attack; sid:2004224; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UNION SELECT"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004225; classtype:web-application-attack; sid:2004225; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp INSERT"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004226; classtype:web-application-attack; sid:2004226; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp DELETE"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004227; classtype:web-application-attack; sid:2004227; rev:5;)
alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp ASCII"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004228; classtype:web-application-attack; sid:2004228; rev:5;)
# Web Wiz Forums (CVE-2007-1548 per the reference fields): last
# functions_filters.asp variant, then /forum/pop_up_member_search.asp with the
# name parameter. All matches are on the URI (nocase), with a pcre on the
# normalized URI (U modifier) confirming the SQL keyword pair.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE"; flow:established,to_server; uricontent:"/functions/functions_filters.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004229; classtype:web-application-attack; sid:2004229; rev:5;)
# NOTE(review): "name=" is an unanchored substring, so it also matches inside
# longer parameter names; confirm the parameter during triage. URI-only
# inspection: request bodies are not examined by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name SELECT"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004230; classtype:web-application-attack; sid:2004230; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UNION SELECT"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004231; classtype:web-application-attack; sid:2004231; rev:5;)
alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name INSERT"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004232; classtype:web-application-attack; sid:2004232; rev:5;)
# Web Wiz Forums (CVE-2007-1548 per the reference fields): remaining
# pop_up_member_search.asp name variants, then the first /News/page.asp NewsID
# rule. Path, parameter name and SQL keyword are matched in the URI (nocase);
# the pcre confirms the keyword pair on the normalized URI (U modifier).
# NOTE(review): the pop_up_member_search.asp group has no ASCII variant between
# sids 2004230 and 2004234, unlike the neighbouring groups; confirm whether that
# is intentional.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name DELETE"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004233; classtype:web-application-attack; sid:2004233; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004234; classtype:web-application-attack; sid:2004234; rev:5;)
# /News/page.asp, NewsID parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004235; classtype:web-application-attack; sid:2004235; rev:5;)
alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004236; classtype:web-application-attack; sid:2004236; rev:5;)
# Web Wiz Forums /News/page.asp, NewsID parameter (CVE-2007-1548 per the
# reference fields): INSERT, DELETE and ASCII variants. Path, parameter name and
# SQL keyword are matched in the URI (nocase); the pcre confirms the keyword
# pair on the normalized URI (U modifier). The ASCII variant pre-filters on
# SELECT and requires "ASCII(" followed later by SELECT.
# NOTE(review): URI-only inspection; a NewsID value sent in a request body is
# not examined by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004237; classtype:web-application-attack; sid:2004237; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004238; classtype:web-application-attack; sid:2004238; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004239; classtype:web-application-attack; sid:2004239; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection 
Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; uricontent:"/News/page.asp?"; nocase; uricontent:"NewsID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004240; classtype:web-application-attack; sid:2004240; rev:5;)
# PHP-Stats, /php-stats.recphp.php with the ip parameter (CVE-2006-7172 per the
# reference fields). Path, parameter name and SQL keyword are matched in the URI
# (nocase); the pcre confirms the keyword pair on the normalized URI (U modifier).
# NOTE(review): "ip=" is a three-byte unanchored substring, so it also matches
# the tail of longer parameter names; the msg's attribution to the ip parameter
# should be confirmed in triage.
# NOTE(review): URI-only inspection; request bodies are not examined here.
# uricontent is the legacy spelling of content + http_uri; confirm the deployed
# engine version still accepts it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip SELECT"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004241; classtype:web-application-attack; sid:2004241; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UNION SELECT"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004242; classtype:web-application-attack; sid:2004242; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip INSERT"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004243; classtype:web-application-attack; sid:2004243; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip DELETE"; flow:established,to_server; 
uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004244; classtype:web-application-attack; sid:2004244; rev:5;)
# PHP-Stats (CVE-2006-7172 per the reference fields): ASCII and UPDATE variants
# for /php-stats.recphp.php with the ip parameter. URI-only matches (nocase)
# with a pcre on the normalized URI (U modifier). The ASCII variant pre-filters
# on SELECT and requires "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip ASCII"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004245; classtype:web-application-attack; sid:2004245; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE"; flow:established,to_server; uricontent:"/php-stats.recphp.php?"; nocase; uricontent:"ip="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004246; classtype:web-application-attack; sid:2004246; rev:5;)
# Woltlab Burning Board, /usergroups.php (CVE-2007-1518 per the reference
# fields). Only the script path and the SQL keyword are required in the URI; no
# parameter name is matched.
# NOTE(review): URI-only inspection; request bodies are not examined here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php SELECT"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004247; classtype:web-application-attack; sid:2004247; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UNION SELECT"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"UNION"; nocase; 
pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004248; classtype:web-application-attack; sid:2004248; rev:5;)
# Woltlab Burning Board, /usergroups.php (CVE-2007-1518 per the reference
# fields): INSERT, DELETE, ASCII and UPDATE variants. Each requires the script
# path and a SQL keyword in the URI (nocase) and confirms the keyword pair with
# a pcre on the normalized URI (U modifier). No parameter name is matched.
# NOTE(review): URI-only inspection; request bodies are not examined here.
# uricontent is the legacy spelling of content + http_uri; confirm the deployed
# engine version still accepts it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php INSERT"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004249; classtype:web-application-attack; sid:2004249; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php DELETE"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004250; classtype:web-application-attack; sid:2004250; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php ASCII"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004251; classtype:web-application-attack; sid:2004251; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE"; flow:established,to_server; uricontent:"/usergroups.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004252; 
classtype:web-application-attack; sid:2004252; rev:5;)
# WSN Guest, /comments.php with the id parameter (CVE-2007-1517 per the
# reference fields). These rules use content + http_uri rather than uricontent:
# path, parameter name and SQL keyword must appear in the URI buffer (nocase),
# and the pcre confirms the keyword pair on the normalized URI (U modifier).
# NOTE(review): "id=" is a three-byte unanchored substring and also matches the
# tail of longer parameter names; confirm the parameter during triage.
# NOTE(review): URI-only inspection; request bodies are not examined here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004253; classtype:web-application-attack; sid:2004253; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004254; classtype:web-application-attack; sid:2004254; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004255; classtype:web-application-attack; sid:2004255; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004256; classtype:web-application-attack; sid:2004256; 
rev:6;)
# WSN Guest /comments.php id (CVE-2007-1517 per the reference fields): ASCII and
# UPDATE variants, written with content + http_uri. The ASCII variant
# pre-filters on SELECT and requires "ASCII(" followed later by SELECT in the
# normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004257; classtype:web-application-attack; sid:2004257; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; content:"/comments.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004258; classtype:web-application-attack; sid:2004258; rev:6;)
# Particle Blogger, /post.php with the postid parameter (CVE-2007-1510 per the
# reference fields). These use the legacy uricontent keyword; path, parameter
# name and SQL keyword are matched in the URI (nocase), then a pcre on the
# normalized URI (U modifier).
# NOTE(review): "/post.php?" is an unanchored substring and would also match any
# longer script name ending in post.php; confirm the target application when
# triaging. URI-only inspection: request bodies are not examined here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid SELECT"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004259; classtype:web-application-attack; sid:2004259; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UNION SELECT"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004260; classtype:web-application-attack; sid:2004260; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid INSERT"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004261; classtype:web-application-attack; sid:2004261; rev:5;)
# Particle Blogger /post.php postid (CVE-2007-1510 per the reference fields):
# DELETE, ASCII and UPDATE variants. Path, parameter name and SQL keyword are
# matched in the URI (nocase); the pcre confirms the keyword pair on the
# normalized URI (U modifier). The ASCII variant pre-filters on SELECT and
# requires "ASCII(" followed later by SELECT.
# NOTE(review): URI-only inspection; request bodies are not examined here.
# uricontent is the legacy spelling of content + http_uri; confirm the deployed
# engine version still accepts it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid DELETE"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004262; classtype:web-application-attack; sid:2004262; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid ASCII"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004263; classtype:web-application-attack; sid:2004263; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE"; flow:established,to_server; uricontent:"/post.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004264; classtype:web-application-attack; sid:2004264; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; 
flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004265; classtype:web-application-attack; sid:2004265; rev:7;)
# Koan Software Mega Mall, /product_review.php with the array-style "x["
# parameter (CVE-2006-7171 per the reference fields). Path, "x[" and the SQL
# keyword must appear in the URI buffer (content + http_uri, nocase); the pcre
# confirms the keyword pair on the normalized URI (U modifier).
# NOTE(review): the msg text "product_review.php x ..." is reused verbatim by the
# later "x=" rules (sid 2004289 onward, CVE-2006-7170), so alerts from the two
# groups can only be told apart by sid.
# NOTE(review): URI-only inspection; request bodies are not examined here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004266; classtype:web-application-attack; sid:2004266; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004267; classtype:web-application-attack; sid:2004267; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004268; classtype:web-application-attack; sid:2004268; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega 
Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004269; classtype:web-application-attack; sid:2004269; rev:6;)
# Koan Software Mega Mall /product_review.php: last "x[" variant
# (CVE-2006-7171), then the first "t=" rules (CVE-2006-7170), per the reference
# fields. All matches are on the URI buffer (content + http_uri, nocase) with a
# pcre on the normalized URI (U modifier).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x["; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004270; classtype:web-application-attack; sid:2004270; rev:6;)
# NOTE(review): sid 2004271 has no content:"SELECT" pre-filter, unlike its
# sibling rules, so the pcre is evaluated for every URI that contains the path
# and "t="; detection is unchanged (the pcre still requires SELECT ... FROM) but
# the rule is inconsistent and likely costlier.
# NOTE(review): "t=" is a two-byte unanchored substring and matches the tail of
# any parameter name ending in "t"; confirm the parameter during triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004271; classtype:web-application-attack; sid:2004271; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004272; classtype:web-application-attack; sid:2004272; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004273; classtype:web-application-attack; sid:2004273; rev:6;)
# Koan Software Mega Mall /product_review.php, "t=" parameter (CVE-2006-7170 per
# the reference fields): DELETE, ASCII and UPDATE variants. Path, "t=" and the
# SQL keyword must appear in the URI buffer (content + http_uri, nocase); the
# pcre confirms the keyword pair on the normalized URI (U modifier). The ASCII
# variant pre-filters on SELECT and requires "ASCII(" followed later by SELECT.
# NOTE(review): "t=" is a two-byte unanchored substring and matches the tail of
# any parameter name ending in "t"; confirm the parameter during triage.
# NOTE(review): URI-only inspection; request bodies are not examined here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004274; classtype:web-application-attack; sid:2004274; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004275; classtype:web-application-attack; sid:2004275; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004276; classtype:web-application-attack; sid:2004276; rev:6;)
alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004277; classtype:web-application-attack; sid:2004277; rev:6;)
# Koan Software Mega Mall /product_review.php, productId parameter
# (CVE-2006-7170 per the reference fields). Path, "productId=" and the SQL
# keyword must appear in the URI buffer (content + http_uri, nocase); the pcre
# confirms the keyword pair on the normalized URI (U modifier).
# NOTE(review): the rule ending on the line above (sid 2004277) has no
# content:"SELECT" pre-filter, unlike the rules below; its pcre still requires
# SELECT ... FROM, so detection is unchanged, but the rule is inconsistent and
# likely costlier to evaluate.
# NOTE(review): URI-only inspection; request bodies are not examined here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004278; classtype:web-application-attack; sid:2004278; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004279; classtype:web-application-attack; sid:2004279; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; 
reference:url,doc.emergingthreats.net/2004280; classtype:web-application-attack; sid:2004280; rev:6;)
# Koan Software Mega Mall /product_review.php (CVE-2006-7170 per the reference
# fields): remaining productId variants, then the first "sk=" rules. Matches are
# on the URI buffer (content + http_uri, nocase) with a pcre on the normalized
# URI (U modifier). The ASCII variant pre-filters on SELECT and requires
# "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004281; classtype:web-application-attack; sid:2004281; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"productId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004282; classtype:web-application-attack; sid:2004282; rev:6;)
# NOTE(review): sid 2004283 has no content:"SELECT" pre-filter, unlike its
# sibling rules; the pcre still requires SELECT ... FROM, so detection is
# unchanged, but the rule is inconsistent and likely costlier to evaluate.
# NOTE(review): "sk=" is a three-byte unanchored substring and matches the tail
# of longer parameter names; confirm the parameter during triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004283; classtype:web-application-attack; sid:2004283; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; 
reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004284; classtype:web-application-attack; sid:2004284; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004285; classtype:web-application-attack; sid:2004285; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004286; classtype:web-application-attack; sid:2004286; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004287; classtype:web-application-attack; sid:2004287; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"sk="; nocase; http_uri; 
content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004288; classtype:web-application-attack; sid:2004288; rev:6;)
# Koan Software Mega Mall -- product_review.php, "x" parameter: sids 2004289-2004294, CVE-2006-7170.
# NOTE(review): content:"x=" is a two-byte substring match on the URI, so any parameter whose name
# ends in "x" satisfies it; the script path and the pcre are the selective parts of these rules.
# NOTE(review): the SELECT variant (2004289) relies on its pcre alone; the other five variants add a
# keyword content match ahead of the pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004289; classtype:web-application-attack; sid:2004289; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004290; classtype:web-application-attack; sid:2004290; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004291; classtype:web-application-attack; sid:2004291; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004292; classtype:web-application-attack; sid:2004292; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004293; classtype:web-application-attack; sid:2004293; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004294; classtype:web-application-attack; sid:2004294; rev:6;)
# Koan Software Mega Mall -- product_review.php, "so" parameter: sids 2004295-2004300, CVE-2006-7170.
# Direction is fixed to $EXTERNAL_NET -> $HTTP_SERVERS on $HTTP_PORTS with an established, to_server
# flow, so requests from other sources, or to servers/ports outside those variables, are not inspected.
# An alert records that a request matched the pattern; these rules do not look at the response.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004295; classtype:web-application-attack; sid:2004295; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004296; classtype:web-application-attack; sid:2004296; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so INSERT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004297; classtype:web-application-attack; sid:2004297; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so DELETE"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004298; classtype:web-application-attack; sid:2004298; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ASCII"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004299; classtype:web-application-attack; sid:2004299; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE";
flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004300; classtype:web-application-attack; sid:2004300; rev:6;)
# Koan Software Mega Mall -- order-track.php, "orderNo" parameter: sids 2004301-2004306, CVE-2006-7170.
# Each rule requires "/order-track.php?" and "orderNo=" in the request URI (nocase), then a
# case-insensitive pcre on the normalized URI (flags U and i) for the SQL keyword pair.
# NOTE(review): the SELECT variant (2004301) has no content:"SELECT" ahead of its pcre; the other
# five variants do carry a keyword content match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo SELECT"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004301; classtype:web-application-attack; sid:2004301; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UNION SELECT"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004302; classtype:web-application-attack; sid:2004302; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo INSERT"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004303; classtype:web-application-attack; sid:2004303; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo DELETE"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004304; classtype:web-application-attack; sid:2004304; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ASCII"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004305; classtype:web-application-attack; sid:2004305; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE"; flow:established,to_server; content:"/order-track.php?"; nocase; http_uri; content:"orderNo="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004306; classtype:web-application-attack; sid:2004306; rev:6;)
# NukeSentinel -- nukesentinel.php: sids 2004307-2004312, CVE-2007-1493.
# Written with uricontent (the legacy form of content + http_uri) where neighbouring groups use the
# modifier form.
# NOTE(review): no parameter name is required here, only the script path and the SQL keywords in the
# URI, so any query string sent to this script that contains the keyword pair matches.
# NOTE(review): the UNION SELECT variant matches only when whitespace separates the two keywords (\s+).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004307; classtype:web-application-attack; sid:2004307; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004308; classtype:web-application-attack; sid:2004308; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004309; classtype:web-application-attack; sid:2004309; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004310; classtype:web-application-attack; sid:2004310; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004311; classtype:web-application-attack; sid:2004311; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE";
flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004312; classtype:web-application-attack; sid:2004312; rev:5;)
# WBBlog -- index.php, "e_id" parameter: sids 2004313-2004318, CVE-2007-1481.
# Variant order differs from neighbouring groups: UPDATE (2004317) comes before ASCII (2004318).
# NOTE(review): "/index.php?" is a common script path, so "e_id=" and the pcre do the narrowing;
# "e_id=" is a substring match on the URI and is not anchored to a parameter boundary.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004313; classtype:web-application-attack; sid:2004313; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004314; classtype:web-application-attack; sid:2004314; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004315; classtype:web-application-attack; sid:2004315; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004316; classtype:web-application-attack; sid:2004316; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004317; classtype:web-application-attack; sid:2004317; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004318; classtype:web-application-attack; sid:2004318; rev:6;)
# Absolute Image Gallery -- gallery.asp, "categoryid" parameter: sids 2004319-2004324, CVE-2007-1469.
# NOTE(review): none of these six rules has a keyword content match; once the path and parameter
# match, the pcre is the only keyword test. Other groups in this file put a content match such as
# content:"UNION" ahead of the pcre.
# NOTE(review): "categoryid=" and the pcre are matched anywhere in the URI, independently of each other.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004319; classtype:web-application-attack; sid:2004319; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UNION SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004320; classtype:web-application-attack; sid:2004320; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid INSERT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004321; classtype:web-application-attack; sid:2004321; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid DELETE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004322; classtype:web-application-attack; sid:2004322; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ASCII"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004323; classtype:web-application-attack; sid:2004323; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1469;
reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004324; classtype:web-application-attack; sid:2004324; rev:5;)
# PHP-Nuke -- mainfile.php, "lang" parameter: sids 2004325-2004330, CVE-2007-1450.
# Written with uricontent (the legacy form of content + http_uri). The path, "lang=" and the keyword
# are independent substring matches on the URI, followed by a pcre (flags U and i) for the keyword pair.
# NOTE(review): "lang=" also matches inside longer parameter names that end in "lang".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang SELECT"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004325; classtype:web-application-attack; sid:2004325; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UNION SELECT"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004326; classtype:web-application-attack; sid:2004326; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang INSERT"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004327; classtype:web-application-attack; sid:2004327; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang DELETE"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004328; classtype:web-application-attack; sid:2004328; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang ASCII"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004329; classtype:web-application-attack; sid:2004329; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE"; flow:established,to_server; uricontent:"/mainfile.php?"; nocase; uricontent:"lang="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004330; classtype:web-application-attack; sid:2004330; rev:5;)
# BP Blog -- default.asp, "layout" parameter: sids 2004331-2004336, CVE-2007-1445.
# Only the request URI is inspected (http_uri, pcre U); the same parameter carried in a request body
# is outside these rules.
# NOTE(review): the keyword match is not positioned relative to "layout="; it may sit anywhere in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004331; classtype:web-application-attack; sid:2004331; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004332; classtype:web-application-attack; sid:2004332; rev:6;)
alert tcp
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004333; classtype:web-application-attack; sid:2004333; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004334; classtype:web-application-attack; sid:2004334; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004335; classtype:web-application-attack; sid:2004335; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"layout="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004336; classtype:web-application-attack; sid:2004336; rev:6;)
# JGBBS -- search.asp, "author" parameter: sids 2004337-2004342, CVE-2007-1440.
# NOTE(review): presumably "author" is a free-text search field (inferred from the script name; confirm).
# The pcre only needs the first keyword followed later by the second anywhere in the URI, so ordinary
# search text can satisfy it; triage alerts on the surrounding request rather than the match alone.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004337; classtype:web-application-attack; sid:2004337; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004338; classtype:web-application-attack; sid:2004338; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004339; classtype:web-application-attack; sid:2004339; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004340; classtype:web-application-attack; sid:2004340; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004341; classtype:web-application-attack; sid:2004341; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"author="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004342; classtype:web-application-attack; sid:2004342; rev:6;)
# X-Ice News System -- devami.asp, "id" parameter: sids 2004343-2004348, CVE-2007-1438.
# Written with uricontent (the legacy form of content + http_uri).
# NOTE(review): "id=" is a substring match on the URI, so longer parameter names that end in "id"
# (e.g. a constructed "catid=") also satisfy it; the script path and the pcre are the selective parts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004343; classtype:web-application-attack; sid:2004343; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004344; classtype:web-application-attack; sid:2004344; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id INSERT";
flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004345; classtype:web-application-attack; sid:2004345; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004346; classtype:web-application-attack; sid:2004346; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004347; classtype:web-application-attack; sid:2004347; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; uricontent:"/devami.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004348; classtype:web-application-attack; sid:2004348; rev:5;)
# Grayscale Blog -- userdetail.php, "id" parameter: sids 2004349-2004354, CVE-2007-1434.
# Every variant, including SELECT, has a keyword content match on the URI ahead of its pcre.
# NOTE(review): "id=" is a substring match on the URI and is not anchored to a parameter boundary,
# and the keyword is not positioned relative to it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id SELECT"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004349; classtype:web-application-attack; sid:2004349; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UNION SELECT"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004350; classtype:web-application-attack; sid:2004350; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id INSERT"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004351; classtype:web-application-attack; sid:2004351; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id DELETE"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004352; classtype:web-application-attack; sid:2004352; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id ASCII"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004353; classtype:web-application-attack; sid:2004353; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE"; flow:established,to_server; content:"/userdetail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004354; classtype:web-application-attack; sid:2004354; rev:6;)
# Grayscale Blog -- jump.php, "id" parameter: sids 2004355-2004360, CVE-2007-1434.
# These rules inspect only the to_server side of the flow, so an alert means a request matched the
# pattern; it does not show how the application responded. Confirm impact from server-side logs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004355; classtype:web-application-attack; sid:2004355; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UNION SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004356; classtype:web-application-attack; sid:2004356; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id INSERT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004357; classtype:web-application-attack; sid:2004357; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id DELETE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004358; classtype:web-application-attack; sid:2004358; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id ASCII"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004359; classtype:web-application-attack; sid:2004359; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004360; classtype:web-application-attack; sid:2004360; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id SELECT"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434;
reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004361; classtype:web-application-attack; sid:2004361; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UNION SELECT"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004362; classtype:web-application-attack; sid:2004362; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id INSERT"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004363; classtype:web-application-attack; sid:2004363; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004364; classtype:web-application-attack; sid:2004364; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id ASCII"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; 
reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004365; classtype:web-application-attack; sid:2004365; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE"; flow:established,to_server; content:"/detail.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004366; classtype:web-application-attack; sid:2004366; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004367; classtype:web-application-attack; sid:2004367; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UNION SELECT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004368; classtype:web-application-attack; sid:2004368; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url INSERT"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1434; 
reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004369; classtype:web-application-attack; sid:2004369; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url DELETE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004370; classtype:web-application-attack; sid:2004370; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url ASCII"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004371; classtype:web-application-attack; sid:2004371; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE"; flow:established,to_server; content:"/jump.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004372; classtype:web-application-attack; sid:2004372; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1428; 
reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004373; classtype:web-application-attack; sid:2004373; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004374; classtype:web-application-attack; sid:2004374; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004375; classtype:web-application-attack; sid:2004375; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004376; classtype:web-application-attack; sid:2004376; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; 
reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004377; classtype:web-application-attack; sid:2004377; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004378; classtype:web-application-attack; sid:2004378; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004379; classtype:web-application-attack; sid:2004379; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004380; classtype:web-application-attack; sid:2004380; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1425; 
reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004381; classtype:web-application-attack; sid:2004381; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004382; classtype:web-application-attack; sid:2004382; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004383; classtype:web-application-attack; sid:2004383; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"list="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004384; classtype:web-application-attack; sid:2004384; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id SELECT"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; 
reference:url,doc.emergingthreats.net/2004385; classtype:web-application-attack; sid:2004385; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UNION SELECT"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004386; classtype:web-application-attack; sid:2004386; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id INSERT"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004387; classtype:web-application-attack; sid:2004387; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id DELETE"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004388; classtype:web-application-attack; sid:2004388; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id ASCII"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; 
reference:url,doc.emergingthreats.net/2004389; classtype:web-application-attack; sid:2004389; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE"; flow:established,to_server; content:"/goster.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004390; classtype:web-application-attack; sid:2004390; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori SELECT"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004397; classtype:web-application-attack; sid:2004397; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UNION SELECT"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004398; classtype:web-application-attack; sid:2004398; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori INSERT"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1410; 
reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004399; classtype:web-application-attack; sid:2004399; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori DELETE"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004400; classtype:web-application-attack; sid:2004400; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori ASCII"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004401; classtype:web-application-attack; sid:2004401; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE"; flow:established,to_server; content:"/kategori.asp?"; nocase; http_uri; content:"kategori="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004402; classtype:web-application-attack; sid:2004402; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1409; 
reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004403; classtype:web-application-attack; sid:2004403; rev:5;)
# (The line above is the tail of the sid 2004403 rule, which starts on the previous line of the file.)
#
# --- WordPress /wp-admin/admin-functions.php SQL injection attempts (CVE-2007-1409), sids 2004404-2004408 ---
# Each rule alerts on established, client-to-server TCP traffic from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS when the request URI contains the script path and one SQL
# keyword, and the pcre then confirms a keyword pair in the same URI buffer (flag U) without
# regard to case (flag i).
# Coverage limits: only the request URI is inspected, so a value carried in a request body is
# not seen by these rules. No parameter name is required, so any query string on this path
# holding the keyword pair alerts. The rules only see traffic that matches the configured
# $HTTP_SERVERS / $HTTP_PORTS variables.
# Triage: an alert records a request pattern, not a successful injection; check the installed
# application version and the server response before escalating.
# NOTE(review): these rules use the legacy `uricontent` keyword, while the Links Management
# rules below use `content ...; http_uri;` — presumably equivalent matching; confirm that the
# target engine version still accepts `uricontent`.
#
# sid 2004404: "UNION", one or more whitespace characters, then "SELECT".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004404; classtype:web-application-attack; sid:2004404; rev:5;)
# sid 2004405: "INSERT" followed, after at least one character, by "INTO".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004405; classtype:web-application-attack; sid:2004405; rev:5;)
# sid 2004406: "DELETE" followed, after at least one character, by "FROM".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004406; classtype:web-application-attack; sid:2004406; rev:5;)
# sid 2004407: "ASCII(" followed, after at least one character, by "SELECT"; the content
# pre-filter only requires "SELECT".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004407; classtype:web-application-attack; sid:2004407; rev:5;)
# sid 2004408: "UPDATE" followed, after at least one character, by "SET".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE"; flow:established,to_server; uricontent:"/wp-admin/admin-functions.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004408; classtype:web-application-attack; sid:2004408; rev:5;)
#
# --- Links Management Application index.php `lcnt` parameter (CVE-2007-1339), sids 2004409-2004411 ---
# Same shape as the rules above, but written with `content ...; http_uri;` and additionally
# requiring the parameter name "lcnt=" somewhere in the URI. The three content matches are
# not position-relative to each other, so the keyword does not have to sit inside the lcnt
# value; "/index.php?" is a very common path, which makes the "lcnt=" match the real
# discriminator for this application.
#
# sid 2004409: "SELECT" followed, after at least one character, by "FROM".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004409; classtype:web-application-attack; sid:2004409; rev:7;)
# sid 2004410: "UNION", one or more whitespace characters, then "SELECT".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004410; classtype:web-application-attack; sid:2004410; rev:7;)
# sid 2004411: "INSERT" followed, after at least one character, by "INTO".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004411; classtype:web-application-attack; sid:2004411; rev:7;)
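# --- Links Management Application index.php `lcnt` parameter (CVE-2007-1339), sids 2004412-2004414 ---
# Each rule alerts on established, client-to-server TCP traffic from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS when the request URI contains "/index.php?", "lcnt=" and one
# SQL keyword; the pcre then confirms a keyword pair in the same URI buffer (flag U) without
# regard to case (flag i). The content matches are not position-relative, so the keyword
# does not have to sit inside the lcnt value.
# Coverage limits: only the request URI is inspected, so a value carried in a request body is
# not seen; the rules only see traffic matching the configured $HTTP_SERVERS / $HTTP_PORTS.
# Triage: an alert records a request pattern, not a successful injection; check the installed
# application version and the server response before escalating.
#
# sid 2004412: "DELETE" followed, after at least one character, by "FROM".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004412; classtype:web-application-attack; sid:2004412; rev:7;)
# sid 2004413: "ASCII(" followed, after at least one character, by "SELECT"; the content
# pre-filter only requires "SELECT".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004413; classtype:web-application-attack; sid:2004413; rev:7;)
# sid 2004414: "UPDATE" followed, after at least one character, by "SET".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004414; classtype:web-application-attack; sid:2004414; rev:7;)
#
# --- Serendipity index.php `serendipity[multiCat][` parameter (CVE-2007-1326), sids 2004415-2004420 ---
# Same shape as above, keyed on the array-parameter prefix "serendipity[multiCat][" in the URI.
# NOTE(review): these rules use the legacy `uricontent` keyword, while the neighbouring rules
# use `content ...; http_uri;` — presumably equivalent matching; confirm that the target
# engine version still accepts `uricontent`.
#
# sid 2004415: "SELECT" followed, after at least one character, by "FROM".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004415; classtype:web-application-attack; sid:2004415; rev:5;)
# sid 2004416: "UNION", one or more whitespace characters, then "SELECT".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004416; classtype:web-application-attack; sid:2004416; rev:5;)
# sid 2004417: "INSERT" followed, after at least one character, by "INTO".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004417; classtype:web-application-attack; sid:2004417; rev:5;)
# sid 2004418: "DELETE" followed, after at least one character, by "FROM".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004418; classtype:web-application-attack; sid:2004418; rev:5;)
# sid 2004419: "ASCII(" followed, after at least one character, by "SELECT"; the content
# pre-filter only requires "SELECT".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004419; classtype:web-application-attack; sid:2004419; rev:5;)
# sid 2004420: "UPDATE" followed, after at least one character, by "SET".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"serendipity[multiCat]["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004420; classtype:web-application-attack; sid:2004420; rev:5;)
#
# --- Hazir Site giris_yap.asp `sifre` parameter (CVE-2006-7161), sids 2004421 onward ---
# Same shape as above, keyed on "/giris_yap.asp?" and "sifre=" in the URI
# (presumably the password field of a login page — verify against the advisory).
#
# sid 2004421: "SELECT" followed, after at least one character, by "FROM".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre SELECT"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004421; classtype:web-application-attack; sid:2004421; rev:6;)
# sid 2004422: "UNION", one or more whitespace characters, then "SELECT".
# The published text listed `content:"UNION"; nocase; http_uri;` twice in a row. The second
# copy carried no distance/within modifier, so it matched the same bytes as the first and
# only added a redundant pattern check; it is kept once here, matching the sibling
# UNION SELECT rules.
# NOTE(review): rev is left at 6 — bump it, or carry this as a local rule, according to
# your rule-management process, so the edit is not silently overwritten by a feed update.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UNION SELECT"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004422; classtype:web-application-attack; sid:2004422; rev:6;)
# Start of the Hazir Site INSERT rule; its remaining options continue on the next line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre INSERT"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; 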
content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004423; classtype:web-application-attack; sid:2004423; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre DELETE"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004424; classtype:web-application-attack; sid:2004424; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre ASCII"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004425; classtype:web-application-attack; sid:2004425; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE"; flow:established,to_server; content:"/giris_yap.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004426; classtype:web-application-attack; sid:2004426; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname SELECT"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004427; classtype:web-application-attack; sid:2004427; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UNION SELECT"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004428; classtype:web-application-attack; sid:2004428; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname INSERT"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004429; classtype:web-application-attack; sid:2004429; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname DELETE"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004430; classtype:web-application-attack; sid:2004430; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname ASCII"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004431; classtype:web-application-attack; sid:2004431; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE"; flow:established,to_server; content:"/moscomment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004432; classtype:web-application-attack; sid:2004432; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname SELECT"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004433; classtype:web-application-attack; sid:2004433; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UNION SELECT"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004434; classtype:web-application-attack; sid:2004434; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname INSERT"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; 
content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004435; classtype:web-application-attack; sid:2004435; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname DELETE"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004436; classtype:web-application-attack; sid:2004436; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname ASCII"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004437; classtype:web-application-attack; sid:2004437; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE"; flow:established,to_server; content:"/com_comment.php?"; nocase; http_uri; content:"mcname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004438; classtype:web-application-attack; sid:2004438; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name ASCII"; flow:established,to_server; uricontent:"/forum/pop_up_member_search.asp?"; nocase; uricontent:"name="; 
nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004439; classtype:web-application-attack; sid:2004439; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; content:"User-Agent|3a| ExampleDL"; http_header; reference:url,doc.emergingthreats.net/2004440; classtype:trojan-activity; sid:2004440; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (hhh)"; flow:established,to_server; content:"User-Agent|3a| hhh|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2004442; classtype:trojan-activity; sid:2004442; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; content:"User-Agent|3a| KKTone"; nocase; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; classtype:trojan-activity; sid:2004443; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp SELECT"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004450; classtype:web-application-attack; sid:2004450; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UNION SELECT"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2992; 
reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004451; classtype:web-application-attack; sid:2004451; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp INSERT"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004452; classtype:web-application-attack; sid:2004452; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp DELETE"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004453; classtype:web-application-attack; sid:2004453; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp ASCII"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004454; classtype:web-application-attack; sid:2004454; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE"; flow:established,to_server; uricontent:"/OmegaMw7.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004455; classtype:web-application-attack; sid:2004455; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL 
Injection Attempt -- news.php newsid SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004456; classtype:web-application-attack; sid:2004456; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UNION SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004457; classtype:web-application-attack; sid:2004457; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004458; classtype:web-application-attack; sid:2004458; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004459; classtype:web-application-attack; sid:2004459; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid ASCII"; 
flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004460; classtype:web-application-attack; sid:2004460; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004461; classtype:web-application-attack; sid:2004461; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp SELECT"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004463; classtype:web-application-attack; sid:2004463; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UNION SELECT"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004464; classtype:web-application-attack; sid:2004464; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp INSERT"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; 
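uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004465; classtype:web-application-attack; sid:2004465; rev:5;)
# SalesCart Shopping Cart (CVE-2007-2997): SQL keywords in the URI of /cgi-bin/reorder2.asp?
# requests. Matching is URI-only (uricontent and pcre /U).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp DELETE"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004466; classtype:web-application-attack; sid:2004466; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp ASCII"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004467; classtype:web-application-attack; sid:2004467; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE"; flow:established,to_server; uricontent:"/cgi-bin/reorder2.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004468; classtype:web-application-attack; sid:2004468; rev:5;)
# myBloggie (CVE-2007-3003), cat_id UNION SELECT. As published, this rule matched
# uricontent:"UPDATE" and pcre /UPDATE\s+SELECT/Ui, which contradicts its msg and does not
# fire on a plain UNION SELECT in the URI. The cat_id UPDATE case is already covered by
# sid 2004473. Both matches now use UNION, as in the year= counterpart (sid 2004475).
# sid and rev are left as published (the rule's tail is on the following line); track this
# as a local modification.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; 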
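reference:url,doc.emergingthreats.net/2004469; classtype:web-application-attack; sid:2004469; rev:5;)
# myBloggie (CVE-2007-3003): SQL keywords in the URI of /index.php? requests carrying cat_id=.
# Matching is URI-only (uricontent and pcre /U).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004470; classtype:web-application-attack; sid:2004470; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004471; classtype:web-application-attack; sid:2004471; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004472; classtype:web-application-attack; sid:2004472; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004473; classtype:web-application-attack; sid:2004473; rev:5;)
# myBloggie (CVE-2007-3003): the same keyword set for the year= parameter.
# sid 2004474 was the only rule of this family without a literal keyword match, leaving the
# pcre as its sole SELECT check. uricontent:"SELECT" is added to match the sibling rules.
# The pcre already requires SELECT (case-insensitive) in the same normalized-URI buffer, so
# the set of matching requests is unchanged. The rule text, previously broken across two
# lines after "alert tcp", is rejoined. sid and rev are kept as published; track this as a
# local modification.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004474; classtype:web-application-attack; sid:2004474; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004475; classtype:web-application-attack; sid:2004475; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004476; classtype:web-application-attack; sid:2004476; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004477; classtype:web-application-attack; sid:2004477; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII"; flow:established,to_server; 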
uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004478; classtype:web-application-attack; sid:2004478; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"year="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004479; classtype:web-application-attack; sid:2004479; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq SELECT"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004480; classtype:web-application-attack; sid:2004480; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UNION SELECT"; flow:established,to_server; uricontent:"/G_Display.php?"; nocase; uricontent:"iCategoryUnq="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004481; classtype:web-application-attack; sid:2004481; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq INSERT"; flow:established,to_server; content:"/G_Display.php?"; nocase; 
http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004482; classtype:web-application-attack; sid:2004482; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq DELETE"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004483; classtype:web-application-attack; sid:2004483; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq ASCII"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004484; classtype:web-application-attack; sid:2004484; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE"; flow:established,to_server; content:"/G_Display.php?"; nocase; http_uri; content:"iCategoryUnq="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004485; classtype:web-application-attack; sid:2004485; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID SELECT"; 
flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004486; classtype:web-application-attack; sid:2004486; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UNION SELECT"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004487; classtype:web-application-attack; sid:2004487; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID INSERT"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004488; classtype:web-application-attack; sid:2004488; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID DELETE"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004489; classtype:web-application-attack; sid:2004489; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID ASCII"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004490; classtype:web-application-attack; sid:2004490; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE"; flow:established,to_server; content:"/Search/DisplayResults.php?"; nocase; http_uri; content:"iSearchID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004491; classtype:web-application-attack; sid:2004491; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004493; classtype:web-application-attack; 
sid:2004493; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004494; classtype:web-application-attack; sid:2004494; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004495; classtype:web-application-attack; sid:2004495; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004496; classtype:web-application-attack; sid:2004496; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004497; classtype:web-application-attack; sid:2004497; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas 
Guestbook SQL Injection Attempt -- add2.php name UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"name="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004498; classtype:web-application-attack; sid:2004498; rev:5;)

# Savas Guestbook, add2.php (reference field: CVE-2007-1304).
# One alert rule per query parameter and SQL keyword pair. Each rule needs the
# script path, the parameter name and the first keyword in the URI
# (uricontent, nocase), then confirms the pair with a pcre whose U flag ties
# it to the same URI buffer and whose i flag makes it case-insensitive.
# ".+" asks for at least one character between the two keywords.
# The "ASCII" variants anchor on uricontent "SELECT" and leave "ASCII(" to the
# pcre.
# Header: $EXTERNAL_NET -> $HTTP_SERVERS on $HTTP_PORTS, client-to-server on an
# established flow. Nothing alerts unless those variables cover the hosts and
# ports that actually serve the application.
# NOTE(review): matching is URI-only; request bodies are not inspected by
# these rules, so keep generic SQL injection coverage enabled alongside them.

# --- parameter: country (sids 2004499-2004504) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004499; classtype:web-application-attack; sid:2004499; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004500; classtype:web-application-attack; sid:2004500; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004501; classtype:web-application-attack; sid:2004501; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004502; classtype:web-application-attack; sid:2004502; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004503; classtype:web-application-attack; sid:2004503; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"country="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004504; classtype:web-application-attack; sid:2004504; rev:5;)

# --- parameter: email (sids 2004505-2004510) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004505; classtype:web-application-attack; sid:2004505; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004506; classtype:web-application-attack; sid:2004506; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004507; classtype:web-application-attack; sid:2004507; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004508; classtype:web-application-attack; sid:2004508; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004509; classtype:web-application-attack; sid:2004509; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"email="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004510; classtype:web-application-attack; sid:2004510; rev:5;)

# --- parameter: website (sids 2004511-2004516) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004511; classtype:web-application-attack; sid:2004511; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004512; classtype:web-application-attack; sid:2004512; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004513; classtype:web-application-attack; sid:2004513; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004514; classtype:web-application-attack; sid:2004514; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004515; classtype:web-application-attack; sid:2004515; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"website="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004516; classtype:web-application-attack; sid:2004516; rev:5;)

# --- parameter: message (sids 2004517-2004522) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004517; classtype:web-application-attack; sid:2004517; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UNION SELECT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004518; classtype:web-application-attack; sid:2004518; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message INSERT"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004519; classtype:web-application-attack; sid:2004519; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message DELETE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004520; classtype:web-application-attack; sid:2004520; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message ASCII"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004521; classtype:web-application-attack; sid:2004521; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE"; flow:established,to_server; uricontent:"/add2.php?"; nocase; uricontent:"message="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004522; classtype:web-application-attack; sid:2004522; rev:5;)

# LI-Guestbook, guestbook.php, parameter "country": the rule below is wrapped
# by the page and continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country SELECT";
flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004523; classtype:web-application-attack; sid:2004523; rev:6;)

# LI-Guestbook, guestbook.php, parameter "country" (reference field:
# CVE-2007-1302), sids 2004524-2004528 below.
# These rev:6 rules use content with the http_uri modifier for the script
# path, the parameter name and the first keyword, all nocase, then confirm
# the keyword pair with a case-insensitive pcre on the URI (flags U and i).
# NOTE(review): matching is URI-only; request bodies are not inspected here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UNION SELECT"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004524; classtype:web-application-attack; sid:2004524; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country INSERT"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004525; classtype:web-application-attack; sid:2004525; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country DELETE"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004526; classtype:web-application-attack; sid:2004526; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country ASCII"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004527; classtype:web-application-attack; sid:2004527; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE"; flow:established,to_server; content:"/guestbook.php?"; nocase; http_uri; content:"country="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004528; classtype:web-application-attack; sid:2004528; rev:6;)

# AJ Auction, subcat.php, parameter "cate_id" (reference field: CVE-2007-1298).
# These rev:7 rules express the keyword pair as two content matches on the
# URI instead of a pcre. distance:1 on the second keyword means it must start
# at least one byte after the end of the first.
# The UNION SELECT rule keeps its pcre as well; its SELECT content uses
# distance:0, i.e. anywhere after UNION, and "\s+?" still requires whitespace
# between the two words.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; distance:1; http_uri; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; pcre:"/UNION\s+?SELECT/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:7;)

# AJ Auction "cate_id INSERT" rule: wrapped by the page, continues on the
# next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:7;)

# AJ Auction, subcat.php, parameter "cate_id" (reference field:
# CVE-2007-1298), remaining keyword pairs. Both keywords are content matches
# on the URI (http_uri, nocase); distance:1 requires the second keyword to
# start at least one byte after the end of the first. No pcre is involved, so
# what sits between the two keywords is not constrained.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:7;)

# AJDating, view_profile.php, parameter "user_id" (reference field:
# CVE-2007-1297). Same two-content layout as the AJ Auction rules above.
# The UNION SELECT rule combines the content pair (distance:1) with a pcre
# that requires whitespace between the two words.
# NOTE(review): matching is URI-only; request bodies are not inspected here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; pcre:"/UNION\s+?SELECT/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:7;)

# AJ Classifieds, postingdetails.php, parameter "postingid" (reference field:
# CVE-2007-1296). The SELECT rule is rev:7 and uses the two-content layout.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:7;)

# AJ Classifieds "postingid UNION SELECT" rule: wrapped by the page, continues
# on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UNION SELECT"; flow:established,to_server; content:"/postingdetails.php?"; nocase;
http_uri; content:"postingid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004542; classtype:web-application-attack; sid:2004542; rev:6;)

# AJ Classifieds, postingdetails.php, parameter "postingid" (reference field:
# CVE-2007-1296), sids 2004543-2004546. These rev:6 rules match the script
# path, the parameter name and the first keyword with content + http_uri
# (nocase) and confirm the keyword pair with a case-insensitive pcre on the
# URI (flags U and i).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid INSERT"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004543; classtype:web-application-attack; sid:2004543; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid DELETE"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004544; classtype:web-application-attack; sid:2004544; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ASCII"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004545; classtype:web-application-attack; sid:2004545; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004546; classtype:web-application-attack; sid:2004546; rev:6;)

# AJ Forum, topic_title.php, parameter "td_id" (reference field:
# CVE-2007-1295), sids 2004547-2004551.
# NOTE(review): this listing has SELECT, INSERT, DELETE, ASCII and UPDATE
# rules for td_id but no separate UNION SELECT rule, unlike the neighbouring
# groups. The SELECT rule only alerts when FROM follows SELECT in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id SELECT"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004547; classtype:web-application-attack; sid:2004547; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id INSERT"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004548; classtype:web-application-attack; sid:2004548; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id DELETE"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004549; classtype:web-application-attack; sid:2004549; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id ASCII"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004550; classtype:web-application-attack; sid:2004550; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004551; classtype:web-application-attack; sid:2004551; rev:6;)

# RevokeSoft RevokeBB, /inc/class_users.php (reference field: CVE-2007-3051).
# These rev:5 rules use uricontent and match no parameter name: the script
# path plus the keyword pair anywhere in the URI is enough to alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php SELECT"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004600; classtype:web-application-attack; sid:2004600; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UNION SELECT"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004601; classtype:web-application-attack; sid:2004601; rev:5;)

# RevokeBB "class_users.php INSERT" rule: wrapped by the page, continues on
# the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php INSERT"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase;
uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004602; classtype:web-application-attack; sid:2004602; rev:5;)

# RevokeSoft RevokeBB, /inc/class_users.php (reference field: CVE-2007-3051),
# sids 2004603-2004605. No parameter name is matched: the script path plus
# the keyword pair anywhere in the URI is enough to alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php DELETE"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004603; classtype:web-application-attack; sid:2004603; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php ASCII"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004604; classtype:web-application-attack; sid:2004604; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE"; flow:established,to_server; uricontent:"/inc/class_users.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004605; classtype:web-application-attack; sid:2004605; rev:5;)

# PNphpBB2, index.php, parameter "c" (reference field: CVE-2007-3052),
# sids 2004606-2004611.
# NOTE(review): "/index.php?" and "c=" are short, generic patterns, and
# uricontent "c=" is also satisfied by the tail of any longer parameter name
# ending in "c". These rules can therefore alert on unrelated applications;
# triage against whether PNphpBB2 is actually deployed on the target host.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004606; classtype:web-application-attack; sid:2004606; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004607; classtype:web-application-attack; sid:2004607; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004608; classtype:web-application-attack; sid:2004608; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004609; classtype:web-application-attack; sid:2004609; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004610; classtype:web-application-attack; sid:2004610; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"c="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004611; classtype:web-application-attack; sid:2004611; rev:5;)

# My Datebook, diary.php, parameter "delete" (reference field: CVE-2007-3063).
# These rev:6 rules use content + http_uri (nocase) for the script path, the
# parameter name and the first keyword, then a case-insensitive pcre on the
# URI for the keyword pair.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete SELECT"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004612; classtype:web-application-attack; sid:2004612; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UNION SELECT"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004613; classtype:web-application-attack; sid:2004613; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete INSERT"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004614; classtype:web-application-attack; sid:2004614; rev:6;)

# The next rule is wrapped by the page in the middle of its msg string and
# continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete DELETE"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004615; classtype:web-application-attack; sid:2004615; rev:6;)

# NOTE(review) on sid 2004615 above: the parameter is itself named "delete",
# so the nocase content "DELETE" and the start of the pcre are already
# satisfied by "delete=". The rule therefore reduces to "delete=" followed
# later by "from" anywhere in the URI; expect alerts on ordinary delete
# requests whose URI happens to contain that word, and triage accordingly.

# My Datebook, diary.php, parameter "delete" (reference field: CVE-2007-3063),
# sids 2004616-2004617.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete ASCII"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004616; classtype:web-application-attack; sid:2004616; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE"; flow:established,to_server; content:"/diary.php?"; nocase; http_uri; content:"delete="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004617; classtype:web-application-attack; sid:2004617; rev:6;)

# Particle Soft Particle Gallery, viewimage.php, parameter "editcomment"
# (reference field: CVE-2007-3065), sids 2004618-2004623. These rev:5 rules
# use uricontent (nocase) plus a case-insensitive pcre on the URI.
# NOTE(review): matching is URI-only; request bodies are not inspected here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment SELECT"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004618; classtype:web-application-attack; sid:2004618; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UNION SELECT"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004619; classtype:web-application-attack; sid:2004619; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment INSERT"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004620; classtype:web-application-attack; sid:2004620; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment DELETE"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004621; classtype:web-application-attack; sid:2004621; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment ASCII"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004622; classtype:web-application-attack; sid:2004622; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE"; flow:established,to_server; uricontent:"/viewimage.php?"; nocase; uricontent:"editcomment="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004623; classtype:web-application-attack; sid:2004623; rev:5;)

# EQdkp, listmembers.php, parameter "rank" (reference field: CVE-2007-3077),
# sids 2004624-2004629. These rev:6 rules use content + http_uri (nocase)
# plus a case-insensitive pcre on the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank SELECT"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004624; classtype:web-application-attack; sid:2004624; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UNION SELECT"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004625; classtype:web-application-attack; sid:2004625; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank INSERT"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004626; classtype:web-application-attack; sid:2004626; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank DELETE"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004627; classtype:web-application-attack; sid:2004627; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank ASCII"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004628; classtype:web-application-attack; sid:2004628; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"rank="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004629; classtype:web-application-attack; sid:2004629; rev:6;)

# Hunkaray Okul Portaly, haberoku.asp, parameter "id" (reference field:
# CVE-2007-3080): the rule below is wrapped by the page and continues on the
# next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UNION SELECT"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004630;
classtype:web-application-attack; sid:2004630; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id INSERT"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004631; classtype:web-application-attack; sid:2004631; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id DELETE"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004632; classtype:web-application-attack; sid:2004632; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id ASCII"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004633; classtype:web-application-attack; sid:2004633; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; 
reference:url,doc.emergingthreats.net/2004634; classtype:web-application-attack; sid:2004634; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004635; classtype:web-application-attack; sid:2004635; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004636; classtype:web-application-attack; sid:2004636; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004637; classtype:web-application-attack; sid:2004637; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; 
pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004638; classtype:web-application-attack; sid:2004638; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004639; classtype:web-application-attack; sid:2004639; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"epi="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004640; classtype:web-application-attack; sid:2004640; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004641; classtype:web-application-attack; sid:2004641; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT"; flow:established,to_server; 
content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004642; classtype:web-application-attack; sid:2004642; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004643; classtype:web-application-attack; sid:2004643; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004644; classtype:web-application-attack; sid:2004644; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004645; classtype:web-application-attack; sid:2004645; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id 
UPDATE"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"news_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004646; classtype:web-application-attack; sid:2004646; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id SELECT"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004647; classtype:web-application-attack; sid:2004647; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UNION SELECT"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004648; classtype:web-application-attack; sid:2004648; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id INSERT"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004649; classtype:web-application-attack; sid:2004649; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id DELETE"; 
flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004650; classtype:web-application-attack; sid:2004650; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id ASCII"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004651; classtype:web-application-attack; sid:2004651; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004652; classtype:web-application-attack; sid:2004652; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004654; classtype:web-application-attack; sid:2004654; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"UNION"; 
nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004655; classtype:web-application-attack; sid:2004655; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004656; classtype:web-application-attack; sid:2004656; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004657; classtype:web-application-attack; sid:2004657; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004658; classtype:web-application-attack; sid:2004658; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE"; flow:established,to_server; uricontent:"/xmlrpc.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004659; classtype:web-application-attack; sid:2004659; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004660; classtype:web-application-attack; sid:2004660; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004661; classtype:web-application-attack; sid:2004661; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004662; classtype:web-application-attack; sid:2004662; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004663; classtype:web-application-attack; sid:2004663; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004664; classtype:web-application-attack; sid:2004664; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"categoria="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004665; classtype:web-application-attack; sid:2004665; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids SELECT"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004666; classtype:web-application-attack; sid:2004666; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UNION SELECT"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004667; classtype:web-application-attack; sid:2004667; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids INSERT"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004668; classtype:web-application-attack; sid:2004668; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids DELETE"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004669; classtype:web-application-attack; sid:2004669; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids ASCII"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004670; classtype:web-application-attack; sid:2004670; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE"; flow:established,to_server; content:"/inlinemod.php?"; nocase; http_uri; content:"postids="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004671; classtype:web-application-attack; sid:2004671; rev:6;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug SELECT"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004672; classtype:web-application-attack; sid:2004672; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UNION SELECT"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004673; classtype:web-application-attack; sid:2004673; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug INSERT"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004674; classtype:web-application-attack; sid:2004674; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug DELETE"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004675; classtype:web-application-attack; sid:2004675; rev:5;) alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug ASCII"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004676; classtype:web-application-attack; sid:2004676; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE"; flow:established,to_server; uricontent:"/ViewReport.php?"; nocase; uricontent:"bug="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004677; classtype:web-application-attack; sid:2004677; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s SELECT"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004678; classtype:web-application-attack; sid:2004678; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s INSERT"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004679; classtype:web-application-attack; sid:2004679; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s DELETE"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004680; classtype:web-application-attack; sid:2004680; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s ASCII"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004681; classtype:web-application-attack; sid:2004681; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004682; classtype:web-application-attack; sid:2004682; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004683; classtype:web-application-attack; sid:2004683; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004684; classtype:web-application-attack; sid:2004684; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004685; classtype:web-application-attack; sid:2004685; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004686; classtype:web-application-attack; sid:2004686; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004687; classtype:web-application-attack; sid:2004687; rev:6;) alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"mid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004688; classtype:web-application-attack; sid:2004688; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004689; classtype:web-application-attack; sid:2004689; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004690; classtype:web-application-attack; sid:2004690; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004691; classtype:web-application-attack; sid:2004691; rev:7;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004692; classtype:web-application-attack; sid:2004692; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004693; classtype:web-application-attack; sid:2004693; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004694; classtype:web-application-attack; sid:2004694; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid SELECT"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004695; classtype:web-application-attack; sid:2004695; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UNION SELECT"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004696; classtype:web-application-attack; sid:2004696; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid INSERT"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004697; classtype:web-application-attack; sid:2004697; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid DELETE"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004698; classtype:web-application-attack; sid:2004698; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid ASCII"; flow:established,to_server; uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004699; classtype:web-application-attack; sid:2004699; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE"; flow:established,to_server; 
uricontent:"/include.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004700; classtype:web-application-attack; sid:2004700; rev:5;)
# --- PHPWind admin.php, CVE-2006-7101 (sids 2004701-2004704) ---
# Each rule alerts on established, to-server TCP from $EXTERNAL_NET to
# $HTTP_SERVERS:$HTTP_PORTS when the URI contains "/admin.php?" and a SQL
# keyword, confirmed by a pcre with U (normalized URI) and i (case-insensitive).
# NOTE(review): unlike most groups in this file, no parameter name is anchored,
# so any admin.php request whose URI carries the keyword pair matches. This
# presumably raises false positives on servers that do not run PHPWind; scope
# with $HTTP_SERVERS or suppress per host after checking local traffic.
# NOTE(review): only SELECT, UNION SELECT, DELETE and ASCII variants exist for
# this CVE here; the INSERT and UPDATE variants that sibling groups carry are
# absent (sid 2004705 already belongs to Connectix Boards). Confirm against the
# upstream ruleset whether that is intentional.
# NOTE(review): uricontent is the legacy Snort 2.x keyword; other groups in this
# file already use content + http_uri. Newer engines may reject uricontent at
# load time. Check the rule-loader log before relying on these sids.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004701; classtype:web-application-attack; sid:2004701; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UNION SELECT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004702; classtype:web-application-attack; sid:2004702; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php DELETE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004703; classtype:web-application-attack; sid:2004703; rev:5;)
# ASCII variant: the content match is "SELECT"; the pcre additionally requires
# "ASCII(" earlier in the URI than SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php ASCII"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004704; classtype:web-application-attack; 
sid:2004704; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004705; classtype:web-application-attack; sid:2004705; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004706; classtype:web-application-attack; sid:2004706; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004707; classtype:web-application-attack; sid:2004707; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004708; 
classtype:web-application-attack; sid:2004708; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004709; classtype:web-application-attack; sid:2004709; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE"; flow:established,to_server; content:"/admin.php?"; nocase; http_uri; content:"uploadimage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004710; classtype:web-application-attack; sid:2004710; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004711; classtype:web-application-attack; sid:2004711; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; 
reference:url,doc.emergingthreats.net/2004712; classtype:web-application-attack; sid:2004712; rev:6;)
# --- Connectix Boards index.php p_skin, CVE-2007-1254 (continued) ---
# Same shape as the rest of the group: path "/index.php?", parameter "p_skin="
# and a SQL keyword, all matched case-insensitively in the HTTP URI, then a
# pcre on the normalized URI.
# NOTE(review): sid 2004713 (INSERT) has no fast_pattern on content:"p_skin=",
# while the DELETE, ASCII and UPDATE rules below do. Without it the engine
# chooses the prefilter pattern itself (the choice is engine-dependent; TODO
# confirm), and "/index.php?" is a very common URI substring, so this rule may
# be evaluated on far more requests than its siblings. Detection logic is not
# affected, only cost.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004713; classtype:web-application-attack; sid:2004713; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004714; classtype:web-application-attack; sid:2004714; rev:6;)
# ASCII variant: content match is "SELECT"; the pcre requires "ASCII(" before it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004715; classtype:web-application-attack; sid:2004715; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1254; 
reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004716; classtype:web-application-attack; sid:2004716; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004717; classtype:web-application-attack; sid:2004717; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004718; classtype:web-application-attack; sid:2004718; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004719; classtype:web-application-attack; sid:2004719; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; 
content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004720; classtype:web-application-attack; sid:2004720; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004721; classtype:web-application-attack; sid:2004721; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; content:"/section/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004723; classtype:web-application-attack; sid:2004723; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID SELECT"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004724; classtype:web-application-attack; sid:2004724; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UNION SELECT"; flow:established,to_server; 
content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004725; classtype:web-application-attack; sid:2004725; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID INSERT"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004726; classtype:web-application-attack; sid:2004726; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID DELETE"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004727; classtype:web-application-attack; sid:2004727; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ASCII"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004728; classtype:web-application-attack; sid:2004728; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID 
UPDATE"; flow:established,to_server; content:"/system/index.php?"; nocase; http_uri; content:"PHPSESSID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004729; classtype:web-application-attack; sid:2004729; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php SELECT"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004736; classtype:web-application-attack; sid:2004736; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UNION SELECT"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004737; classtype:web-application-attack; sid:2004737; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php INSERT"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004738; classtype:web-application-attack; sid:2004738; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php DELETE"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; 
reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004739; classtype:web-application-attack; sid:2004739; rev:5;)
# --- NukeSentinel includes/nsbypass.php, CVE-2007-1171 (continued) ---
# Path plus SQL keyword in the URI (legacy uricontent), confirmed by pcre on
# the normalized URI. No parameter name is anchored for this group.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php ASCII"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004740; classtype:web-application-attack; sid:2004740; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE"; flow:established,to_server; uricontent:"/includes/nsbypass.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004741; classtype:web-application-attack; sid:2004741; rev:5;)
# --- Nabopoll result.php surv, CVE-2007-1166 (sids 2004742 onward) ---
# Path "/result.php?", parameter "surv=" and a SQL keyword in the HTTP URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004742; classtype:web-application-attack; sid:2004742; rev:7;)
# NOTE(review): sid 2004743 confirms with /UNION.+SELECT/ where the other
# UNION SELECT rules in this file use /UNION\s+SELECT/. The two are not
# equivalent: ".+" accepts any separator between the keywords, "\s+" requires
# whitespace in the normalized URI. Coverage therefore differs between this
# rule and its siblings; record which form is intended when tuning.
# The modifier order on "UNION" (http_uri before nocase) also differs from the
# siblings; both modifiers still apply to the same content match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"UNION"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; 
reference:url,doc.emergingthreats.net/2004743; classtype:web-application-attack; sid:2004743; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004744; classtype:web-application-attack; sid:2004744; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004745; classtype:web-application-attack; sid:2004745; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004746; classtype:web-application-attack; sid:2004746; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE"; flow:established,to_server; content:"/result.php?"; nocase; http_uri; content:"surv="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; 
reference:url,doc.emergingthreats.net/2004747; classtype:web-application-attack; sid:2004747; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004748; classtype:web-application-attack; sid:2004748; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UNION SELECT"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004749; classtype:web-application-attack; sid:2004749; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic INSERT"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004750; classtype:web-application-attack; sid:2004750; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic DELETE"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004751; classtype:web-application-attack; sid:2004751; rev:5;) 
# --- webSPELL printview.php topic, CVE-2007-1163 (continued) ---
# Every rule in this span has the same shape:
#   header : inbound TCP, $EXTERNAL_NET -> $HTTP_SERVERS on $HTTP_PORTS
#   flow   : established, client-to-server only
#   match  : script path + parameter name + SQL keyword, case-insensitive, in the URI
#   pcre   : keyword pair on the normalized URI (U), case-insensitive (i)
# Scope caveats for triage:
#   - Only the URI is inspected; the same parameter sent in a request body is
#     not covered by these rules.
#   - Traffic that does not originate in $EXTERNAL_NET is out of scope.
#   - An alert means a matching request was seen, not that the application is
#     installed or was compromised; correlate with web-server and DB logs.
# NOTE(review): uricontent is the legacy Snort 2.x keyword; newer engines may
# reject it at load time. Check the rule-loader log.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic ASCII"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004752; classtype:web-application-attack; sid:2004752; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE"; flow:established,to_server; uricontent:"/printview.php?"; nocase; uricontent:"topic="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004753; classtype:web-application-attack; sid:2004753; rev:5;)
# --- WebMplayer index.php strid, CVE-2007-1135 (sids 2004754 onward) ---
# NOTE(review): "/index.php?" is a very common URI substring and "strid=" is
# the only application-specific anchor, so these rules presumably fire on
# unrelated PHP applications that use the same parameter name; verify against
# local traffic before treating hits as WebMplayer-specific.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004754; classtype:web-application-attack; sid:2004754; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004755; classtype:web-application-attack; sid:2004755; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection 
Attempt -- index.php strid INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004756; classtype:web-application-attack; sid:2004756; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004757; classtype:web-application-attack; sid:2004757; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004758; classtype:web-application-attack; sid:2004758; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"strid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004759; classtype:web-application-attack; sid:2004759; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id SELECT"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; 
nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004760; classtype:web-application-attack; sid:2004760; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UNION SELECT"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004761; classtype:web-application-attack; sid:2004761; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id INSERT"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004762; classtype:web-application-attack; sid:2004762; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id DELETE"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004763; classtype:web-application-attack; sid:2004763; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id ASCII"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; 
reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004764; classtype:web-application-attack; sid:2004764; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE"; flow:established,to_server; uricontent:"/filecheck.php?"; nocase; uricontent:"id["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004765; classtype:web-application-attack; sid:2004765; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004766; classtype:web-application-attack; sid:2004766; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004767; classtype:web-application-attack; sid:2004767; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004768; classtype:web-application-attack; sid:2004768; 
rev:6;)
# ^ Closes the Mambo LaiThai INSERT rule (sid 2004768), which starts on the previous line of this listing.
#
# Mambo LaiThai /includes/mambo.php (CVE-2006-7092), remaining variants, sids 2004769-2004771.
# Each rule needs the path and one SQL keyword in the URI buffer (content + http_uri, case-insensitive),
# then a pcre on the normalized URI (U flag) confirms the pair: DELETE..FROM, ASCII(..SELECT, UPDATE..SET.
# No parameter name is pinned, so any query string on this path containing the pair alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004769; classtype:web-application-attack; sid:2004769; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004770; classtype:web-application-attack; sid:2004770; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE"; flow:established,to_server; content:"/includes/mambo.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004771; classtype:web-application-attack; sid:2004771; rev:6;)
#
# Ban connexion.php, parameter id (CVE-2006-7089), sids 2004772-2004776 and 2004778.
# sid 2004777 does not appear in this listing; the UPDATE variant carries 2004778.
# Written with the older uricontent keyword: path with "?", "id=" and one SQL keyword must all be in the URI.
# "id=" is matched as a plain substring, so it also hits inside longer parameter names that end in "id=".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id SELECT"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004772; classtype:web-application-attack; sid:2004772; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UNION SELECT"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004773; classtype:web-application-attack; sid:2004773; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id INSERT"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004774; classtype:web-application-attack; sid:2004774; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id DELETE"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004775; classtype:web-application-attack; sid:2004775; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id ASCII"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004776; classtype:web-application-attack; sid:2004776; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE"; flow:established,to_server; uricontent:"/connexion.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004778; classtype:web-application-attack; sid:2004778; rev:5;)
#
# Simple PHP Forum logon_user.php, parameter username (CVE-2006-7088), sids 2004779 onward.
# These rules look only at the request URI: a username value delivered in a request body is not
# inspected by them, so they cover query-string delivery only.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username SELECT"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004779; classtype:web-application-attack; sid:2004779; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UNION SELECT"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004780; classtype:web-application-attack; sid:2004780; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username INSERT"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004781; classtype:web-application-attack; sid:2004781; rev:5;)
# NOTE(review): the next rule is wrapped in this copy - its match options continue on the following line.
# Snort and Suricata read one rule per line unless the break is escaped with a trailing backslash; rejoin before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username DELETE"; flow:established,to_server;
uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004782; classtype:web-application-attack; sid:2004782; rev:5;)
# ^ Tail of the logon_user.php DELETE rule (sid 2004782); its header is on the previous line of this listing.
#
# Simple PHP Forum logon_user.php, parameter username (CVE-2006-7088), remaining variants, sids 2004783-2004784.
# Match: path with "?", "username=" and one SQL keyword as case-insensitive URI substrings (uricontent),
# then a pcre on the normalized URI (U flag) for the keyword pair.
# URI-only inspection: a username value sent in a request body is not seen by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username ASCII"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004783; classtype:web-application-attack; sid:2004783; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE"; flow:established,to_server; uricontent:"/logon_user.php?"; nocase; uricontent:"username="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004784; classtype:web-application-attack; sid:2004784; rev:5;)
#
# Simple PHP Forum update_profile.php, parameter username (same CVE-2006-7088 reference), sids 2004785 onward.
# Identical structure to the logon_user.php set; only the script path differs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username SELECT"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004785; classtype:web-application-attack; sid:2004785; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UNION SELECT"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004786; classtype:web-application-attack; sid:2004786; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username INSERT"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004787; classtype:web-application-attack; sid:2004787; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username DELETE"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004788; classtype:web-application-attack; sid:2004788; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username ASCII"; flow:established,to_server; uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004789; classtype:web-application-attack; sid:2004789; rev:5;)
# NOTE(review): the next rule is wrapped in this copy - its match options continue on the following line.
# Snort and Suricata read one rule per line unless the break is escaped with a trailing backslash; rejoin before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE"; flow:established,to_server;
uricontent:"/update_profile.php?"; nocase; uricontent:"username="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004790; classtype:web-application-attack; sid:2004790; rev:5;)
# ^ Tail of the update_profile.php UPDATE rule (sid 2004790); its header is on the previous line of this listing.
#
# Invision Power Board /classes/class_session.php, parameter CLIENT_IP (CVE-2006-7071), sids 2004797-2004802.
# The sid sequence jumps from 2004790 to 2004797 here; 2004791-2004796 are not in this listing.
# Match: path with "?", "CLIENT_IP=" and one SQL keyword in the URI buffer (content + http_uri,
# case-insensitive), then a pcre on the normalized URI (U flag) for the keyword pair.
# Only the URI is inspected; the pair may sit anywhere in it, not only in the CLIENT_IP value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004797; classtype:web-application-attack; sid:2004797; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UNION SELECT"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004798; classtype:web-application-attack; sid:2004798; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004799; classtype:web-application-attack; sid:2004799; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP DELETE"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004800; classtype:web-application-attack; sid:2004800; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ASCII"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004801; classtype:web-application-attack; sid:2004801; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE"; flow:established,to_server; content:"/classes/class_session.php?"; nocase; http_uri; content:"CLIENT_IP="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004802; classtype:web-application-attack; sid:2004802; rev:6;)
#
# ZephyrSoft Toolbox Address Book Continued (ABC) functions.php, parameter id (CVE-2007-1122), sids 2004803 onward.
# Written with uricontent. NOTE(review): "/functions.php?" and "id=" are generic names and the match is
# not limited to hosts running this product, so the same signatures fire on any application exposing
# functions.php?...id=... with the keyword pair in the URI - confirm the target application during triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id SELECT"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004803; classtype:web-application-attack; sid:2004803; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UNION SELECT"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004804; classtype:web-application-attack; sid:2004804; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id INSERT"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004805; classtype:web-application-attack; sid:2004805; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id DELETE"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004806; classtype:web-application-attack; sid:2004806; rev:5;)
# NOTE(review): the next rule is wrapped in this copy - its keyword match and references continue on the following line.
# Snort and Suricata read one rule per line unless the break is escaped with a trailing backslash; rejoin before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id ASCII"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase;
uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004807; classtype:web-application-attack; sid:2004807; rev:5;)
# ^ Tail of the ZephyrSoft functions.php ASCII rule (sid 2004807); its header is on the previous line of this listing.
#
# ZephyrSoft Toolbox Address Book Continued (ABC) functions.php, parameter id (CVE-2007-1122), last variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE"; flow:established,to_server; uricontent:"/functions.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004808; classtype:web-application-attack; sid:2004808; rev:5;)
#
# Coppermine Photo Gallery thumbnails.php, cpg131_fav (CVE-2007-1107), sids 2004809-2004813 and 2004815.
# sid 2004814 does not appear in this listing, and the UPDATE variant is at rev:8 while its siblings are at rev:6.
# Match: path with "?", "cpg131_fav=" and one SQL keyword in the URI buffer (content + http_uri), then a
# pcre on the normalized URI (U flag) for the keyword pair.
# NOTE(review): the literal "cpg131_fav=" must appear in the request URI for these rules to fire; if the
# affected value reaches the application by another route (for example a cookie), these rules do not
# see it - confirm against the CVE-2007-1107 advisory before relying on them for coverage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav SELECT"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004809; classtype:web-application-attack; sid:2004809; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UNION SELECT"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004810; classtype:web-application-attack; sid:2004810; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav INSERT"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004811; classtype:web-application-attack; sid:2004811; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav DELETE"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004812; classtype:web-application-attack; sid:2004812; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ASCII"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004813; classtype:web-application-attack; sid:2004813; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE"; flow:established,to_server; content:"/thumbnails.php?"; nocase; http_uri; content:"cpg131_fav="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004815; classtype:web-application-attack; sid:2004815; rev:8;)
#
# Sphider search.php, parameter category (CVE-2006-7057), sids 2004816 onward.
# Written with uricontent. NOTE(review): "/search.php?" with "category=" is a common URL shape, and the
# keyword pair is matched anywhere in the URI, so ordinary search text containing words such as
# "select ... from" on any search.php endpoint can raise these alerts - confirm the application before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004816; classtype:web-application-attack; sid:2004816; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004817; classtype:web-application-attack; sid:2004817; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004818; classtype:web-application-attack; sid:2004818; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004819; classtype:web-application-attack; sid:2004819; rev:5;)
# NOTE(review): the next rule is wrapped in this copy - everything after its msg option is on the following line.
# Snort and Suricata read one rule per line unless the break is escaped with a trailing backslash; rejoin before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category ASCII";
flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004820; classtype:web-application-attack; sid:2004820; rev:5;)
# ^ Tail of the Sphider search.php ASCII rule (sid 2004820); its header and msg are on the previous line of this listing.
#
# Sphider search.php, parameter category (CVE-2006-7057), last variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"category="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004821; classtype:web-application-attack; sid:2004821; rev:5;)
#
# Super Link Exchange Script directory.php, parameter cat (CVE-2006-7034), sids 2004822-2004827.
# Match: path with "?", "cat=" and one SQL keyword as case-insensitive URI substrings (uricontent), then
# a pcre on the normalized URI (U flag) for the keyword pair.
# "cat=" is a plain substring match, so it also hits inside longer parameter names ending in "cat=".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat SELECT"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004822; classtype:web-application-attack; sid:2004822; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UNION SELECT"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004823; classtype:web-application-attack; sid:2004823; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat INSERT"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004824; classtype:web-application-attack; sid:2004824; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat DELETE"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004825; classtype:web-application-attack; sid:2004825; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat ASCII"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004826; classtype:web-application-attack; sid:2004826; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE"; flow:established,to_server; uricontent:"/directory.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004827; classtype:web-application-attack; sid:2004827; rev:5;)
#
# Bookmark4U /admin/config.php, parameter sqlcmd (CVE-2006-7025), sids 2004828 onward.
# Written as content + http_uri (the modifier form of uricontent; both search the URI buffer).
# The rules are scoped to $EXTERNAL_NET sources only, so the same request from an internal address does not alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd SELECT"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004828; classtype:web-application-attack; sid:2004828; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UNION SELECT"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004829; classtype:web-application-attack; sid:2004829; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd INSERT"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004830; classtype:web-application-attack; sid:2004830; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd DELETE"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004831; classtype:web-application-attack; sid:2004831; rev:6;)
# NOTE(review): the next rule is wrapped in this copy - only the start of its header is on this line.
# Snort and Suricata read one rule per line unless the break is escaped with a trailing backslash; rejoin before loading.
alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd ASCII"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004832; classtype:web-application-attack; sid:2004832; rev:6;)
# ^ Remainder of the Bookmark4U config.php ASCII rule (sid 2004832); "alert tcp $EXTERNAL_NET any ->" is on the previous line of this listing.
#
# Bookmark4U /admin/config.php, parameter sqlcmd (CVE-2006-7025), last variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE"; flow:established,to_server; content:"/admin/config.php?"; nocase; http_uri; content:"sqlcmd="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004833; classtype:web-application-attack; sid:2004833; rev:6;)
#
# Design4Online UserPages2 page.asp, parameter art_id (CVE-2007-1077), sids 2004834-2004837 and 2004839.
# This set has no ASCII( variant and sid 2004838 does not appear in this listing.
# Match: "/page.asp?", "art_id=" and one SQL keyword in the URI buffer (content + http_uri), then a pcre
# on the normalized URI (U flag) for the keyword pair.
# Overlap: "/page.asp?" is a substring of "/user_pages/page.asp?", which the Online Web Building rules
# (sids 2004846-2004850, CVE-2007-1058) match with the same art_id= parameter - one request to that
# longer path can raise an alert from both sets; treat the pair as a single event when triaging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004834; classtype:web-application-attack; sid:2004834; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004835; classtype:web-application-attack; sid:2004835; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004836; classtype:web-application-attack; sid:2004836; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004837; classtype:web-application-attack; sid:2004837; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004839; classtype:web-application-attack; sid:2004839; rev:6;)
#
# mcRefer install.php, parameter bgcolor (CVE-2007-1073), sids 2004840 onward.
# Written with uricontent. The path is an installer script; these rules only flag requests to it that
# also carry a SQL keyword pair in the URI - other requests to install.php are outside their scope.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor SELECT"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004840; classtype:web-application-attack; sid:2004840; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UNION SELECT"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004841; classtype:web-application-attack; sid:2004841; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor INSERT"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004842; classtype:web-application-attack; sid:2004842; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor DELETE"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004843; classtype:web-application-attack; sid:2004843; rev:5;)
# NOTE(review): the next rule is wrapped in this copy - its classtype, sid and rev are on the following line.
# Snort and Suricata read one rule per line unless the break is escaped with a trailing backslash; rejoin before loading.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor ASCII"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004844;
classtype:web-application-attack; sid:2004844; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"bgcolor="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004845; classtype:web-application-attack; sid:2004845; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004846; classtype:web-application-attack; sid:2004846; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004847; classtype:web-application-attack; sid:2004847; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004848; 
classtype:web-application-attack; sid:2004848; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004849; classtype:web-application-attack; sid:2004849; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004850; classtype:web-application-attack; sid:2004850; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004851; classtype:web-application-attack; sid:2004851; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UNION SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004852; classtype:web-application-attack; sid:2004852; rev:5;) 
# SQL-injection attempt signatures, one family per web application. Every rule
# ANDs three case-insensitive URI matches (script path, parameter name, SQL
# keyword) with a pcre on the normalized URI (/U) for a keyword pair. All rules
# in this span use the legacy uricontent keyword.
# Triage: the matches carry no distance/within, so the keyword can sit anywhere
# in the URI rather than in the named parameter; the pcre is unanchored, so a
# benign token such as "update_settings" satisfies UPDATE.+SET. Nothing identifies
# the product beyond the script and parameter names (view.php/album and
# pop_profile.asp/id are generic), only the request URI is inspected, and a hit
# records an attempt, not a successful query.
#
# PHP-Nuke, modules.php category_id (CVE-2007-1034): remaining variants of a
# family that starts on the preceding lines.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id INSERT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004853; classtype:web-application-attack; sid:2004853; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id DELETE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004854; classtype:web-application-attack; sid:2004854; rev:5;)
# The ASCII variant keys on the SELECT keyword and leaves "ASCII(" to the pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id ASCII"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004855; classtype:web-application-attack; sid:2004855; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004856; classtype:web-application-attack; sid:2004856; rev:5;)
# XLAtunes, view.php album (CVE-2007-1026).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004857; classtype:web-application-attack; sid:2004857; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UNION SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004858; classtype:web-application-attack; sid:2004858; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album INSERT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004859; classtype:web-application-attack; sid:2004859; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album DELETE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004860; classtype:web-application-attack; sid:2004860; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album ASCII"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004861; classtype:web-application-attack; sid:2004861; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"album="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004862; classtype:web-application-attack; sid:2004862; rev:5;)
# Snitz Forums 2000, pop_profile.asp id (CVE-2007-1023).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004863; classtype:web-application-attack; sid:2004863; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UNION SELECT"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004864; classtype:web-application-attack; sid:2004864; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id INSERT"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004865; classtype:web-application-attack; sid:2004865; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004866; classtype:web-application-attack; sid:2004866; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004867; classtype:web-application-attack; sid:2004867; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE"; flow:established,to_server; uricontent:"/pop_profile.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004868; classtype:web-application-attack; sid:2004868; rev:5;)
# Turuncu Portal, h_goster.asp id (CVE-2007-1022). The UPDATE variant follows
# this span.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id SELECT"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004869; classtype:web-application-attack; sid:2004869; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UNION SELECT"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004870; classtype:web-application-attack; sid:2004870; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id INSERT"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004871; classtype:web-application-attack; sid:2004871; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id DELETE"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004872; classtype:web-application-attack; sid:2004872; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id ASCII"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004873; classtype:web-application-attack; sid:2004873; rev:5;)
# SQL-injection attempt signatures, one family per web application. Every rule
# ANDs three case-insensitive URI matches (script path, parameter name, SQL
# keyword) with a pcre on the normalized URI (/U) for a keyword pair. Families
# mix the legacy uricontent keyword with content + http_uri; both read the URI.
# Triage: the matches carry no distance/within, so the keyword can sit anywhere
# in the URI rather than in the named parameter; the pcre is unanchored, so a
# benign token such as "update_settings" satisfies UPDATE.+SET. Nothing identifies
# the product beyond the script and parameter names (index.php/showonly is
# generic), only the request URI is inspected, and a hit records an attempt,
# not a successful query.
#
# Turuncu Portal, h_goster.asp id (CVE-2007-1022): last variant of a family that
# starts on the preceding lines.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE"; flow:established,to_server; uricontent:"/h_goster.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004874; classtype:web-application-attack; sid:2004874; rev:5;)
# CodeAvalanche News, inc_listnews.asp CAT_ID (CVE-2007-1021).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID SELECT"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004875; classtype:web-application-attack; sid:2004875; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UNION SELECT"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004876; classtype:web-application-attack; sid:2004876; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID INSERT"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004877; classtype:web-application-attack; sid:2004877; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID DELETE"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004878; classtype:web-application-attack; sid:2004878; rev:6;)
# The ASCII variant keys on the SELECT keyword and leaves "ASCII(" to the pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ASCII"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004879; classtype:web-application-attack; sid:2004879; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE"; flow:established,to_server; content:"/inc_listnews.asp?"; nocase; http_uri; content:"CAT_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004880; classtype:web-application-attack; sid:2004880; rev:6;)
# webSPELL, index.php showonly (CVE-2007-1019).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004881; classtype:web-application-attack; sid:2004881; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004882; classtype:web-application-attack; sid:2004882; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004883; classtype:web-application-attack; sid:2004883; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004884; classtype:web-application-attack; sid:2004884; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004885; classtype:web-application-attack; sid:2004885; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"showonly="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004886; classtype:web-application-attack; sid:2004886; rev:5;)
# Aktueldownload Haber script, HaberDetay.asp id (CVE-2007-1016). The remaining
# variants follow this span.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id SELECT"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004887; classtype:web-application-attack; sid:2004887; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UNION SELECT"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004888; classtype:web-application-attack; sid:2004888; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id INSERT"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004889; classtype:web-application-attack; sid:2004889; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id DELETE"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004890; classtype:web-application-attack; sid:2004890; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ASCII"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004891; classtype:web-application-attack; sid:2004891; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE"; flow:established,to_server; content:"/HaberDetay.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004892; classtype:web-application-attack; sid:2004892; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid SELECT"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; 
reference:url,doc.emergingthreats.net/2004893; classtype:web-application-attack; sid:2004893; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri;content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004894; classtype:web-application-attack; sid:2004894; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid INSERT"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004895; classtype:web-application-attack; sid:2004895; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid DELETE"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004896; classtype:web-application-attack; sid:2004896; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ASCII"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1016; 
reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004897; classtype:web-application-attack; sid:2004897; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE"; flow:established,to_server; content:"/rss.asp?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004898; classtype:web-application-attack; sid:2004898; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid SELECT"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004899; classtype:web-application-attack; sid:2004899; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UNION SELECT"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004900; classtype:web-application-attack; sid:2004900; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid INSERT"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; 
reference:url,doc.emergingthreats.net/2004901; classtype:web-application-attack; sid:2004901; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid DELETE"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004902; classtype:web-application-attack; sid:2004902; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid ASCII"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004903; classtype:web-application-attack; sid:2004903; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE"; flow:established,to_server; uricontent:"/nickpage.php?"; nocase; uricontent:"npid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004904; classtype:web-application-attack; sid:2004904; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id SELECT"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004905; classtype:web-application-attack; sid:2004905; rev:5;) alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UNION SELECT"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004906; classtype:web-application-attack; sid:2004906; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id INSERT"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004907; classtype:web-application-attack; sid:2004907; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id DELETE"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004908; classtype:web-application-attack; sid:2004908; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id ASCII"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004909; classtype:web-application-attack; sid:2004909; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection 
Attempt -- pollmentorres.asp id UPDATE"; flow:established,to_server; uricontent:"/pollmentorres.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004910; classtype:web-application-attack; sid:2004910; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID SELECT"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004911; classtype:web-application-attack; sid:2004911; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UNION SELECT"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004912; classtype:web-application-attack; sid:2004912; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID INSERT"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004913; classtype:web-application-attack; sid:2004913; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID DELETE"; flow:established,to_server; 
uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004914; classtype:web-application-attack; sid:2004914; rev:5;)
# WebTester directions.php "testID" rules, continued: ASCII and UPDATE variants (CVE-2007-0970).
# The ASCII rule's content is "SELECT"; its pcre requires "ASCII(" earlier in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID ASCII"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004915; classtype:web-application-attack; sid:2004915; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE"; flow:established,to_server; uricontent:"/directions.php?"; nocase; uricontent:"testID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004916; classtype:web-application-attack; sid:2004916; rev:5;)
# Fullaspsite ASP Hosting Site listmain.asp, "cat" parameter (reference CVE-2007-0951).
# These rules use content + http_uri where the WebTester rules above use uricontent; both forms
# inspect the request URI.
# NOTE(review): only the request URI is inspected, and only for traffic to $HTTP_SERVERS on
# $HTTP_PORTS - confirm both variables cover the hosts and ports where the application runs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004917; classtype:web-application-attack; sid:2004917; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; content:"/listmain.asp?"; 
nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004918; classtype:web-application-attack; sid:2004918; rev:6;)
# Fullaspsite listmain.asp "cat" rules, continued (CVE-2007-0951): INSERT, DELETE and ASCII variants.
# NOTE(review): "cat=" is matched anywhere in the URI with no anchoring to a parameter boundary,
# and independently of where the SQL keyword appears; expect some unrelated URIs to qualify.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004919; classtype:web-application-attack; sid:2004919; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004920; classtype:web-application-attack; sid:2004920; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004921; classtype:web-application-attack; sid:2004921; rev:6;)
# NOTE(review): the UPDATE variant that starts here carries sid 2004923; sid 2004922 does not
# appear in this listing, so do not assume a contiguous range in suppress/threshold entries.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE"; 
flow:established,to_server; content:"/listmain.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004923; classtype:web-application-attack; sid:2004923; rev:6;)
# Philboard philboard_forum.asp, "forumid" parameter (reference CVE-2007-0920): SELECT, UNION SELECT
# and INSERT variants. All three match the path, "forumid=" and the keyword in the URI via
# uricontent (nocase), then confirm the keyword pair with a URI pcre.
# NOTE(review): the action is alert and the classtype web-application-attack; the pcre checks
# keyword order only, not SQL validity, so a benign URI containing both words also matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid SELECT"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004924; classtype:web-application-attack; sid:2004924; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UNION SELECT"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004925; classtype:web-application-attack; sid:2004925; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid INSERT"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004926; classtype:web-application-attack; sid:2004926; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid DELETE"; 
flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004927; classtype:web-application-attack; sid:2004927; rev:5;)
# Philboard philboard_forum.asp "forumid" rules, continued: ASCII and UPDATE variants (CVE-2007-0920).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid ASCII"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004928; classtype:web-application-attack; sid:2004928; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE"; flow:established,to_server; uricontent:"/philboard_forum.asp?"; nocase; uricontent:"forumid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004929; classtype:web-application-attack; sid:2004929; rev:5;)
# PSY Auction item.php, "id" parameter (reference CVE-2006-7005).
# NOTE(review): the only product-specific anchor is the path "/item.php?", matched anywhere in
# the URI; an alert shows that the URI pattern was seen, not that PSY Auction is installed or
# was the target. Check the destination host's application inventory during triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id SELECT"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004930; classtype:web-application-attack; sid:2004930; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UNION SELECT"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; 
nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004931; classtype:web-application-attack; sid:2004931; rev:5;)
# PSY Auction item.php "id" rules, continued (CVE-2006-7005): INSERT, DELETE, ASCII, then UPDATE.
# NOTE(review): "id=" has no leading delimiter in the match, so a parameter name that merely ends
# in "id" (constructed examples: "uid=", "itemid=") satisfies it as well.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id INSERT"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004932; classtype:web-application-attack; sid:2004932; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id DELETE"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004933; classtype:web-application-attack; sid:2004933; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id ASCII"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004934; classtype:web-application-attack; sid:2004934; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE"; flow:established,to_server; uricontent:"/item.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; 
reference:url,doc.emergingthreats.net/2004935; classtype:web-application-attack; sid:2004935; rev:5;)
# Neuron Blog /pages/addcomment2.php, "commentname" parameter (reference CVE-2006-6993).
# content + http_uri restricts each match to the request URI; nocase makes it case-insensitive.
# NOTE(review): every match in these rules, including the pcre (U modifier), is against the URI.
# Presumably a comment form can also be submitted in a request body, which these rules do not
# inspect - confirm how the application receives the field before relying on this coverage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004936; classtype:web-application-attack; sid:2004936; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004937; classtype:web-application-attack; sid:2004937; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004938; classtype:web-application-attack; sid:2004938; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; 
pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004939; classtype:web-application-attack; sid:2004939; rev:6;)
# Neuron Blog addcomment2.php "commentname" rules, continued: ASCII and UPDATE variants.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004940; classtype:web-application-attack; sid:2004940; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004941; classtype:web-application-attack; sid:2004941; rev:6;)
# Neuron Blog addcomment2.php, "commentmail" parameter (same CVE-2006-6993 reference).
# Identical rule shape to the "commentname" rules; only the parameter content differs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004942; classtype:web-application-attack; sid:2004942; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; 
nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004943; classtype:web-application-attack; sid:2004943; rev:6;)
# Neuron Blog addcomment2.php "commentmail" rules, continued: INSERT, DELETE and ASCII variants.
# NOTE(review): the sids go from 2004943 straight to 2004945 here; 2004944 is not in this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004945; classtype:web-application-attack; sid:2004945; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004946; classtype:web-application-attack; sid:2004946; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004947; classtype:web-application-attack; sid:2004947; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- 
addcomment2.php commentmail UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentmail="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004948; classtype:web-application-attack; sid:2004948; rev:6;)
# Neuron Blog addcomment2.php, "commentwebsite" parameter (CVE-2006-6993): SELECT, UNION SELECT
# and INSERT variants. Path, "commentwebsite=" and keyword are each matched in the URI (nocase).
# NOTE(review): the per-keyword rules differ only in the keyword content and the pcre, so any
# threshold or suppression for this page has to be written per sid.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004949; classtype:web-application-attack; sid:2004949; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004950; classtype:web-application-attack; sid:2004950; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004951; classtype:web-application-attack; sid:2004951; rev:6;)
alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004952; classtype:web-application-attack; sid:2004952; rev:6;)
# Neuron Blog addcomment2.php "commentwebsite" rules, continued: ASCII and UPDATE variants.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004953; classtype:web-application-attack; sid:2004953; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"commentwebsite="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004954; classtype:web-application-attack; sid:2004954; rev:6;)
# Neuron Blog addcomment2.php, "comment" parameter (CVE-2006-6993).
# NOTE(review): presumably a free-text field. SELECT.+FROM with nocase matches ordinary English
# containing "select ... from", so this parameter looks the likeliest of the four to produce
# false positives - verify against real traffic before alerting on it at high priority.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; 
reference:url,doc.emergingthreats.net/2004955; classtype:web-application-attack; sid:2004955; rev:6;)
# Neuron Blog addcomment2.php "comment" rules, continued: UNION SELECT, INSERT, DELETE, then ASCII.
# Each requires "/pages/addcomment2.php?", "comment=" and the keyword in the URI (nocase, http_uri)
# before the URI pcre is evaluated.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UNION SELECT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004956; classtype:web-application-attack; sid:2004956; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment INSERT"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004957; classtype:web-application-attack; sid:2004957; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment DELETE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004958; classtype:web-application-attack; sid:2004958; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment ASCII"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; 
reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004959; classtype:web-application-attack; sid:2004959; rev:6;)
# Last Neuron Blog addcomment2.php "comment" rule: the UPDATE variant (pcre UPDATE.+SET).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE"; flow:established,to_server; content:"/pages/addcomment2.php?"; nocase; http_uri; content:"comment="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004960; classtype:web-application-attack; sid:2004960; rev:6;)
# LushiNews comments.php, "id" parameter (reference CVE-2007-0865).
# NOTE(review): "/comments.php?" and "id=" are generic names and both are matched anywhere in the
# URI, so these rules can fire for other applications that expose a comments.php script; the msg
# names LushiNews, but the rule itself checks nothing else that identifies the product.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004961; classtype:web-application-attack; sid:2004961; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004962; classtype:web-application-attack; sid:2004962; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; 
reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004963; classtype:web-application-attack; sid:2004963; rev:7;)
# LushiNews comments.php "id" rules, continued (CVE-2007-0865): DELETE, ASCII and UPDATE variants.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004964; classtype:web-application-attack; sid:2004964; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004965; classtype:web-application-attack; sid:2004965; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; content:"/comments.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004966; classtype:web-application-attack; sid:2004966; rev:7;)
# LushiWarPlaner register.php, "id" parameter (reference CVE-2007-0864); first rule: SELECT ... FROM.
# NOTE(review): "/register.php?" is a common script name and is not tied to a directory, so triage
# should confirm the destination actually hosts LushiWarPlaner.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0864; 
reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004967; classtype:web-application-attack; sid:2004967; rev:7;)
# LushiWarPlaner register.php "id" rules, continued (CVE-2007-0864): UNION SELECT, INSERT, DELETE,
# then ASCII. flow:established,to_server limits evaluation to the client-to-server side of
# sessions the sensor tracks as established.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004968; classtype:web-application-attack; sid:2004968; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004969; classtype:web-application-attack; sid:2004969; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id DELETE"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004970; classtype:web-application-attack; sid:2004970; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id ASCII"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0864; 
reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004971; classtype:web-application-attack; sid:2004971; rev:7;)
# LushiWarPlaner register.php "id": UPDATE variant (pcre UPDATE.+SET), reference CVE-2007-0864.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE"; flow:established,to_server; content:"/register.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004972; classtype:web-application-attack; sid:2004972; rev:7;)
# Kisisel Site 2007 forum.asp, "forumid" parameter (reference CVE-2007-0826).
# NOTE(review): the sids jump from 2004972 to 2004979 at this point; 2004973-2004978 are not in
# this listing, so sid-range based tuning must not assume the block is contiguous.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004979; classtype:web-application-attack; sid:2004979; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UNION SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004980; classtype:web-application-attack; sid:2004980; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; 
reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004981; classtype:web-application-attack; sid:2004981; rev:7;)
# Kisisel Site 2007 forum.asp "forumid" rules, continued (CVE-2007-0826): DELETE, ASCII, UPDATE.
# NOTE(review): "/forum.asp?" is matched as a substring of the URI, so a longer script name ending
# in "forum.asp" that follows a "/" matches as well.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid DELETE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004982; classtype:web-application-attack; sid:2004982; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ASCII"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004983; classtype:web-application-attack; sid:2004983; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"forumid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004984; classtype:web-application-attack; sid:2004984; rev:7;)
# BtitTracker torrents.php, "by" parameter (reference CVE-2006-6972); first rule: SELECT ... FROM.
# NOTE(review): "by=" is a three-byte match with no delimiter in front of it, so any parameter
# name ending in "by" (constructed example: "sortby=") satisfies it too.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; 
reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004985; classtype:web-application-attack; sid:2004985; rev:6;)
# BtitTracker torrents.php "by" rules, continued (CVE-2006-6972): UNION SELECT, INSERT, DELETE,
# then ASCII. Path, "by=" and keyword are each matched in the URI (nocase, http_uri) before the
# URI pcre runs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UNION SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004986; classtype:web-application-attack; sid:2004986; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by INSERT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004987; classtype:web-application-attack; sid:2004987; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by DELETE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004988; classtype:web-application-attack; sid:2004988; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by ASCII"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6972; 
reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004989; classtype:web-application-attack; sid:2004989; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"by="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004990; classtype:web-application-attack; sid:2004990; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004991; classtype:web-application-attack; sid:2004991; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UNION SELECT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004992; classtype:web-application-attack; sid:2004992; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order INSERT"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6972; 
reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004993; classtype:web-application-attack; sid:2004993; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order DELETE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004994; classtype:web-application-attack; sid:2004994; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order ASCII"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004995; classtype:web-application-attack; sid:2004995; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE"; flow:established,to_server; content:"/torrents.php?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004996; classtype:web-application-attack; sid:2004996; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid SELECT"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0812; 
reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004997; classtype:web-application-attack; sid:2004997; rev:5;)
# (The line above is the tail of sid 2004997, the wBB Lite "pmid SELECT" rule
# that starts on the previous line.)
#
# Woltlab Burning Board (wBB) Lite -- pms.php, parameter "pmid[", CVE-2007-0812
# (sids 2004998-2005002 here). Each rule needs the script path, the parameter
# name and one SQL keyword as case-insensitive uricontent matches, then a pcre
# on the URI buffer (U), case-insensitive (i), pairing the keyword with its
# partner. The "ASCII" variant uses SELECT as its content match.
# NOTE(review): uricontent is the older spelling of content + http_uri, which
# other rules in this file use; consider converting when the rev is next bumped.
# NOTE(review): matches are unordered and ".+" is unbounded, so any URI holding
# both words alerts; check the decoded URI before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UNION SELECT"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004998; classtype:web-application-attack; sid:2004998; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid INSERT"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004999; classtype:web-application-attack; sid:2004999; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid DELETE"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005000; classtype:web-application-attack; sid:2005000; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid ASCII"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005001; classtype:web-application-attack; sid:2005001; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE"; flow:established,to_server; uricontent:"/pms.php?"; nocase; uricontent:"pmid["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005002; classtype:web-application-attack; sid:2005002; rev:5;)
#
# Ublog Reload -- badword.asp, CVE-2007-0799 (sids 2005003-2005008).
# No parameter name is required here: the script path plus the keyword pairing
# anywhere in the URI is enough to alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp SELECT"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005003; classtype:web-application-attack; sid:2005003; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UNION SELECT"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005004; classtype:web-application-attack; sid:2005004; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp INSERT"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005005; classtype:web-application-attack; sid:2005005; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp DELETE"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005006; classtype:web-application-attack; sid:2005006; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp ASCII"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005007; classtype:web-application-attack; sid:2005007; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE"; flow:established,to_server; uricontent:"/badword.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005008; classtype:web-application-attack; sid:2005008; rev:5;)
#
# GlobalMegaCorp dvddb -- /inc/common.php, parameter user, CVE-2007-0794.
# Written as content + http_uri. sids 2005009-2005013 are complete below; the
# last line is the start of the UPDATE variant and continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user SELECT"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005009; classtype:web-application-attack; sid:2005009; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UNION SELECT"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005010; classtype:web-application-attack; sid:2005010; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user INSERT"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005011; classtype:web-application-attack; sid:2005011; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user DELETE"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005012; classtype:web-application-attack; sid:2005012; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user ASCII"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005013; classtype:web-application-attack; sid:2005013; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS
GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE"; flow:established,to_server; content:"/inc/common.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005014; classtype:web-application-attack; sid:2005014; rev:6;)
# (The line above is the tail of sid 2005014; that rule starts on the previous line.)
#
# The two groups below use uricontent: script path, parameter name and one SQL
# keyword must each appear (case-insensitive) in the request URI, then a pcre
# on the URI buffer (U), case-insensitive (i), pairs the keyword with its
# partner. The "ASCII" variants use SELECT as their content match.
# NOTE(review): the path and parameter names in both groups are generic. Nothing
# in the match is specific to the product named in msg, so expect alerts from
# unrelated applications that serve the same script name; confirm the target
# actually runs the named product when triaging.
# NOTE(review): matches are unordered and ".+" is unbounded, so a URI that
# merely contains both words alerts.
#
# Noname Media Photo Galerie Standard -- view.php, parameter id, CVE-2007-0786
# (sids 2005015-2005020). "id=" also matches any parameter name ending in "id".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005015; classtype:web-application-attack; sid:2005015; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UNION SELECT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005016; classtype:web-application-attack; sid:2005016; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id INSERT"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005017; classtype:web-application-attack; sid:2005017; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id DELETE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005018; classtype:web-application-attack; sid:2005018; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id ASCII"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005019; classtype:web-application-attack; sid:2005019; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE"; flow:established,to_server; uricontent:"/view.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005020; classtype:web-application-attack; sid:2005020; rev:5;)
#
# Raymond BERTHOU script -- login.asp, CVE-2007-0784.
# sids 2005021-2005026 key on "user=", sids 2005027 onward on "password=".
# NOTE(review): these rules match on login parameters carried in the URI, so the
# alert payload can contain whatever was submitted as user=/password=. Treat
# captured URIs for these sids as sensitive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005021; classtype:web-application-attack; sid:2005021; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UNION SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005022; classtype:web-application-attack; sid:2005022; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user INSERT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005023; classtype:web-application-attack; sid:2005023; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user DELETE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005024; classtype:web-application-attack; sid:2005024; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user ASCII"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005025; classtype:web-application-attack; sid:2005025; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005026; classtype:web-application-attack; sid:2005026; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005027; classtype:web-application-attack; sid:2005027; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UNION SELECT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005028; classtype:web-application-attack; sid:2005028; rev:5;)
# The rule below (password INSERT) continues on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password INSERT"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005029; classtype:web-application-attack; sid:2005029;
rev:5;)
# (The line above closes sid 2005029, the login.asp "password INSERT" rule that
# starts on the previous line.)
#
# Every rule below matches established, client-to-server TCP from $EXTERNAL_NET
# to $HTTP_SERVERS on $HTTP_PORTS, requires script path, parameter name and one
# SQL keyword (case-insensitive) in the request URI, and then applies a pcre on
# the URI buffer (U), case-insensitive (i), that pairs the keyword with its
# partner. The "ASCII" variants use SELECT as their content match.
# NOTE(review): matches are unordered and ".+" is unbounded, so a URI that
# merely contains both words alerts; read the decoded URI before escalating.
# NOTE(review): only the URI is inspected; a parameter carried in a request
# body needs separate coverage -- confirm against the application.
#
# Raymond BERTHOU script -- login.asp, parameter password, CVE-2007-0784
# (remaining variants: DELETE, ASCII, UPDATE).
# NOTE(review): alert payloads for these sids can contain the submitted
# password= value; treat captured URIs as sensitive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password DELETE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005030; classtype:web-application-attack; sid:2005030; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password ASCII"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005031; classtype:web-application-attack; sid:2005031; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE"; flow:established,to_server; uricontent:"/login.asp?"; nocase; uricontent:"password="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005032; classtype:web-application-attack; sid:2005032; rev:5;)
#
# dB Masters Curium CMS -- news.php, parameter c_id, CVE-2007-0765
# (sids 2005033-2005038), written with uricontent.
# NOTE(review): "/news.php?" is a generic script name; nothing in the match is
# specific to this product, so confirm the target runs it when triaging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005033; classtype:web-application-attack; sid:2005033; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UNION SELECT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005034; classtype:web-application-attack; sid:2005034; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id INSERT"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005035; classtype:web-application-attack; sid:2005035; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id DELETE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005036; classtype:web-application-attack; sid:2005036; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id ASCII"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005037; classtype:web-application-attack; sid:2005037; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE"; flow:established,to_server; uricontent:"/news.php?"; nocase; uricontent:"c_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005038; classtype:web-application-attack; sid:2005038; rev:5;)
#
# EasyMoblog -- add_comment.php, parameter i, CVE-2007-0759 (content + http_uri).
# NOTE(review): "i=" is a two-byte substring match, so it also matches any
# parameter whose name ends in "i"; the script path is what narrows these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005039; classtype:web-application-attack; sid:2005039; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UNION SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005040; classtype:web-application-attack; sid:2005040; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i INSERT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005041; classtype:web-application-attack; sid:2005041; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i DELETE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005042; classtype:web-application-attack; sid:2005042; rev:6;)
# (The line above is the tail of sid 2005042; that rule starts on the previous line.)
#
# EasyMoblog, CVE-2007-0759 -- rules for add_comment.php (parameters i and
# post_id) and list_comments.php (parameter i). Each rule requires script path,
# parameter name and one SQL keyword as case-insensitive http_uri matches, then
# a pcre on the URI buffer (U), case-insensitive (i), pairing the keyword with
# its partner. The "ASCII" variants use SELECT as their content match.
# Note the sid order: 2005044 (post_id SELECT) sits between the "i ASCII"
# (2005043) and "i UPDATE" (2005045) rules, so the msg text rather than sid
# adjacency identifies the parameter.
# NOTE(review): "i=" is a two-byte substring match and also matches any
# parameter whose name ends in "i"; the script path is what narrows these rules.
# NOTE(review): matches are unordered and ".+" is unbounded, so a URI that
# merely contains both words alerts; read the decoded URI before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i ASCII"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005043; classtype:web-application-attack; sid:2005043; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005044; classtype:web-application-attack; sid:2005044; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005045; classtype:web-application-attack; sid:2005045; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UNION SELECT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005046; classtype:web-application-attack; sid:2005046; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id INSERT"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005047; classtype:web-application-attack; sid:2005047; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id DELETE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005048; classtype:web-application-attack; sid:2005048; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id ASCII"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005049; classtype:web-application-attack; sid:2005049; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE"; flow:established,to_server; content:"/add_comment.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005050; classtype:web-application-attack; sid:2005050; rev:6;)
# list_comments.php, parameter i (sids 2005051-2005056).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i SELECT"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005051; classtype:web-application-attack; sid:2005051; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UNION SELECT"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005052; classtype:web-application-attack; sid:2005052; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i INSERT"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005053; classtype:web-application-attack; sid:2005053; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i DELETE"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005054; classtype:web-application-attack; sid:2005054; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i ASCII"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005055; classtype:web-application-attack; sid:2005055; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE"; flow:established,to_server; content:"/list_comments.php?"; nocase; http_uri; content:"i="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005056; classtype:web-application-attack; sid:2005056; rev:6;)
#
# ACGVannu -- /templates/modif.html, parameter id_mod, CVE-2007-0698.
# The first variant (SELECT) is complete below; the final line is the start of
# the next rule and continues on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod SELECT"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005057; classtype:web-application-attack; sid:2005057; rev:6;)
alert tcp
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UNION SELECT"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005058; classtype:web-application-attack; sid:2005058; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod INSERT"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005059; classtype:web-application-attack; sid:2005059; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod DELETE"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005060; classtype:web-application-attack; sid:2005060; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod ASCII"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005061; 
classtype:web-application-attack; sid:2005061; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE"; flow:established,to_server; content:"/templates/modif.html?"; nocase; http_uri; content:"id_mod="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005062; classtype:web-application-attack; sid:2005062; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id SELECT"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri;content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005063; classtype:web-application-attack; sid:2005063; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UNION SELECT"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005064; classtype:web-application-attack; sid:2005064; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id INSERT"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005065; 
classtype:web-application-attack; sid:2005065; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id DELETE"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005066; classtype:web-application-attack; sid:2005066; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id ASCII"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005067; classtype:web-application-attack; sid:2005067; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE"; flow:established,to_server; content:"/oku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005068; classtype:web-application-attack; sid:2005068; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid SELECT"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005069; 
classtype:web-application-attack; sid:2005069; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UNION SELECT"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005070; classtype:web-application-attack; sid:2005070; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid INSERT"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005071; classtype:web-application-attack; sid:2005071; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid DELETE"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005072; classtype:web-application-attack; sid:2005072; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ASCII"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0687; 
reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005073; classtype:web-application-attack; sid:2005073; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE"; flow:established,to_server; content:"/i-search.php?"; nocase; http_uri; content:"itemid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005074; classtype:web-application-attack; sid:2005074; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id SELECT"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005075; classtype:web-application-attack; sid:2005075; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UNION SELECT"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005076; classtype:web-application-attack; sid:2005076; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id INSERT"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; 
content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005077; classtype:web-application-attack; sid:2005077; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id DELETE"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005078; classtype:web-application-attack; sid:2005078; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id ASCII"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005079; classtype:web-application-attack; sid:2005079; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE"; flow:established,to_server; content:"/windows.asp?"; nocase; http_uri; content:"kategori_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005080; classtype:web-application-attack; sid:2005080; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id SELECT"; flow:established,to_server; content:"/faq.php?"; 
nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005081; classtype:web-application-attack; sid:2005081; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UNION SELECT"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005082; classtype:web-application-attack; sid:2005082; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id INSERT"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005083; classtype:web-application-attack; sid:2005083; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id DELETE"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005084; classtype:web-application-attack; sid:2005084; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id ASCII"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; 
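http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005085; classtype:web-application-attack; sid:2005085; rev:6;)

# ExoPHPDesk (CVE-2007-0676): faq.php "id" parameter, UPDATE ... SET variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE"; flow:established,to_server; content:"/faq.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005086; classtype:web-application-attack; sid:2005086; rev:6;)

# Eclectic Designs CascadianFAQ (CVE-2007-0663): index.php "qid" parameter.
# Six signatures, one per SQL keyword pair: SELECT..FROM, UNION SELECT, INSERT..INTO,
# DELETE..FROM, ASCII(..SELECT and UPDATE..SET. Each one requires the script path, the
# parameter name and the first keyword in the URI buffer (http_uri), then confirms the
# keyword pair with a case-insensitive pcre on that same buffer (the U and i flags).
# The msg says "Attempt": an alert shows that a request matched the keywords, not that the
# server was exploited. Triage by confirming the destination actually runs this application
# and by checking the response and the server logs.

# SELECT ... FROM variant.
# Fixed: content:"SELECT" now carries http_uri like the other five rules of this family.
# Without it the keyword was searched in the raw packet payload while the pcre inspected the
# URI buffer, so the cheap content check and the pcre did not look at the same data.
# NOTE(review): bump rev when this change is published.
# NOTE(review): the sibling rules pin fast_pattern on "qid="; this rule leaves the choice to
# the engine. Confirm whether that is intentional.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005087; classtype:web-application-attack; sid:2005087; rev:8;)

# UNION SELECT variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005088; classtype:web-application-attack; sid:2005088; rev:6;)

# INSERT ... INTO variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005089; classtype:web-application-attack; sid:2005089; rev:6;)

# DELETE ... FROM variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005090; classtype:web-application-attack; sid:2005090; rev:6;)

# ASCII( ... SELECT variant: the content check looks for "SELECT", the pcre for the pair.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005091; classtype:web-application-attack; sid:2005091; rev:7;)

# UPDATE ... SET variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005092; classtype:web-application-attack; sid:2005092; rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- 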
user_confirm.asp id SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005093; classtype:web-application-attack; sid:2005093; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UNION SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005094; classtype:web-application-attack; sid:2005094; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id INSERT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005095; classtype:web-application-attack; sid:2005095; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id DELETE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005096; classtype:web-application-attack; sid:2005096; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id ASCII"; 
flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005097; classtype:web-application-attack; sid:2005097; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005098; classtype:web-application-attack; sid:2005098; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005099; classtype:web-application-attack; sid:2005099; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005100; classtype:web-application-attack; sid:2005100; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass INSERT"; flow:established,to_server; 
uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005101; classtype:web-application-attack; sid:2005101; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass DELETE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005102; classtype:web-application-attack; sid:2005102; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass ASCII"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005103; classtype:web-application-attack; sid:2005103; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE"; flow:established,to_server; uricontent:"/user_confirm.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005104; classtype:web-application-attack; sid:2005104; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username SELECT"; flow:established,to_server; content:"/artreplydelete.asp?"; 
nocase; http_uri; content:"username="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005105; classtype:web-application-attack; sid:2005105; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UNION SELECT"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005106; classtype:web-application-attack; sid:2005106; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username INSERT"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005107; classtype:web-application-attack; sid:2005107; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username DELETE"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005108; classtype:web-application-attack; sid:2005108; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt 
-- artreplydelete.asp username ASCII"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005109; classtype:web-application-attack; sid:2005109; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE"; flow:established,to_server; content:"/artreplydelete.asp?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005110; classtype:web-application-attack; sid:2005110; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005111; classtype:web-application-attack; sid:2005111; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005112; classtype:web-application-attack; sid:2005112; rev:7;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005113; classtype:web-application-attack; sid:2005113; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005114; classtype:web-application-attack; sid:2005114; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005115; classtype:web-application-attack; sid:2005115; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005116; 
classtype:web-application-attack; sid:2005116; rev:6;)
# NOTE(review): the line above is the tail of a rule that starts before this span; it is left as found.
#
# --- X-dev xNews, /classes/class.news.php (CVE-2007-0630), sids 2005117-2005134 ---
# Eighteen sibling rules: one per parameter (id, from, q) and SQL keyword pattern.
# Each rule needs three case-insensitive URI matches (script path, parameter name,
# SQL keyword) and then a pcre on the decoded/normalized URI buffer (/U) for the
# keyword pair.
# Triage notes:
#  - The uricontent matches carry no distance/within, so the keyword may sit anywhere
#    in the URI, not only in the named parameter's value; short names such as "id="
#    or "q=" also match inside longer parameter names.
#  - Only the request URI is inspected; nothing in these rules looks at a request body.
#  - The "ASCII" variants anchor on SELECT and then require "ASCII(" ahead of it.
#  - An alert records an attempt toward $HTTP_SERVERS, not a successful query:
#    confirm the application is actually deployed and review the server's response.
#
# parameter: id
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005117; classtype:web-application-attack; sid:2005117; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UNION SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005118; classtype:web-application-attack; sid:2005118; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id INSERT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005119; classtype:web-application-attack; sid:2005119; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id DELETE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005120; classtype:web-application-attack; sid:2005120; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id ASCII"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005121; classtype:web-application-attack; sid:2005121; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005122; classtype:web-application-attack; sid:2005122; rev:5;)
# parameter: from
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005123; classtype:web-application-attack; sid:2005123; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UNION SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005124; classtype:web-application-attack; sid:2005124; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from INSERT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005125; classtype:web-application-attack; sid:2005125; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from DELETE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005126; classtype:web-application-attack; sid:2005126; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from ASCII"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005127; classtype:web-application-attack; sid:2005127; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"from="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005128; classtype:web-application-attack; sid:2005128; rev:5;)
# parameter: q
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005129; classtype:web-application-attack; sid:2005129; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UNION SELECT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005130; classtype:web-application-attack; sid:2005130; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q INSERT"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005131; classtype:web-application-attack; sid:2005131; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q DELETE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005132; classtype:web-application-attack; sid:2005132; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q ASCII"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005133; classtype:web-application-attack; sid:2005133; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE"; flow:established,to_server; uricontent:"/classes/class.news.php?"; nocase; uricontent:"q="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005134; classtype:web-application-attack; sid:2005134; rev:5;)
#
# --- MAXdev MDPro, /index.php startrow (CVE-2007-0623), sids 2005135 onward ---
# Same three-match-plus-pcre shape, written with content + http_uri instead of
# uricontent; both restrict the match to the URI buffer. "/index.php?" alone is
# not specific to this product, so "startrow=" does most of the narrowing.
# The last rule below continues on the line after this span.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005135; classtype:web-application-attack; sid:2005135; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005136; 
classtype:web-application-attack; sid:2005136; rev:6;)
# NOTE(review): the line above completes a rule whose head sits on the preceding line.
#
# All rules in this span share one shape: script path, parameter name and SQL keyword
# are matched case-insensitively in the URI buffer (content + http_uri, or uricontent
# for the Vivvo rule at the end), followed by a pcre on the decoded/normalized URI (/U).
# The three matches are independent (no distance/within), so the keyword is not
# required to be inside the named parameter, and request bodies are not inspected.
# Alerts indicate an attempt; verify the targeted application exists on the server
# before escalating.
#
# --- MAXdev MDPro, /index.php startrow (CVE-2007-0623), sids 2005137-2005140 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005137; classtype:web-application-attack; sid:2005137; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005138; classtype:web-application-attack; sid:2005138; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005139; classtype:web-application-attack; sid:2005139; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005140; classtype:web-application-attack; sid:2005140; rev:6;)
#
# --- Martyn Kilbryde Newsposter Script, /news_page.asp uid (CVE-2007-0600), sids 2005141-2005146 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid SELECT"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005141; classtype:web-application-attack; sid:2005141; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UNION SELECT"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005142; classtype:web-application-attack; sid:2005142; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid INSERT"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005143; classtype:web-application-attack; sid:2005143; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid DELETE"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005144; classtype:web-application-attack; sid:2005144; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ASCII"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005145; classtype:web-application-attack; sid:2005145; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE"; flow:established,to_server; content:"/news_page.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005146; classtype:web-application-attack; sid:2005146; rev:7;)
#
# --- Forum Livre, /info_user.asp user (CVE-2007-0589), sids 2005147-2005151 ---
# The plain SELECT variant of this family carries sid 2005176 and appears further
# down the file, after the ASP EDGE rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UNION SELECT"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005147; classtype:web-application-attack; sid:2005147; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user INSERT"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005148; classtype:web-application-attack; sid:2005148; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user DELETE"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005149; classtype:web-application-attack; sid:2005149; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user ASCII"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005150; classtype:web-application-attack; sid:2005150; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005151; classtype:web-application-attack; sid:2005151; rev:6;)
#
# --- SpoonLabs Vivvo Article Management CMS, /rss/show_webfeed.php wcHeadlines ---
# Head of the first rule in this family; it continues on the line after this span.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; 
uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005152; classtype:web-application-attack; sid:2005152; rev:5;)
# NOTE(review): the line above completes sid 2005152, whose head sits on the preceding line.
#
# Rules in this span match a script path, a parameter name and a SQL keyword in the
# URI (uricontent, case-insensitive), then confirm a keyword pair with a pcre on the
# decoded/normalized URI (/U). The matches are independent of each other, so they
# do not prove the keyword was supplied in the named parameter, and "id=" also
# matches inside longer parameter names. Request bodies are not inspected.
#
# --- SpoonLabs Vivvo Article Management CMS, /rss/show_webfeed.php wcHeadlines (CVE-2007-0574), sids 2005153-2005157 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005153; classtype:web-application-attack; sid:2005153; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005154; classtype:web-application-attack; sid:2005154; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005155; classtype:web-application-attack; sid:2005155; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005156; classtype:web-application-attack; sid:2005156; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE"; flow:established,to_server; uricontent:"/rss/show_webfeed.php?"; nocase; uricontent:"wcHeadlines="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005157; classtype:web-application-attack; sid:2005157; rev:5;)
#
# --- xNews, /xNews.php id (CVE-2007-0569), sids 2005158-2005163 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id SELECT"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005158; classtype:web-application-attack; sid:2005158; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UNION SELECT"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005159; classtype:web-application-attack; sid:2005159; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id INSERT"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005160; classtype:web-application-attack; sid:2005160; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id DELETE"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005161; classtype:web-application-attack; sid:2005161; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005162; classtype:web-application-attack; sid:2005162; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE"; flow:established,to_server; uricontent:"/xNews.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005163; classtype:web-application-attack; sid:2005163; rev:5;)
#
# --- ASP NEWS, /news_detail.asp id ---
# Head of the first rule in this family (content + http_uri form); it continues on
# the line after this span.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id SELECT"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; 
reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005164; classtype:web-application-attack; sid:2005164; rev:6;)
# NOTE(review): the line above completes sid 2005164, whose head sits on the preceding line.
#
# Rules in this span match a script path, usually a parameter name, and a SQL keyword
# in the URI buffer, then confirm a keyword pair with a pcre on the decoded/normalized
# URI (/U). The matches are independent (no distance/within): they show the strings
# co-occur in one URI, not that the keyword was placed in the named parameter.
# Request bodies are not inspected. Treat an alert as an attempt and check whether
# the named application is present before escalating.
#
# --- ASP NEWS, /news_detail.asp id (CVE-2007-0566), sids 2005165-2005169 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UNION SELECT"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005165; classtype:web-application-attack; sid:2005165; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id INSERT"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005166; classtype:web-application-attack; sid:2005166; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id DELETE"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005167; classtype:web-application-attack; sid:2005167; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id ASCII"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005168; classtype:web-application-attack; sid:2005168; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE"; flow:established,to_server; content:"/news_detail.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005169; classtype:web-application-attack; sid:2005169; rev:6;)
#
# --- ASP EDGE, /user.asp user (CVE-2007-0560), sids 2005170-2005175 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user SELECT"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005170; classtype:web-application-attack; sid:2005170; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UNION SELECT"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005171; classtype:web-application-attack; sid:2005171; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user INSERT"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005172; classtype:web-application-attack; sid:2005172; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user DELETE"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005173; classtype:web-application-attack; sid:2005173; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user ASCII"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005174; classtype:web-application-attack; sid:2005174; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE"; flow:established,to_server; content:"/user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005175; classtype:web-application-attack; sid:2005175; rev:6;)
#
# --- Forum Livre, /info_user.asp user SELECT (CVE-2007-0589), sid 2005176 ---
# "/user.asp?" in the ASP EDGE rules above is not a substring of "/info_user.asp?"
# (the leading slash differs), so the two families do not overlap on the path match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user SELECT"; flow:established,to_server; content:"/info_user.asp?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005176; classtype:web-application-attack; sid:2005176; rev:6;)
#
# --- AJ Forum, /topic_title.php td_id UNION SELECT (CVE-2007-1295), sid 2005177 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UNION SELECT"; flow:established,to_server; content:"/topic_title.php?"; nocase; http_uri; content:"td_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2005177; classtype:web-application-attack; sid:2005177; rev:6;)
#
# --- Hunkaray Okul Portaly, /haberoku.asp id SELECT (CVE-2007-3080), sid 2005179 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id SELECT"; flow:established,to_server; content:"/haberoku.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2005179; classtype:web-application-attack; sid:2005179; rev:6;)
#
# --- PHPWind, /admin.php (CVE-2006-7101), sids 2005180-2005181 ---
# These two match only the path "/admin.php?" plus a keyword pair, with no parameter
# name, so any application that exposes an admin.php can trigger them. Expect more
# false positives here than from the parameter-scoped rules and weigh alerts
# against what is actually installed on the destination server.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php INSERT"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005180; classtype:web-application-attack; sid:2005180; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE"; flow:established,to_server; uricontent:"/admin.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005181; classtype:web-application-attack; sid:2005181; rev:5;)
#
# Head of the next rule; its options continue on the line after this span.
alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UNION SELECT"; flow:established,to_server; uricontent:"/ViewBugs.php?"; nocase; uricontent:"s="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2005185; classtype:web-application-attack; sid:2005185; rev:5;)
# NOTE(review): the line above is the body of the TygerBT ViewBugs.php rule
# (sid 2005185, CVE-2007-1289); its "alert tcp ..." header sits on the preceding line.
# Its parameter match is the two characters "s=", which also matches the end of any
# longer parameter name, so the path and the UNION/SELECT pcre carry the detection.
#
# Rules in this span match a script path, a parameter name and a SQL keyword in the
# URI buffer, then confirm a keyword pair with a pcre on the decoded/normalized URI
# (/U). The matches are independent (no distance/within) and request bodies are not
# inspected. Alerts indicate an attempt; confirm the application is deployed and
# review the server's response before escalating.
#
# --- Online Web Building, /user_pages/page.asp art_id SELECT (CVE-2007-1058), sid 2005186 ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; uricontent:"/user_pages/page.asp?"; nocase; uricontent:"art_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2005186; classtype:web-application-attack; sid:2005186; rev:5;)
#
# --- W2B Online Banking, /DocPay.w2b listDocPay (CVE-2007-3175), sids 2005187-2005191 ---
# Written as content + http_uri + nocase; both modifiers apply to the content that
# precedes them. No plain SELECT variant for this family is visible in this span.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UNION SELECT"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005187; classtype:web-application-attack; sid:2005187; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay INSERT"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005188; classtype:web-application-attack; sid:2005188; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay DELETE"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005189; classtype:web-application-attack; sid:2005189; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay ASCII"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005190; classtype:web-application-attack; sid:2005190; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005191; classtype:web-application-attack; sid:2005191; rev:6;)
#
# --- Zindizayn Okul Web Sistemi, /mezungiris.asp (CVE-2007-3178), sids 2005192-2005203 ---
# Twelve sibling rules: parameters id and pass, six keyword patterns each.
# "id=" also matches inside longer parameter names.
# parameter: id
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005192; classtype:web-application-attack; sid:2005192; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UNION SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005193; classtype:web-application-attack; sid:2005193; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id INSERT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005194; classtype:web-application-attack; sid:2005194; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id DELETE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005195; classtype:web-application-attack; sid:2005195; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id ASCII"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005196; classtype:web-application-attack; sid:2005196; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005197; classtype:web-application-attack; sid:2005197; rev:5;)
# parameter: pass
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005198; classtype:web-application-attack; sid:2005198; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005199; classtype:web-application-attack; sid:2005199; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass INSERT"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005200; classtype:web-application-attack; sid:2005200; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass DELETE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005201; classtype:web-application-attack; sid:2005201; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass ASCII"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005202; classtype:web-application-attack; sid:2005202; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE"; flow:established,to_server; uricontent:"/mezungiris.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005203; classtype:web-application-attack; sid:2005203; rev:5;)
#
# Head of a further Zindizayn rule; it continues past the end of this span.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt 
-- ogretmenkontrol.asp pass SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005204; classtype:web-application-attack; sid:2005204; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005205; classtype:web-application-attack; sid:2005205; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass INSERT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005206; classtype:web-application-attack; sid:2005206; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass DELETE"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005207; classtype:web-application-attack; 
sid:2005207; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass ASCII"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005208; classtype:web-application-attack; sid:2005208; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005209; classtype:web-application-attack; sid:2005209; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005210; classtype:web-application-attack; sid:2005210; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UNION SELECT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3178; 
reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005211; classtype:web-application-attack; sid:2005211; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id INSERT"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005212; classtype:web-application-attack; sid:2005212; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id DELETE"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005213; classtype:web-application-attack; sid:2005213; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id ASCII"; flow:established,to_server; uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005214; classtype:web-application-attack; sid:2005214; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE"; flow:established,to_server; 
uricontent:"/ogretmenkontrol.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005215; classtype:web-application-attack; sid:2005215; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month SELECT"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005216; classtype:web-application-attack; sid:2005216; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UNION SELECT"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005217; classtype:web-application-attack; sid:2005217; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month INSERT"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005218; classtype:web-application-attack; sid:2005218; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt 
-- archives.php month DELETE"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005219; classtype:web-application-attack; sid:2005219; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month ASCII"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005220; classtype:web-application-attack; sid:2005220; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE"; flow:established,to_server; uricontent:"/archives.php?"; nocase; uricontent:"month="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005221; classtype:web-application-attack; sid:2005221; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id SELECT"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005222; classtype:web-application-attack; sid:2005222; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UNION SELECT"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005223; classtype:web-application-attack; sid:2005223; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id INSERT"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005224; classtype:web-application-attack; sid:2005224; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id DELETE"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005225; classtype:web-application-attack; sid:2005225; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005226; classtype:web-application-attack; sid:2005226; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID SELECT"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005227; classtype:web-application-attack; sid:2005227; rev:5;)
# eWebQuiz.asp QuizID group (sid 2005227-2005232, CVE-2007-0527); the SELECT
# rule, sid 2005227, ends on the line above.
# Shape shared by every rule in this group: three case-insensitive URI
# substrings with no ordering or distance constraint (script path, "QuizID=",
# one SQL keyword), then a PCRE on the normalized URI (/U) for the keyword pair.
# Only the request URI is inspected, so the same parameter sent in a request
# body is outside what these rules cover.
# NOTE(review): msg labels the product "Website Baker" while the matched script
# is eWebQuiz.asp; confirm the product name against the CVE-2007-0527 record.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UNION SELECT"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005228; classtype:web-application-attack; sid:2005228; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID INSERT"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005229; classtype:web-application-attack; sid:2005229; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID DELETE"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005230; classtype:web-application-attack; sid:2005230; rev:5;)
# ASCII variant: the content match is still SELECT; the PCRE additionally
# requires "ASCII(" somewhere before it in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID ASCII"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005231; classtype:web-application-attack; sid:2005231; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE"; flow:established,to_server; uricontent:"/eWebQuiz.asp?"; nocase; uricontent:"QuizID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005232; classtype:web-application-attack; sid:2005232; rev:5;)
# Unique Ads (UDS) banner.php bid group (sid 2005233-2005238, CVE-2007-0520),
# same rule shape as the group above.
# NOTE(review): the webSPELL gallery.php picID rules (sid 2005239-2005244) cite
# this same CVE-2007-0520; check which product the CVE record actually names
# before using the CVE field for triage or reporting.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid SELECT"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005233; classtype:web-application-attack; sid:2005233; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UNION SELECT"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005234; classtype:web-application-attack; sid:2005234; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid INSERT"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005235; classtype:web-application-attack; sid:2005235; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid DELETE"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005236; classtype:web-application-attack; sid:2005236; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid ASCII"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005237; classtype:web-application-attack; sid:2005237; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE"; flow:established,to_server; uricontent:"/banner.php?"; nocase; uricontent:"bid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; 
reference:url,doc.emergingthreats.net/2005238; classtype:web-application-attack; sid:2005238; rev:5;)
# webSPELL gallery.php, parameter picID (sid 2005239-2005244).
# Shape shared by every rule below: three case-insensitive URI substrings with
# no ordering or distance constraint (script path, parameter name, one SQL
# keyword), then a PCRE on the normalized URI (/U) for the keyword pair. Only
# the request URI is inspected.
# NOTE(review): these rules cite CVE-2007-0520, the same CVE the Unique Ads
# banner.php rules (sid 2005233-2005238) cite; one of the two groups probably
# carries the wrong reference. Verify before using the CVE field for triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005239; classtype:web-application-attack; sid:2005239; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005240; classtype:web-application-attack; sid:2005240; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005241; classtype:web-application-attack; sid:2005241; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005242; classtype:web-application-attack; sid:2005242; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005243; classtype:web-application-attack; sid:2005243; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"picID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005244; classtype:web-application-attack; sid:2005244; rev:5;)
# webSPELL gallery.php, parameter id (sid 2005245-2005250, CVE-2007-0492).
# The "id=" match is an unanchored, case-insensitive substring, so it is also
# satisfied by "picID=" and "galleryID=". One request can therefore raise an
# id alert together with the picID or galleryID alert for the same keyword;
# treat such pairs as a single event when triaging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005245; classtype:web-application-attack; sid:2005245; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005246; classtype:web-application-attack; sid:2005246; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005247; classtype:web-application-attack; sid:2005247; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005248; classtype:web-application-attack; sid:2005248; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005249; classtype:web-application-attack; sid:2005249; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005250; classtype:web-application-attack; sid:2005250; rev:5;)
# webSPELL gallery.php, parameter galleryID (sid 2005251-2005255, CVE-2007-0492).
# NOTE(review): this group has no UNION SELECT variant, unlike the picID and id
# groups; confirm whether that was intended. A galleryID request carrying
# UNION SELECT still matches sid 2005246 through the "id=" substring, but the
# alert is then labelled with the id parameter rather than galleryID.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005251; classtype:web-application-attack; sid:2005251; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID INSERT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005252; classtype:web-application-attack; sid:2005252; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID DELETE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005253; classtype:web-application-attack; sid:2005253; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID ASCII"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005254; classtype:web-application-attack; sid:2005254; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; 
uricontent:"galleryID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005255; classtype:web-application-attack; sid:2005255; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat SELECT"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005256; classtype:web-application-attack; sid:2005256; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UNION SELECT"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005257; classtype:web-application-attack; sid:2005257; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat INSERT"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005258; classtype:web-application-attack; sid:2005258; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat DELETE"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; 
content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005259; classtype:web-application-attack; sid:2005259; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat ASCII"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005260; classtype:web-application-attack; sid:2005260; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE"; flow:established,to_server; content:"/show_owned.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005261; classtype:web-application-attack; sid:2005261; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat SELECT"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005262; classtype:web-application-attack; sid:2005262; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UNION SELECT"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; 
content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005263; classtype:web-application-attack; sid:2005263; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat INSERT"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005264; classtype:web-application-attack; sid:2005264; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat DELETE"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005265; classtype:web-application-attack; sid:2005265; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat ASCII"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005266; classtype:web-application-attack; sid:2005266; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE"; flow:established,to_server; content:"/show_joined.php?"; nocase; http_uri; 
content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005267; classtype:web-application-attack; sid:2005267; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005268; classtype:web-application-attack; sid:2005268; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UNION SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005269; classtype:web-application-attack; sid:2005269; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword INSERT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005270; classtype:web-application-attack; sid:2005270; 
rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword DELETE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005271; classtype:web-application-attack; sid:2005271; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword ASCII"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005272; classtype:web-application-attack; sid:2005272; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005273; classtype:web-application-attack; sid:2005273; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; 
content:"init_row="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005274; classtype:web-application-attack; sid:2005274; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UNION SELECT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005275; classtype:web-application-attack; sid:2005275; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row INSERT"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005276; classtype:web-application-attack; sid:2005276; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row DELETE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005277; classtype:web-application-attack; 
sid:2005277; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row ASCII"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005278; classtype:web-application-attack; sid:2005278; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE"; flow:established,to_server; content:"/admin/memberlist.php?"; nocase; http_uri; content:"init_row="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005279; classtype:web-application-attack; sid:2005279; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005280; classtype:web-application-attack; sid:2005280; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0388; 
reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005281; classtype:web-application-attack; sid:2005281; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005282; classtype:web-application-attack; sid:2005282; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005283; classtype:web-application-attack; sid:2005283; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005284; classtype:web-application-attack; sid:2005284; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"boardids["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0388; 
reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005285; classtype:web-application-attack; sid:2005285; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005286; classtype:web-application-attack; sid:2005286; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005287; classtype:web-application-attack; sid:2005287; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005288; classtype:web-application-attack; sid:2005288; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; 
reference:url,doc.emergingthreats.net/2005289; classtype:web-application-attack; sid:2005289; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005290; classtype:web-application-attack; sid:2005290; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"board["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005291; classtype:web-application-attack; sid:2005291; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005292; classtype:web-application-attack; sid:2005292; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid UNION SELECT"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005293; classtype:web-application-attack; sid:2005293; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005294; classtype:web-application-attack; sid:2005294; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005295; classtype:web-application-attack; sid:2005295; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- category.php catid ASCII"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005296; classtype:web-application-attack; sid:2005296; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE"; flow:established,to_server; content:"/models/category.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005297; classtype:web-application-attack; sid:2005297; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005298; classtype:web-application-attack; sid:2005298; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id UNION SELECT"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005299; classtype:web-application-attack; sid:2005299; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005300; classtype:web-application-attack; sid:2005300; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005301; classtype:web-application-attack; sid:2005301; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- letterman.class.php id ASCII"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005302; classtype:web-application-attack; sid:2005302; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE"; flow:established,to_server; content:"/letterman.class.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005303; classtype:web-application-attack; sid:2005303; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft SELECT"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005304; classtype:web-application-attack; sid:2005304; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UNION SELECT"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005305; classtype:web-application-attack; sid:2005305; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
W2B Online Banking SQL Injection Attempt -- mailer.w2b draft INSERT"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005306; classtype:web-application-attack; sid:2005306; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft DELETE"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005307; classtype:web-application-attack; sid:2005307; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft ASCII"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005308; classtype:web-application-attack; sid:2005308; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE"; flow:established,to_server; content:"/mailer.w2b?"; http_uri; nocase; content:"draft="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005309; classtype:web-application-attack; sid:2005309; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay SELECT"; flow:established,to_server; content:"/DocPay.w2b?"; http_uri; nocase; content:"listDocPay="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005310; classtype:web-application-attack; sid:2005310; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id ASCII"; flow:established,to_server; content:"/print.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005311; classtype:web-application-attack; sid:2005311; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UNION SELECT"; flow:established,to_server; uricontent:"/gallery.php?"; nocase; uricontent:"galleryID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005312; classtype:web-application-attack; sid:2005312; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; content:"User-Agent|3a| fetcher|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2005318; classtype:trojan-activity; sid:2005318; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:trojan-activity; sid:2005319; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MyAgent)"; flow:to_server,established; content:"User-Agent|3a| MyAgent"; nocase; http_header; content:!"Host|3a 20|driverdl.lenovo.com.cn|0d 0a|"; http_header; content:!"www.google-analytics.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; classtype:trojan-activity; sid:2005320; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; content:"User-Agent|3a| NavHelper"; nocase; http_header; reference:url,doc.emergingthreats.net/2005321; classtype:trojan-activity; sid:2005321; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; content:"User-Agent|3a| SpyLocked"; nocase; http_header; classtype:trojan-activity; sid:2005322; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php SELECT"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005324; classtype:web-application-attack; sid:2005324; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UNION SELECT"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; 
reference:url,doc.emergingthreats.net/2005325; classtype:web-application-attack; sid:2005325; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php INSERT"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005326; classtype:web-application-attack; sid:2005326; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php DELETE"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005327; classtype:web-application-attack; sid:2005327; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php ASCII"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005328; classtype:web-application-attack; sid:2005328; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE"; flow:established,to_server; uricontent:"/bb-includes/formatting-functions.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005329; classtype:web-application-attack; sid:2005329; rev:5;) alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic SELECT"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005330; classtype:web-application-attack; sid:2005330; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UNION SELECT"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005331; classtype:web-application-attack; sid:2005331; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic INSERT"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005332; classtype:web-application-attack; sid:2005332; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic DELETE"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005333; classtype:web-application-attack; sid:2005333; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic ASCII"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005334; classtype:web-application-attack; sid:2005334; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE"; flow:established,to_server; content:"/low.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005335; classtype:web-application-attack; sid:2005335; rev:6;)
# e-Vision CMS style.php SQL injection via the "template" parameter, CVE-2007-3214 (sids from 2005336).
# Match: /style.php?, template= and one SQL keyword anywhere in the URI (content + http_uri, nocase),
# confirmed by a case-insensitive PCRE on the normalized URI (/U).
# Triage: "/style.php?" is a generic script name and nothing ties it to an e-Vision install path,
# so confirm the target actually runs e-Vision CMS before attributing an alert to this CVE.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template SELECT"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005336; classtype:web-application-attack; sid:2005336; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UNION SELECT"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005337; classtype:web-application-attack; sid:2005337; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template INSERT"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005338; classtype:web-application-attack; sid:2005338; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template DELETE"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005339; classtype:web-application-attack; sid:2005339; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template ASCII"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005340; classtype:web-application-attack; sid:2005340; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE"; flow:established,to_server; content:"/style.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005341; classtype:web-application-attack; sid:2005341; rev:6;)
# JFFNMS auth.php SQL injection via the "pass" parameter, CVE-2007-3204 (sids from 2005342).
# Match: /auth.php?, pass= and one SQL keyword anywhere in the URI, then the keyword-pair PCRE.
# Triage: auth.php is presumably the login endpoint (TODO confirm), so correlate alerts with
# authentication logs for the same source. The rules show an attempt in the request URI; they do
# not inspect the response, so a hit alone does not show the query reached the database.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005342; classtype:web-application-attack; sid:2005342; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005343; classtype:web-application-attack; sid:2005343; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005344; classtype:web-application-attack; sid:2005344; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005345; classtype:web-application-attack; 
sid:2005345; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005346; classtype:web-application-attack; sid:2005346; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005347; classtype:web-application-attack; sid:2005347; rev:6;)
# vBSupport vBSupport.php SQL injection, CVE-2007-3197 (sids from 2005348).
# Match: script path plus one SQL keyword in the URI (uricontent, nocase), then a case-insensitive
# PCRE on the normalized URI. No parameter name is anchored, so the keyword can sit anywhere in
# the query string of a request to this script.
# Maintenance: uricontent is the legacy form of content + http_uri used by the rev:6 rules above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005348; classtype:web-application-attack; sid:2005348; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UNION SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005349; classtype:web-application-attack; sid:2005349; 
rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php INSERT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005350; classtype:web-application-attack; sid:2005350; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php DELETE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005351; classtype:web-application-attack; sid:2005351; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php ASCII"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005352; classtype:web-application-attack; sid:2005352; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005353; classtype:web-application-attack; sid:2005353; rev:5;)
# vSupport Integrated Ticket System, "ticketid" parameter, CVE-2007-3196 (sids from 2005354).
# These add uricontent:"ticketid=" to the same path, keyword and PCRE conditions as the unanchored
# vBSupport.php rules (e.g. sids 2005350-2005353 above), so a request that matches here also
# satisfies the broader rule for the same keyword. Expect paired alerts and de-duplicate on sid
# when counting events; the two families cite different CVEs for the same request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection 
Attempt -- vBSupport.php ticketid SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005354; classtype:web-application-attack; sid:2005354; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UNION SELECT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005355; classtype:web-application-attack; sid:2005355; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid INSERT"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005356; classtype:web-application-attack; sid:2005356; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid DELETE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005357; classtype:web-application-attack; sid:2005357; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated 
Ticket System SQL Injection Attempt -- vBSupport.php ticketid ASCII"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005358; classtype:web-application-attack; sid:2005358; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE"; flow:established,to_server; uricontent:"/vBSupport.php?"; nocase; uricontent:"ticketid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005359; classtype:web-application-attack; sid:2005359; rev:5;)
# JFFNMS auth.php SQL injection via the "user" parameter, CVE-2007-3190 (sids from 2005360).
# Match: /auth.php?, user= and one SQL keyword anywhere in the URI (content + http_uri, nocase),
# then the keyword-pair PCRE on the normalized URI (/U), ignoring case (/i).
# Scope: every match here is on the request URI only, so pair these rules with application and
# database logging for input that arrives by other means.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005360; classtype:web-application-attack; sid:2005360; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005361; classtype:web-application-attack; sid:2005361; rev:6;)
alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005362; classtype:web-application-attack; sid:2005362; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005363; classtype:web-application-attack; sid:2005363; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005364; classtype:web-application-attack; sid:2005364; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; 
reference:url,doc.emergingthreats.net/2005365; classtype:web-application-attack; sid:2005365; rev:6;)
# Fullaspsite GeometriX Download Portal down_indir.asp, "id" parameter, CVE-2007-3188 (sids from 2005372).
# Match: /down_indir.asp?, id= and one SQL keyword in the URI (content + http_uri, nocase), then
# the keyword-pair PCRE on the normalized URI.
# Triage: "id=" is matched as a plain substring, so it is also satisfied by longer parameter names
# that end in "id=" (e.g. "uid="); the script path carries most of the specificity here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005372; classtype:web-application-attack; sid:2005372; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005373; classtype:web-application-attack; sid:2005373; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005374; classtype:web-application-attack; sid:2005374; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; 
pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005375; classtype:web-application-attack; sid:2005375; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005376; classtype:web-application-attack; sid:2005376; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005377; classtype:web-application-attack; sid:2005377; rev:6;)
# Xoops kernel/group.php SQL injection via the "id" parameter, CVE-2007-0377 (sids from 2005378).
# Match: /kernel/group.php?, id= and one SQL keyword in the URI (uricontent, nocase), then a
# case-insensitive PCRE on the normalized URI requiring the keyword pair in order.
# Maintenance: uricontent is the legacy form of the content + http_uri pairing used by the rev:6
# rules above; verify behaviour on the sensor version in use before converting.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id SELECT"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005378; classtype:web-application-attack; sid:2005378; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UNION SELECT"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; 
reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005379; classtype:web-application-attack; sid:2005379; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id INSERT"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005380; classtype:web-application-attack; sid:2005380; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id DELETE"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005381; classtype:web-application-attack; sid:2005381; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id ASCII"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005382; classtype:web-application-attack; sid:2005382; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE"; flow:established,to_server; uricontent:"/kernel/group.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005383; 
classtype:web-application-attack; sid:2005383; rev:5;)
# Xoops class/table_broken.php SQL injection via the "lid" parameter (sids from 2005384).
# Match: /class/table_broken.php?, lid= and one SQL keyword in the URI (uricontent, nocase), then
# the keyword-pair PCRE on the normalized URI.
# Triage: these cite the same CVE (CVE-2007-0377) and BID as the Xoops group.php rules in this
# file, so the reference alone does not say which script was targeted; use the msg text or sid.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid SELECT"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005384; classtype:web-application-attack; sid:2005384; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UNION SELECT"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005385; classtype:web-application-attack; sid:2005385; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid INSERT"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005386; classtype:web-application-attack; sid:2005386; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid DELETE"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005387; classtype:web-application-attack; sid:2005387; rev:5;)
alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid ASCII"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005388; classtype:web-application-attack; sid:2005388; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE"; flow:established,to_server; uricontent:"/class/table_broken.php?"; nocase; uricontent:"lid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005389; classtype:web-application-attack; sid:2005389; rev:5;)
# Joomla! plugins/user/example.php SQL injection, CVE-2007-0375 (sids from 2005390).
# Match: the full plugin path plus one SQL keyword in the URI (content + http_uri, nocase), then
# the keyword-pair PCRE on the normalized URI; no parameter name is anchored.
# Scope: the header only covers $EXTERNAL_NET -> $HTTP_SERVERS on $HTTP_PORTS, so detection depends
# on those variables listing every web server and port actually in use.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005390; classtype:web-application-attack; sid:2005390; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005391; classtype:web-application-attack; sid:2005391; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005392; classtype:web-application-attack; sid:2005392; rev:6;)
# NOTE(review): the /plugins/user/example.php rules go from DELETE (sid 2005392) straight to ASCII
# (sid 2005394). Unlike the gmail.php rules below, no INSERT variant for this path appears here;
# check the upstream ruleset before assuming INSERT coverage for this script.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005394; classtype:web-application-attack; sid:2005394; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005395; classtype:web-application-attack; sid:2005395; rev:6;)
# Joomla! gmail.php SQL injection, same CVE-2007-0375 reference (sids from 2005396).
# Triage: the path content is just "/gmail.php?" with no Joomla! directory prefix, so any
# application exposing a script of that name can raise a "Joomla!" alert. Confirm the product on
# the target before attributing the hit to this CVE.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php SELECT"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005396; classtype:web-application-attack; sid:2005396; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005397; classtype:web-application-attack; sid:2005397; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005398; classtype:web-application-attack; sid:2005398; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005399; classtype:web-application-attack; sid:2005399; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- gmail.php ASCII"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005400; classtype:web-application-attack; sid:2005400; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE"; flow:established,to_server; content:"/gmail.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005401; classtype:web-application-attack; sid:2005401; rev:6;)
# Joomla! example.php with an unanchored path (sids from 2005402).
# "/example.php?" is a substring of "/plugins/user/example.php?", so these rules also fire on every
# request matched by the /plugins/user/example.php rules (sids 2005390-2005395) for the same
# keyword, and the msg text is identical in both families. Tell them apart by sid when triaging
# or counting alerts; a hit on this family alone means the request used some other directory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005402; classtype:web-application-attack; sid:2005402; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005403; classtype:web-application-attack; sid:2005403; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005404; classtype:web-application-attack; sid:2005404; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005405; classtype:web-application-attack; sid:2005405; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005406; classtype:web-application-attack; sid:2005406; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; content:"/example.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005407; classtype:web-application-attack; sid:2005407; rev:6;)
# Joomla! plugins/authentication/ldap.php SQL injection, CVE-2007-0375 (sids from 2005408).
# Match: the full plugin path plus one SQL keyword in the URI (content + http_uri, nocase), then a
# case-insensitive PCRE on the normalized URI (/U) requiring the keyword pair in order.
# The ASCII variant looks for "ASCII(" followed later by SELECT; presumably aimed at
# character-by-character extraction probes (NOTE(review): intent inferred from the pattern).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php SELECT"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005408; classtype:web-application-attack; sid:2005408; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005409; classtype:web-application-attack; sid:2005409; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005410; classtype:web-application-attack; sid:2005410; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005411; classtype:web-application-attack; sid:2005411; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- ldap.php ASCII"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005412; classtype:web-application-attack; sid:2005412; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE"; flow:established,to_server; content:"/plugins/authentication/ldap.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005413; classtype:web-application-attack; sid:2005413; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005414; classtype:web-application-attack; sid:2005414; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005415; classtype:web-application-attack; sid:2005415; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- menu.php INSERT"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005416; classtype:web-application-attack; sid:2005416; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005417; classtype:web-application-attack; sid:2005417; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005418; classtype:web-application-attack; sid:2005418; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE"; flow:established,to_server; content:"/modules/mod_mainmenu/menu.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005419; classtype:web-application-attack; sid:2005419; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- content.php where SELECT"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005420; classtype:web-application-attack; sid:2005420; rev:6;)
# (The line above is the tail of sid 2005420; its head sits on the previous physical line of this listing.)
#
# ---------------------------------------------------------------------------
# Joomla! SQL injection attempt signatures referencing CVE-2007-0373,
# "where=" parameter of plugins/search/content.php and plugins/search/weblinks.php
# ---------------------------------------------------------------------------
# Each rule requires, all case-insensitively and all in the URI buffer:
#   1. the script path followed by "?",
#   2. the parameter name "where=",
#   3. a SQL keyword, confirmed by a pcre (flags U = URI buffer, i = case-insensitive).
# The three content matches carry no distance/within/offset, so nothing here
# ties the keyword to the value of "where=" -- the rule fires when all three
# strings appear anywhere in the URI. Treat an alert as "request worth looking
# at", not as proof of exploitation, and check the server-side logs.
# Only the URI is examined; request bodies are not inspected by these rules.
# $HTTP_SERVERS / $HTTP_PORTS come from sensor configuration (not shown here).

# sid 2005421: UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005421; classtype:web-application-attack; sid:2005421; rev:6;)
# sid 2005422: INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005422; classtype:web-application-attack; sid:2005422; rev:6;)
# sid 2005423: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005423; classtype:web-application-attack; sid:2005423; rev:6;)
# sid 2005424: "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005424; classtype:web-application-attack; sid:2005424; rev:6;)
# sid 2005425: UPDATE ... SET. (The missing space after the first "http_uri;" is in the source and is left as-is.)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE"; flow:established,to_server; content:"/plugins/search/content.php?"; nocase; http_uri;content:"where="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005425; classtype:web-application-attack; sid:2005425; rev:6;)

# --- /plugins/search/weblinks.php, parameter "where=" ---
# sid 2005426: SELECT ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005426; classtype:web-application-attack; sid:2005426; rev:6;)
# sid 2005427: UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005427; classtype:web-application-attack; sid:2005427; rev:6;)
# sid 2005428: INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005428; classtype:web-application-attack; sid:2005428; rev:6;)
# sid 2005429: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005429; classtype:web-application-attack; sid:2005429; rev:6;)
# sid 2005430: "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005430; classtype:web-application-attack; sid:2005430; rev:6;)
# sid 2005431: UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE"; flow:established,to_server; content:"/plugins/search/weblinks.php?"; nocase; http_uri; content:"where="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005431; classtype:web-application-attack; sid:2005431; rev:6;)
# Head of the next rule; it continues on the following physical line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- contacts.php text SELECT"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005432; classtype:web-application-attack; sid:2005432; rev:6;)
# (The line above is the tail of sid 2005432; its head sits on the previous physical line of this listing.)
#
# ---------------------------------------------------------------------------
# Joomla! SQL injection attempt signatures referencing CVE-2007-0373,
# "text=" parameter of plugins/search/{contacts,categories,sections}.php
# ---------------------------------------------------------------------------
# Each rule requires the script path plus "?", the parameter name "text=" and a
# SQL keyword, all matched case-insensitively in the URI buffer (http_uri), and
# then confirms the keyword pair with a pcre using the U (URI buffer) and
# i (case-insensitive) flags.
# NOTE(review): "text=" looks like a free-text search field -- if so, benign
# searches that happen to contain e.g. both "select" and "from" will match;
# confirm against local traffic before using these rules for blocking.
# Only the URI is examined; request bodies are not inspected by these rules.
# $HTTP_SERVERS / $HTTP_PORTS come from sensor configuration (not shown here).

# sid 2005433: contacts.php, UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005433; classtype:web-application-attack; sid:2005433; rev:6;)
# sid 2005434: contacts.php, INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005434; classtype:web-application-attack; sid:2005434; rev:6;)
# sid 2005435: contacts.php, DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005435; classtype:web-application-attack; sid:2005435; rev:6;)
# sid 2005436: contacts.php, "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005436; classtype:web-application-attack; sid:2005436; rev:6;)
# sid 2005437: contacts.php, UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE"; flow:established,to_server; content:"/plugins/search/contacts.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005437; classtype:web-application-attack; sid:2005437; rev:6;)

# --- /plugins/search/categories.php, parameter "text=" ---
# sid 2005438: SELECT ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005438; classtype:web-application-attack; sid:2005438; rev:6;)
# sid 2005439: UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005439; classtype:web-application-attack; sid:2005439; rev:6;)
# sid 2005440: INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005440; classtype:web-application-attack; sid:2005440; rev:6;)
# sid 2005441: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005441; classtype:web-application-attack; sid:2005441; rev:6;)
# sid 2005442: "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005442; classtype:web-application-attack; sid:2005442; rev:6;)
# sid 2005443: UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE"; flow:established,to_server; content:"/plugins/search/categories.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005443; classtype:web-application-attack; sid:2005443; rev:6;)

# --- /plugins/search/sections.php, parameter "text=" ---
# sid 2005444: SELECT ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005444; classtype:web-application-attack; sid:2005444; rev:6;)
# sid 2005445: UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005445; classtype:web-application-attack; sid:2005445; rev:6;)
# sid 2005446: INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005446; classtype:web-application-attack; sid:2005446; rev:6;)
# sid 2005447: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005447; classtype:web-application-attack; sid:2005447; rev:6;)
# sid 2005448: "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005448; classtype:web-application-attack; sid:2005448; rev:6;)
# sid 2005449: UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE"; flow:established,to_server; content:"/plugins/search/sections.php?"; nocase; http_uri; content:"text="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005449; classtype:web-application-attack; sid:2005449; rev:6;)
# Head of the next rule; it continues on the following physical line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SQL Injection Attempt -- user.php email SELECT"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005450; classtype:web-application-attack; sid:2005450; rev:6;)
# (The line above is the tail of sid 2005450; its head sits on the previous physical line of this listing.)
#
# ---------------------------------------------------------------------------
# Joomla! SQL injection attempt signatures referencing CVE-2007-0373,
# "email=" parameter of /database/table/user.php
# ---------------------------------------------------------------------------
# Each rule requires the path plus "?", the parameter name "email=" and a SQL
# keyword, all matched case-insensitively in the URI buffer (http_uri), then
# confirms the keyword pair with a pcre (U = URI buffer, i = case-insensitive).
# An alert records a matching request only; verify on the server side whether
# the application is present and how it responded.
# Only the URI is examined; request bodies are not inspected by these rules.
# $HTTP_SERVERS / $HTTP_PORTS come from sensor configuration (not shown here).

# sid 2005451: UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005451; classtype:web-application-attack; sid:2005451; rev:6;)
# sid 2005452: INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005452; classtype:web-application-attack; sid:2005452; rev:6;)
# sid 2005453: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005453; classtype:web-application-attack; sid:2005453; rev:6;)
# sid 2005454: "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005454; classtype:web-application-attack; sid:2005454; rev:6;)
# sid 2005455: UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE"; flow:established,to_server; content:"/database/table/user.php?"; nocase; http_uri; content:"email="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005455; classtype:web-application-attack; sid:2005455; rev:6;)

# ---------------------------------------------------------------------------
# Francisco Burzi PHP-Nuke SQL injection attempt signatures referencing
# CVE-2007-0372 -- "active=" parameter of /admin/modules/modules.php
# ---------------------------------------------------------------------------
# Same three-part shape as the Joomla! rules above (path, parameter name, SQL
# keyword + pcre), but written with uricontent instead of content + http_uri.
# NOTE(review): uricontent is the older spelling of a URI-buffer content match;
# confirm the engine version you deploy on still accepts it.
# sid 2005456: SELECT ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active SELECT"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005456; classtype:web-application-attack; sid:2005456; rev:5;)
# Head of the next rule; it continues on the following physical line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UNION SELECT"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005457; classtype:web-application-attack; sid:2005457; rev:5;)
# (The line above is the tail of sid 2005457; its head sits on the previous physical line of this listing.)
#
# ---------------------------------------------------------------------------
# Francisco Burzi PHP-Nuke SQL injection attempt signatures referencing
# CVE-2007-0372
#   /admin/modules/modules.php            parameter "active="
#   /modules/Advertising/admin/index.php  parameters "ad_class=", "imageurl="
# ---------------------------------------------------------------------------
# Shape shared by every rule in this group:
#   * Header: tcp, $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS, with
#     flow:established,to_server (client-to-server, established sessions).
#     The variables come from sensor configuration (not shown here).
#   * Three uricontent matches, each nocase: script path plus "?", parameter
#     name, SQL keyword. None carries a positional modifier, so the rule does
#     not tie the keyword to that parameter's value.
#   * pcre with flags U (URI buffer) and i (case-insensitive) confirming the
#     keyword pair named in msg.
# NOTE(review): these rules use uricontent where the Joomla! rules elsewhere in
# this file use content + http_uri. uricontent is the older spelling of the
# same URI-buffer match; confirm the engine version you deploy on still
# accepts it.
# Triage: both paths contain "/admin/", so requests to them from $EXTERNAL_NET
# may be worth reviewing in their own right. An alert shows a matching request,
# not a successful query -- check server-side logs. Request bodies are not
# inspected by these rules.

# sid 2005458: modules.php active=, INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active INSERT"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005458; classtype:web-application-attack; sid:2005458; rev:5;)
# sid 2005459: modules.php active=, DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active DELETE"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005459; classtype:web-application-attack; sid:2005459; rev:5;)
# sid 2005460: modules.php active=, "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active ASCII"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005460; classtype:web-application-attack; sid:2005460; rev:5;)
# sid 2005461: modules.php active=, UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE"; flow:established,to_server; uricontent:"/admin/modules/modules.php?"; nocase; uricontent:"active="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005461; classtype:web-application-attack; sid:2005461; rev:5;)

# --- /modules/Advertising/admin/index.php, parameter "ad_class=" ---
# sid 2005462: SELECT ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005462; classtype:web-application-attack; sid:2005462; rev:5;)
# sid 2005463: UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005463; classtype:web-application-attack; sid:2005463; rev:5;)
# sid 2005464: INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005464; classtype:web-application-attack; sid:2005464; rev:5;)
# sid 2005465: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005465; classtype:web-application-attack; sid:2005465; rev:5;)
# sid 2005466: "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005466; classtype:web-application-attack; sid:2005466; rev:5;)
# sid 2005467: UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_class="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005467; classtype:web-application-attack; sid:2005467; rev:5;)

# --- /modules/Advertising/admin/index.php, parameter "imageurl=" ---
# sid 2005468: SELECT ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005468; classtype:web-application-attack; sid:2005468; rev:5;)
# sid 2005469: UNION, whitespace, SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005469; classtype:web-application-attack; sid:2005469; rev:5;)
# sid 2005470: INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005470; classtype:web-application-attack; sid:2005470; rev:5;)
# sid 2005471: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005471; classtype:web-application-attack; sid:2005471; rev:5;)
# Head of the imageurl "ASCII(" ... SELECT rule; it continues on the following physical line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; 
reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005472; classtype:web-application-attack; sid:2005472; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"imageurl="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005473; classtype:web-application-attack; sid:2005473; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005474; classtype:web-application-attack; sid:2005474; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005475; classtype:web-application-attack; sid:2005475; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"INSERT"; 
nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005476; classtype:web-application-attack; sid:2005476; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005477; classtype:web-application-attack; sid:2005477; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"clickurl="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005479; classtype:web-application-attack; sid:2005479; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; 
nocase; uricontent:"ad_code="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005480; classtype:web-application-attack; sid:2005480; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005481; classtype:web-application-attack; sid:2005481; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005482; classtype:web-application-attack; sid:2005482; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005483; classtype:web-application-attack; sid:2005483; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code ASCII"; 
flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005484; classtype:web-application-attack; sid:2005484; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"ad_code="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005485; classtype:web-application-attack; sid:2005485; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005486; classtype:web-application-attack; sid:2005486; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UNION SELECT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005487; classtype:web-application-attack; sid:2005487; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi 
PHP-Nuke SQL Injection Attempt -- index.php position INSERT"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005489; classtype:web-application-attack; sid:2005489; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position DELETE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005490; classtype:web-application-attack; sid:2005490; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position ASCII"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005491; classtype:web-application-attack; sid:2005491; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE"; flow:established,to_server; uricontent:"/modules/Advertising/admin/index.php?"; nocase; uricontent:"position="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005492; classtype:web-application-attack; sid:2005492; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005493; classtype:web-application-attack; sid:2005493; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UNION SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005494; classtype:web-application-attack; sid:2005494; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid INSERT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005495; classtype:web-application-attack; sid:2005495; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid DELETE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005496; classtype:web-application-attack; sid:2005496; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid ASCII"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005497; classtype:web-application-attack; sid:2005497; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"Itemid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005498; classtype:web-application-attack; sid:2005498; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005499; classtype:web-application-attack; sid:2005499; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UNION SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005500; classtype:web-application-attack; sid:2005500; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id INSERT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005501; classtype:web-application-attack; sid:2005501; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id DELETE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005502; classtype:web-application-attack; sid:2005502; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id ASCII"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005503; classtype:web-application-attack; sid:2005503; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"product_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005504; classtype:web-application-attack; sid:2005504; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005505; classtype:web-application-attack; sid:2005505; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UNION SELECT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005506; classtype:web-application-attack; sid:2005506; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id INSERT"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005507; classtype:web-application-attack; sid:2005507; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id DELETE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005508; classtype:web-application-attack; sid:2005508; rev:5;) alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id ASCII"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005509; classtype:web-application-attack; sid:2005509; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE"; flow:established,to_server; uricontent:"/virtuemart_parser.php?"; nocase; uricontent:"category_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005510; classtype:web-application-attack; sid:2005510; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005511; classtype:web-application-attack; sid:2005511; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005512; classtype:web-application-attack; sid:2005512; rev:6;) 
# --- MGB OpenSource Guestbook email.php, SQL injection (CVE-2007-0354), continued ---
# INSERT, DELETE, ASCII and UPDATE variants; sid 2005513 does not appear in this listing.
# All matches are in the URI buffer (content + http_uri, pcre /U) with no distance/within, so the
#   keyword is not tied to the id parameter; content:"id=" also matches any name ending in "id".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005514; classtype:web-application-attack; sid:2005514; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005515; classtype:web-application-attack; sid:2005515; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005516; classtype:web-application-attack; sid:2005516; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005517; classtype:web-application-attack; sid:2005517; rev:6;)

# --- SmE FileMailer index.php / dl.php, SQL injection (CVE-2007-0350) ---
# Parameters covered: index.php ps=, us=, f=, code=; dl.php code=, f=. Six keyword patterns
#   each, matched case-insensitively: SELECT..FROM, UNION SELECT, INSERT..INTO, DELETE..FROM,
#   ASCII(..SELECT, UPDATE..SET.
# Triage notes:
#   * /index.php? combined with "f=", "us=" or "ps=" is not specific to this product. The
#     parameter strings are unanchored substrings, so longer names ending the same way (for
#     example "ref=" or "status=") satisfy them. Expect these sids to fire on unrelated
#     applications; confirm the target runs SmE FileMailer before attributing an alert to the CVE.
#   * Except for sid 2005526, the matches carry no distance/within: path, parameter name and
#     keyword may appear anywhere in the URI in any order.
#   * Only the URI buffer is inspected (uricontent or http_uri, pcre /U); request bodies are
#     not covered.
#   * The UNION SELECT pattern requires whitespace between the two keywords (\s+).
#   * NOTE(review): uricontent is the older spelling of the URI-buffer match; confirm the deployed
#     engine version still accepts it.

# index.php ps
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005518; classtype:web-application-attack; sid:2005518; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005519; classtype:web-application-attack; sid:2005519; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005520; classtype:web-application-attack; sid:2005520; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005521; classtype:web-application-attack; sid:2005521; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005522; classtype:web-application-attack; sid:2005522; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005523; classtype:web-application-attack; sid:2005523; rev:5;)

# index.php us
# sid 2005526 (us INSERT, rev:8) is written differently from its siblings: content + http_uri
# chained with distance:0, so /index.php?, us=, INSERT and INTO must appear in that order, and
# there is no pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005524; classtype:web-application-attack; sid:2005524; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005525; classtype:web-application-attack; sid:2005525; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005527; classtype:web-application-attack; sid:2005527; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005528; classtype:web-application-attack; sid:2005528; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005529; classtype:web-application-attack; sid:2005529; rev:5;)

# index.php f
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005530; classtype:web-application-attack; sid:2005530; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005531; classtype:web-application-attack; sid:2005531; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005532; classtype:web-application-attack; sid:2005532; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005533; classtype:web-application-attack; sid:2005533; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005534; classtype:web-application-attack; sid:2005534; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005535; classtype:web-application-attack; sid:2005535; rev:5;)

# index.php code
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005536; classtype:web-application-attack; sid:2005536; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005537; classtype:web-application-attack; sid:2005537; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005538; classtype:web-application-attack; sid:2005538; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005539; classtype:web-application-attack; sid:2005539; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005540; classtype:web-application-attack; sid:2005540; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"code="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005541; classtype:web-application-attack; sid:2005541; rev:5;)

# dl.php code
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005542; classtype:web-application-attack; sid:2005542; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005543; classtype:web-application-attack; sid:2005543; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005544; classtype:web-application-attack; sid:2005544; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005545; classtype:web-application-attack; sid:2005545; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005546; classtype:web-application-attack; sid:2005546; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"code="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005547; classtype:web-application-attack; sid:2005547; rev:5;)

# dl.php f (SELECT, UNION SELECT and INSERT are in this excerpt)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005548; classtype:web-application-attack; sid:2005548; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005549; classtype:web-application-attack; sid:2005549; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005550; classtype:web-application-attack; sid:2005550; rev:5;)
# The next rule's header starts on the line below and continues past this excerpt.
alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005551; classtype:web-application-attack; sid:2005551; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005552; classtype:web-application-attack; sid:2005552; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"f="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005553; classtype:web-application-attack; sid:2005553; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005554; classtype:web-application-attack; sid:2005554; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt 
-- dl.php us UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005555; classtype:web-application-attack; sid:2005555; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005556; classtype:web-application-attack; sid:2005556; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005557; classtype:web-application-attack; sid:2005557; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005558; classtype:web-application-attack; sid:2005558; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"us="; 
nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005559; classtype:web-application-attack; sid:2005559; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005560; classtype:web-application-attack; sid:2005560; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UNION SELECT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005561; classtype:web-application-attack; sid:2005561; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps INSERT"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005562; classtype:web-application-attack; sid:2005562; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps DELETE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; 
reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005563; classtype:web-application-attack; sid:2005563; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps ASCII"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005564; classtype:web-application-attack; sid:2005564; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE"; flow:established,to_server; uricontent:"/dl.php?"; nocase; uricontent:"ps="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005566; classtype:web-application-attack; sid:2005566; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005567; classtype:web-application-attack; sid:2005567; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005568; 
classtype:web-application-attack; sid:2005568; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005569; classtype:web-application-attack; sid:2005569; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; fast_pattern; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005571; classtype:web-application-attack; sid:2005571; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005572; classtype:web-application-attack; sid:2005572; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name SELECT"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005573; classtype:web-application-attack; sid:2005573; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UNION SELECT"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005574; classtype:web-application-attack; sid:2005574; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name INSERT"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005575; classtype:web-application-attack; sid:2005575; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name DELETE"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005576; 
classtype:web-application-attack; sid:2005576; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ASCII"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005577; classtype:web-application-attack; sid:2005577; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; content:"xuser_name="; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005578; classtype:web-application-attack; sid:2005578; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did SELECT"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005579; classtype:web-application-attack; sid:2005579; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UNION SELECT"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; 
reference:url,doc.emergingthreats.net/2005580; classtype:web-application-attack; sid:2005580; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did INSERT"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005581; classtype:web-application-attack; sid:2005581; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did DELETE"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005582; classtype:web-application-attack; sid:2005582; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ASCII"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005583; classtype:web-application-attack; sid:2005583; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE"; flow:established,to_server; content:"/public/code/cp_downloads.php?"; nocase; http_uri; content:"did="; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; 
reference:url,doc.emergingthreats.net/2005584; classtype:web-application-attack; sid:2005584; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat SELECT"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005585; classtype:web-application-attack; sid:2005585; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UNION SELECT"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005586; classtype:web-application-attack; sid:2005586; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat INSERT"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005587; classtype:web-application-attack; sid:2005587; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat DELETE"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; 
reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005588; classtype:web-application-attack; sid:2005588; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat ASCII"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005589; classtype:web-application-attack; sid:2005589; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE"; flow:established,to_server; uricontent:"/blocks/block-Old_Articles.php?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005590; classtype:web-application-attack; sid:2005590; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id SELECT"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005591; classtype:web-application-attack; sid:2005591; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UNION SELECT"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; 
http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005592; classtype:web-application-attack; sid:2005592; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id INSERT"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005593; classtype:web-application-attack; sid:2005593; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id DELETE"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005594; classtype:web-application-attack; sid:2005594; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id ASCII"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005595; classtype:web-application-attack; sid:2005595; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE"; flow:established,to_server; content:"/visu_user.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; 
nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005596; classtype:web-application-attack; sid:2005596; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id SELECT"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005597; classtype:web-application-attack; sid:2005597; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UNION SELECT"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005598; classtype:web-application-attack; sid:2005598; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id INSERT"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005599; classtype:web-application-attack; sid:2005599; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id DELETE"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; 
pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005600; classtype:web-application-attack; sid:2005600; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id ASCII"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005601; classtype:web-application-attack; sid:2005601; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE"; flow:established,to_server; uricontent:"/etkinlikbak.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005602; classtype:web-application-attack; sid:2005602; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id SELECT"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005603; classtype:web-application-attack; sid:2005603; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UNION SELECT"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; 
reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005604; classtype:web-application-attack; sid:2005604; rev:7;)
# MiNT Haber Sistemi, duyuru.asp "id" parameter (CVE-2007-0304), one signature per SQL keyword pair.
# Each rule needs three case-insensitive matches in the normalized request URI ("/duyuru.asp?",
# "id=", the keyword) and then a pcre on the same buffer (the U flag). The matches are not tied to
# each other by position, so the keyword does not have to sit inside the id value; a benign URI that
# merely contains both words also matches.
# Only the URI is inspected: the same payload carried in a request body is not covered by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id INSERT"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005605; classtype:web-application-attack; sid:2005605; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id DELETE"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005606; classtype:web-application-attack; sid:2005606; rev:6;)
# "ASCII" variant: the content match is on SELECT; the pcre then requires "ASCII(" earlier in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ASCII"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005607; classtype:web-application-attack; sid:2005607; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE"; flow:established,to_server; content:"/duyuru.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005608; classtype:web-application-attack; sid:2005608; rev:6;)
# Xtreme ASP Photo Gallery, displaypic.asp "sortorder" parameter (CVE-2006-6937).
# Same six-keyword layout (SELECT, UNION SELECT, INSERT, DELETE, ASCII(, UPDATE), written with the
# legacy uricontent keyword, which inspects the normalized URI as content + http_uri does.
# NOTE(review): confirm the target engine still accepts uricontent before deploying these unchanged.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder SELECT"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005609; classtype:web-application-attack; sid:2005609; rev:5;)
# UNION\s+SELECT requires whitespace between the two keywords; other separators are not matched.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UNION SELECT"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005610; classtype:web-application-attack; sid:2005610; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder INSERT"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005611; classtype:web-application-attack; sid:2005611; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder DELETE"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005612; classtype:web-application-attack; sid:2005612; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder ASCII"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005613; classtype:web-application-attack; sid:2005613; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE"; flow:established,to_server; uricontent:"/displaypic.asp?"; nocase; uricontent:"sortorder="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005614; classtype:web-application-attack; sid:2005614; rev:5;)
# Ezboxx Portal System Beta, /boxx/ShowAppendix.asp "iid" parameter (CVE-2007-0266).
# flow:established,to_server limits matching to client-to-server data on an established session.
# $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS are not defined in the visible rules, so coverage
# depends on how the sensor configuration sets them.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid SELECT"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005615; classtype:web-application-attack; sid:2005615; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UNION SELECT"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; 
nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005616; classtype:web-application-attack; sid:2005616; rev:6;)
# Ezboxx Portal System Beta, /boxx/ShowAppendix.asp "iid" parameter (CVE-2007-0266):
# INSERT, DELETE, ASCII( and UPDATE variants. All content matches are case-insensitive and run
# against the normalized request URI (http_uri); the pcre U flag selects the same buffer.
# The path, the parameter name and the keyword are matched independently, so the keyword is not
# required to sit inside the iid value. A request body is never inspected by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid INSERT"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005617; classtype:web-application-attack; sid:2005617; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid DELETE"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005618; classtype:web-application-attack; sid:2005618; rev:6;)
# "ASCII" variant: the content match is on SELECT; the pcre then requires "ASCII(" earlier in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ASCII"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005619; classtype:web-application-attack; sid:2005619; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE"; flow:established,to_server; content:"/boxx/ShowAppendix.asp?"; nocase; http_uri; content:"iid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005620; classtype:web-application-attack; sid:2005620; rev:6;)
# Portix-PHP (per msg), /simplog/archive.php "blogid" parameter (CVE-2006-6935), six keyword variants.
# Written with the legacy uricontent keyword, which inspects the normalized URI.
# NOTE(review): the msg names Portix-PHP while the matched path is under /simplog/ — check the
# product label against the referenced advisory so the alert text does not mislead triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005621; classtype:web-application-attack; sid:2005621; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UNION SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005622; classtype:web-application-attack; sid:2005622; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid INSERT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005623; classtype:web-application-attack; sid:2005623; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid DELETE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005624; classtype:web-application-attack; sid:2005624; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid ASCII"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005625; classtype:web-application-attack; sid:2005625; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005626; classtype:web-application-attack; sid:2005626; rev:5;)
# Same script, "pid" parameter. "pid=" is matched anywhere in the URI, not as a whole parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005627; classtype:web-application-attack; sid:2005627; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UNION SELECT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005628; classtype:web-application-attack; sid:2005628; rev:5;)
# Portix-PHP (per msg), /simplog/archive.php "pid" parameter (CVE-2006-6935): INSERT, DELETE,
# ASCII( and UPDATE variants. uricontent is the legacy keyword for a match on the normalized URI;
# the pcre U flag selects the same buffer. Path, parameter name and keyword are matched
# independently of each other, and nothing outside the URI (e.g. a request body) is inspected.
# NOTE(review): the msg names Portix-PHP while the matched path is under /simplog/ — check the
# product label against the referenced advisory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid INSERT"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005629; classtype:web-application-attack; sid:2005629; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid DELETE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005630; classtype:web-application-attack; sid:2005630; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid ASCII"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005631; classtype:web-application-attack; sid:2005631; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE"; flow:established,to_server; uricontent:"/simplog/archive.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005632; classtype:web-application-attack; sid:2005632; rev:5;)
# Same CVE, /simplog/index.php "blogid" parameter, six keyword variants.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid SELECT"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005633; classtype:web-application-attack; sid:2005633; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UNION SELECT"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005634; classtype:web-application-attack; sid:2005634; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid INSERT"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005635; classtype:web-application-attack; sid:2005635; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid DELETE"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005636; classtype:web-application-attack; sid:2005636; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid ASCII"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005637; classtype:web-application-attack; sid:2005637; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE"; flow:established,to_server; uricontent:"/simplog/index.php?"; nocase; uricontent:"blogid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005638; classtype:web-application-attack; sid:2005638; rev:5;)
# Image Gallery with Access Database, dispimage.asp "id" parameter (CVE-2006-6932).
# Written as content + http_uri rather than uricontent; both forms match on the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id SELECT"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005639; classtype:web-application-attack; sid:2005639; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UNION 
SELECT"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005640; classtype:web-application-attack; sid:2005640; rev:6;)
# Image Gallery with Access Database, dispimage.asp "id" parameter (CVE-2006-6932):
# INSERT, DELETE, ASCII( and UPDATE variants. Every match is case-insensitive and runs on the
# normalized request URI; path, parameter name and keyword are matched independently, so the
# keyword need not be inside the id value. A request body is not inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id INSERT"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005641; classtype:web-application-attack; sid:2005641; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id DELETE"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005642; classtype:web-application-attack; sid:2005642; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id ASCII"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005643; classtype:web-application-attack; sid:2005643; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE"; flow:established,to_server; content:"/dispimage.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005644; classtype:web-application-attack; sid:2005644; rev:6;)
# Same product, default.asp "order" parameter. "/default.asp?" and "order=" are generic strings,
# so these rules can fire on any ASP application behind $HTTP_SERVERS whose URI contains them
# together with the keyword pair; confirm the product is actually deployed before acting on a hit.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005645; classtype:web-application-attack; sid:2005645; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005646; classtype:web-application-attack; sid:2005646; rev:6;)
# NOTE(review): sid 2005647 is the only rule in this group written with uricontent (rev:5); its
# siblings 2005645-2005650 use content + http_uri (rev:6). Both forms inspect the normalized URI,
# so the match looks equivalent — confirm, and confirm the target engine accepts uricontent.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"order="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005647; classtype:web-application-attack; sid:2005647; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005648; classtype:web-application-attack; sid:2005648; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005649; classtype:web-application-attack; sid:2005649; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"order="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005650; classtype:web-application-attack; sid:2005650; rev:6;)
# Same script, "page" parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005651; 
classtype:web-application-attack; sid:2005651; rev:6;)
# Image Gallery with Access Database, default.asp "page" parameter (CVE-2006-6932).
# "/default.asp?" and "page=" are generic strings matched independently on the normalized URI,
# so any ASP application behind $HTTP_SERVERS whose URI contains them plus the keyword pair matches.
# Only the URI is inspected; a payload carried in a request body is not covered by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005652; classtype:web-application-attack; sid:2005652; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005653; classtype:web-application-attack; sid:2005653; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005654; classtype:web-application-attack; sid:2005654; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005655; classtype:web-application-attack; sid:2005655; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005656; classtype:web-application-attack; sid:2005656; rev:6;)
# WordPress, wp-trackback.php (CVE-2007-0233). No parameter name is required here: the script
# path plus the keyword pair anywhere in the normalized URI is enough to match.
# uricontent is the legacy keyword for a match on the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005657; classtype:web-application-attack; sid:2005657; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005658; classtype:web-application-attack; sid:2005658; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005659; classtype:web-application-attack; sid:2005659; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005660; classtype:web-application-attack; sid:2005660; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005661; classtype:web-application-attack; sid:2005661; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005662; classtype:web-application-attack; sid:2005662; rev:5;)
# uniForum, wbsearch.aspx (CVE-2007-0226). As with the WordPress rules above, no parameter name
# is matched; a search page is a place where ordinary user input may legitimately contain words
# such as "select ... from", so review hits against the web server log before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005663; classtype:web-application-attack; sid:2005663; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; 
uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005664; classtype:web-application-attack; sid:2005664; rev:5;)
# uniForum, wbsearch.aspx (CVE-2007-0226): INSERT, DELETE, ASCII( and UPDATE variants.
# No parameter name is matched: the script path plus the keyword pair anywhere in the normalized
# URI is enough. uricontent is the legacy keyword for a match on the normalized URI and the pcre
# U flag selects the same buffer; nothing outside the URI (e.g. a request body) is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005665; classtype:web-application-attack; sid:2005665; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005666; classtype:web-application-attack; sid:2005666; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005667; classtype:web-application-attack; sid:2005667; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE"; flow:established,to_server; uricontent:"/wbsearch.aspx?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005668; classtype:web-application-attack; sid:2005668; rev:5;)
# VP-ASP Shopping Cart, shopgiftregsearch.asp "LoginLastname" parameter (CVE-2007-0224).
# Path, parameter name and keyword are matched independently, so the keyword is not required to
# sit inside the LoginLastname value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname SELECT"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005669; classtype:web-application-attack; sid:2005669; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UNION SELECT"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005670; classtype:web-application-attack; sid:2005670; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname INSERT"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005671; classtype:web-application-attack; sid:2005671; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname DELETE"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005672; classtype:web-application-attack; sid:2005672; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname ASCII"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005673; classtype:web-application-attack; sid:2005673; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE"; flow:established,to_server; uricontent:"/shopgiftregsearch.asp?"; nocase; uricontent:"LoginLastname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005674; classtype:web-application-attack; sid:2005674; rev:5;)
# Nicola Asuni All In One Control Panel (AIOCP), /shared/code/cp_functions_downloads.php
# "download_category" parameter (CVE-2007-0223).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category SELECT"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005675; classtype:web-application-attack; sid:2005675; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UNION SELECT"; flow:established,to_server; 
uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005676; classtype:web-application-attack; sid:2005676; rev:5;)
# Nicola Asuni All In One Control Panel (AIOCP), /shared/code/cp_functions_downloads.php
# "download_category" parameter (CVE-2007-0223): INSERT, DELETE, ASCII( and UPDATE variants.
# uricontent is the legacy keyword for a case-insensitive match on the normalized request URI;
# the pcre U flag selects the same buffer. Path, parameter name and keyword are matched
# independently, and a request body is not inspected.
# These signatures flag an attempt, not a successful injection; correlate with server-side logs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category INSERT"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005677; classtype:web-application-attack; sid:2005677; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category DELETE"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005678; classtype:web-application-attack; sid:2005678; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category ASCII"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005679; classtype:web-application-attack; sid:2005679; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE"; flow:established,to_server; uricontent:"/shared/code/cp_functions_downloads.php?"; nocase; uricontent:"download_category="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005680; classtype:web-application-attack; sid:2005680; rev:5;)
# Rapid Classified, viewad.asp "id" parameter (CVE-2006-6930), six keyword variants.
# "id=" is matched anywhere in the URI, so it also matches inside longer parameter names.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id SELECT"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005681; classtype:web-application-attack; sid:2005681; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UNION SELECT"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005682; classtype:web-application-attack; sid:2005682; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id INSERT"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005683; classtype:web-application-attack; sid:2005683; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id DELETE"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005684; classtype:web-application-attack; sid:2005684; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id ASCII"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005685; classtype:web-application-attack; sid:2005685; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE"; flow:established,to_server; uricontent:"/viewad.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005686; classtype:web-application-attack; sid:2005686; rev:5;)
# Rialto, listfull.asp "ID" parameter (CVE-2006-6927). nocase applies to "ID=" as well, so the
# lower-case spelling of the parameter name matches too.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID SELECT"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005687; classtype:web-application-attack; sid:2005687; rev:5;)
alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005688; classtype:web-application-attack; sid:2005688; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID INSERT"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005689; classtype:web-application-attack; sid:2005689; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID DELETE"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005690; classtype:web-application-attack; sid:2005690; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID ASCII"; flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005691; classtype:web-application-attack; sid:2005691; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE"; 
flow:established,to_server; uricontent:"/listfull.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005692; classtype:web-application-attack; sid:2005692; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID SELECT"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005693; classtype:web-application-attack; sid:2005693; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005694; classtype:web-application-attack; sid:2005694; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID INSERT"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005695; classtype:web-application-attack; sid:2005695; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID DELETE"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; 
pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005696; classtype:web-application-attack; sid:2005696; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID ASCII"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005697; classtype:web-application-attack; sid:2005697; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE"; flow:established,to_server; uricontent:"/printmain.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005698; classtype:web-application-attack; sid:2005698; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005699; classtype:web-application-attack; sid:2005699; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; 
reference:url,doc.emergingthreats.net/2005700; classtype:web-application-attack; sid:2005700; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005701; classtype:web-application-attack; sid:2005701; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005702; classtype:web-application-attack; sid:2005702; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005703; classtype:web-application-attack; sid:2005703; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE"; flow:established,to_server; uricontent:"/listmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005704; classtype:web-application-attack; sid:2005704; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005705; classtype:web-application-attack; sid:2005705; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005706; classtype:web-application-attack; sid:2005706; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005707; classtype:web-application-attack; sid:2005707; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005708; classtype:web-application-attack; sid:2005708; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- 
searchoption.asp cat ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005709; classtype:web-application-attack; sid:2005709; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005710; classtype:web-application-attack; sid:2005710; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005711; classtype:web-application-attack; sid:2005711; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005712; classtype:web-application-attack; sid:2005712; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat INSERT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; 
uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005713; classtype:web-application-attack; sid:2005713; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat DELETE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005714; classtype:web-application-attack; sid:2005714; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat ASCII"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005715; classtype:web-application-attack; sid:2005715; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005716; classtype:web-application-attack; sid:2005716; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; 
reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005717; classtype:web-application-attack; sid:2005717; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UNION SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005718; classtype:web-application-attack; sid:2005718; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword INSERT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005719; classtype:web-application-attack; sid:2005719; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword DELETE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005720; classtype:web-application-attack; sid:2005720; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword ASCII"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; 
reference:url,doc.emergingthreats.net/2005721; classtype:web-application-attack; sid:2005721; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"Keyword="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005722; classtype:web-application-attack; sid:2005722; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005723; classtype:web-application-attack; sid:2005723; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UNION SELECT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005724; classtype:web-application-attack; sid:2005724; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area INSERT"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005725; classtype:web-application-attack; sid:2005725; rev:5;) 
# Rialto SQL-injection signatures (CVE-2006-6927), one rule per line.
# Every rule here uses the same template: three case-insensitive uricontent
# matches (script path, parameter name, one SQL keyword), then a pcre with the
# U (decoded URI buffer) and i flags that confirms a keyword pair.
#  - All matches are on the request URI, so the same keywords sent in a POST
#    body or a cookie are not inspected by these signatures.
#  - The uricontent matches carry no distance/within, so the keyword may sit
#    anywhere in the URI rather than in the named parameter's value. Triage
#    alerts against the full URI before escalating.
#  - The "ASCII" variants prefilter on "SELECT"; only the pcre requires
#    "ASCII(" to precede it.
#  - Coverage depends on $HTTP_SERVERS and $HTTP_PORTS describing the real web
#    tier. The msg text says "Attempt": an alert is not evidence of success.
#  - NOTE(review): uricontent is the legacy form of a URI-buffer content match;
#    confirm the deployed engine version still accepts it before loading.

# Rialto -- searchmain.asp, area; DELETE, ASCII and UPDATE variants.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area DELETE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005726; classtype:web-application-attack; sid:2005726; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area ASCII"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005727; classtype:web-application-attack; sid:2005727; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE"; flow:established,to_server; uricontent:"/searchmain.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005728; classtype:web-application-attack; sid:2005728; rev:5;)

# Rialto -- searchoption.asp, area; sids 2005729-2005734.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005729; classtype:web-application-attack; sid:2005729; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005730; classtype:web-application-attack; sid:2005730; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005731; classtype:web-application-attack; sid:2005731; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005732; classtype:web-application-attack; sid:2005732; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005733; classtype:web-application-attack; sid:2005733; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"area="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005734; classtype:web-application-attack; sid:2005734; rev:5;)

# Rialto -- searchkey.asp, searchin; sids 2005735-2005741.
# NOTE(review): sid 2005737 does not appear between 2005736 and 2005738 in this
# listing; confirm against the upstream ruleset whether it was retired.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005735; classtype:web-application-attack; sid:2005735; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UNION SELECT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005736; classtype:web-application-attack; sid:2005736; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin INSERT"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005738; classtype:web-application-attack; sid:2005738; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin DELETE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005739; classtype:web-application-attack; sid:2005739; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin ASCII"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005740; classtype:web-application-attack; sid:2005740; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE"; flow:established,to_server; uricontent:"/searchkey.asp?"; nocase; uricontent:"searchin="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005741; classtype:web-application-attack; sid:2005741; rev:5;)

# Rialto -- searchoption.asp, cost1; sids 2005742-2005747.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005742; classtype:web-application-attack; sid:2005742; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005743; classtype:web-application-attack; sid:2005743; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005744; classtype:web-application-attack; sid:2005744; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005745; classtype:web-application-attack; sid:2005745; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005746; classtype:web-application-attack; sid:2005746; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost1="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005747; classtype:web-application-attack; sid:2005747; rev:5;)

# Rialto -- searchoption.asp, cost2; sids 2005748-2005753.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005748; classtype:web-application-attack; sid:2005748; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005749; classtype:web-application-attack; sid:2005749; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005750; classtype:web-application-attack; sid:2005750; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005751; classtype:web-application-attack; sid:2005751; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005752; classtype:web-application-attack; sid:2005752; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"cost2="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005753; classtype:web-application-attack; sid:2005753; rev:5;)

# Rialto -- searchoption.asp, acreage1; sids 2005754-2005759.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005754; classtype:web-application-attack; sid:2005754; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005755; classtype:web-application-attack; sid:2005755; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005756; classtype:web-application-attack; sid:2005756; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005757; classtype:web-application-attack; sid:2005757; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005758; classtype:web-application-attack; sid:2005758; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"acreage1="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005759; classtype:web-application-attack; sid:2005759; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection 
Attempt -- searchoption.asp squarefeet1 SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005760; classtype:web-application-attack; sid:2005760; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UNION SELECT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005761; classtype:web-application-attack; sid:2005761; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 INSERT"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005762; classtype:web-application-attack; sid:2005762; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 DELETE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005763; classtype:web-application-attack; sid:2005763; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp 
squarefeet1 ASCII"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005764; classtype:web-application-attack; sid:2005764; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE"; flow:established,to_server; uricontent:"/searchoption.asp?"; nocase; uricontent:"squarefeet1="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005765; classtype:web-application-attack; sid:2005765; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk SELECT"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005766; classtype:web-application-attack; sid:2005766; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UNION SELECT"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005767; classtype:web-application-attack; sid:2005767; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk INSERT"; flow:established,to_server; 
uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005768; classtype:web-application-attack; sid:2005768; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk DELETE"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005769; classtype:web-application-attack; sid:2005769; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk ASCII"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005770; classtype:web-application-attack; sid:2005770; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE"; flow:established,to_server; uricontent:"/newsletters/edition.php?"; nocase; uricontent:"tk="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005771; classtype:web-application-attack; sid:2005771; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005772; classtype:web-application-attack; sid:2005772; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005773; classtype:web-application-attack; sid:2005773; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005774; classtype:web-application-attack; sid:2005774; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005775; classtype:web-application-attack; sid:2005775; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"SELECT"; nocase; http_uri; 
pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005776; classtype:web-application-attack; sid:2005776; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005777; classtype:web-application-attack; sid:2005777; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName SELECT"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005778; classtype:web-application-attack; sid:2005778; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UNION SELECT"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005779; classtype:web-application-attack; sid:2005779; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName INSERT"; flow:established,to_server; 
content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005780; classtype:web-application-attack; sid:2005780; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName DELETE"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005781; classtype:web-application-attack; sid:2005781; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName ASCII"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005782; classtype:web-application-attack; sid:2005782; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE"; flow:established,to_server; content:"/admin_check_user.asp?"; nocase; http_uri; content:"txtUserName="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005783; classtype:web-application-attack; sid:2005783; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid SELECT"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005784; classtype:web-application-attack; sid:2005784; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UNION SELECT"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005785; classtype:web-application-attack; sid:2005785; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid INSERT"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005786; classtype:web-application-attack; sid:2005786; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid DELETE"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005787; classtype:web-application-attack; sid:2005787; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid ASCII"; flow:established,to_server; 
uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005788; classtype:web-application-attack; sid:2005788; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE"; flow:established,to_server; uricontent:"/comment.php?"; nocase; uricontent:"subid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005789; classtype:web-application-attack; sid:2005789; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID SELECT"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005790; classtype:web-application-attack; sid:2005790; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UNION SELECT"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005791; classtype:web-application-attack; sid:2005791; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID INSERT"; flow:established,to_server; uricontent:"/orange.asp?"; 
nocase; uricontent:"CatID="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005792; classtype:web-application-attack; sid:2005792; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID DELETE"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005793; classtype:web-application-attack; sid:2005793; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID ASCII"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005794; classtype:web-application-attack; sid:2005794; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE"; flow:established,to_server; uricontent:"/orange.asp?"; nocase; uricontent:"CatID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005795; classtype:web-application-attack; sid:2005795; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; 
content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005796; classtype:web-application-attack; sid:2005796; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005797; classtype:web-application-attack; sid:2005797; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005798; classtype:web-application-attack; sid:2005798; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005799; classtype:web-application-attack; sid:2005799; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; content:"/down.asp?"; 
nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005800; classtype:web-application-attack; sid:2005800; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005801; classtype:web-application-attack; sid:2005801; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; content:"/plugins/user/example.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005802; classtype:web-application-attack; sid:2005802; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id INSERT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005804; classtype:web-application-attack; sid:2005804; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id DELETE"; flow:established,to_server; 
uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005806; classtype:web-application-attack; sid:2005806; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005807; classtype:web-application-attack; sid:2005807; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UNION SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005808; classtype:web-application-attack; sid:2005808; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id ASCII"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005809; classtype:web-application-attack; sid:2005809; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE"; 
flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005810; classtype:web-application-attack; sid:2005810; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005811; classtype:web-application-attack; sid:2005811; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UNION SELECT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005812; classtype:web-application-attack; sid:2005812; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie INSERT"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005813; classtype:web-application-attack; sid:2005813; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie DELETE"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005814; classtype:web-application-attack; sid:2005814; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie ASCII"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005815; classtype:web-application-attack; sid:2005815; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE"; flow:established,to_server; uricontent:"/display_review.php?"; nocase; uricontent:"user_login_cookie="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005816; classtype:web-application-attack; sid:2005816; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id SELECT"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005817; classtype:web-application-attack; sid:2005817; 
rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UNION SELECT"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005818; classtype:web-application-attack; sid:2005818; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id INSERT"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005819; classtype:web-application-attack; sid:2005819; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id DELETE"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005820; classtype:web-application-attack; sid:2005820; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id ASCII"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005821; classtype:web-application-attack; sid:2005821; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE"; flow:established,to_server; uricontent:"/compare_product.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005822; classtype:web-application-attack; sid:2005822; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005823; classtype:web-application-attack; sid:2005823; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005824; classtype:web-application-attack; sid:2005824; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005825; classtype:web-application-attack; sid:2005825; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- 
user.php id DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005826; classtype:web-application-attack; sid:2005826; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005827; classtype:web-application-attack; sid:2005827; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005828; classtype:web-application-attack; sid:2005828; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID SELECT"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005829; classtype:web-application-attack; sid:2005829; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UNION SELECT"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; 
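content:"subcatID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005830; classtype:web-application-attack; sid:2005830; rev:7;)
# NOTE(review): the line above is the tail of sid 2005830 and the last line of this span is the
# head of sid 2005838; both rules continue on adjacent lines and are left exactly as found.
# The complete rules in between are restored to one rule per line, since a rule split across
# lines without a continuation character is not loadable.
#
# LocazoList main.asp "subcatID" (CVE-2007-0129).
# Shape shared by every rule below: inbound only ($EXTERNAL_NET -> $HTTP_SERVERS, to_server),
# three case-insensitive keyword matches on the URI (script path, parameter name, SQL verb),
# then a pcre with the U flag (normalized URI) and i flag that confirms the SQL keyword pair.
# Triage: an alert means the keyword pair appeared in a request URI; it does not show that the
# query reached the database. Confirm against web-server and database logs. Requests that
# originate inside $HOME_NET are not covered by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID INSERT"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005831; classtype:web-application-attack; sid:2005831; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID DELETE"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005832; classtype:web-application-attack; sid:2005832; rev:7;)
# "ASCII" variant: the keyword match is SELECT, and the pcre requires "ASCII(" earlier in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID ASCII"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005833; classtype:web-application-attack; sid:2005833; rev:7;)
# sid 2005834 was the only LocazoList rule in this span still written with the deprecated
# uricontent keyword. It is rewritten as content + http_uri to match its siblings; both forms
# inspect the normalized URI.
# NOTE(review): this is a local edit to an upstream rule. Record it in your local-modification
# tracking so a ruleset update does not silently revert it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE"; flow:established,to_server; content:"/main.asp?"; nocase; http_uri; content:"subcatID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005834; classtype:web-application-attack; sid:2005834; rev:6;)
#
# Digirez info_book.asp "book_id" (CVE-2007-0128). Same rule shape as above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id SELECT"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005835; classtype:web-application-attack; sid:2005835; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UNION SELECT"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005836; classtype:web-application-attack; sid:2005836; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id INSERT"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005837; classtype:web-application-attack; sid:2005837; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id DELETE"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; 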
content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005838; classtype:web-application-attack; sid:2005838; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id ASCII"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005839; classtype:web-application-attack; sid:2005839; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE"; flow:established,to_server; content:"/info_book.asp?"; nocase; http_uri; content:"book_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005840; classtype:web-application-attack; sid:2005840; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat SELECT"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005841; classtype:web-application-attack; sid:2005841; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UNION SELECT"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; 
content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005842; classtype:web-application-attack; sid:2005842; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005843; classtype:web-application-attack; sid:2005843; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat DELETE"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005844; classtype:web-application-attack; sid:2005844; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ASCII"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005845; classtype:web-application-attack; sid:2005845; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE"; flow:established,to_server; content:"/albmgr.php?"; nocase; http_uri; content:"cat="; nocase; 
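http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005846; classtype:web-application-attack; sid:2005846; rev:6;)
# NOTE(review): the line above is the tail of sid 2005846 and the last line of this span is the
# head of sid 2005854; both rules continue on adjacent lines and are left exactly as found.
# The complete rules in between are restored to one rule per line, since a rule split across
# lines without a continuation character is not loadable.
#
# Coppermine Photo Gallery usermgr.php "gid" (CVE-2007-0122).
# Shape shared by every rule below: inbound only ($EXTERNAL_NET -> $HTTP_SERVERS, to_server),
# three case-insensitive keyword matches on the URI (script path, parameter name, SQL verb),
# then a pcre with the U flag (normalized URI) and i flag that confirms the SQL keyword pair.
# Triage: an alert means the keyword pair appeared in a request URI; it does not show that the
# query reached the database. Confirm against web-server and database logs. Requests that
# originate inside $HOME_NET are not covered by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid SELECT"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005847; classtype:web-application-attack; sid:2005847; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UNION SELECT"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005848; classtype:web-application-attack; sid:2005848; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid INSERT"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005849; classtype:web-application-attack; sid:2005849; rev:6;)
# sid 2005850: the "gid=" match had no http_uri modifier, so it ran against the raw payload
# while the other two keyword matches and the /U pcre inspect the normalized URI. http_uri is
# added so that all three matches use the same buffer, as in every sibling rule in this family.
# NOTE(review): this is a local edit to an upstream rule. Record it in your local-modification
# tracking so a ruleset update does not silently revert it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005850; classtype:web-application-attack; sid:2005850; rev:6;)
# "ASCII" variant: the keyword match is SELECT, and the pcre requires "ASCII(" earlier in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ASCII"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005851; classtype:web-application-attack; sid:2005851; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE"; flow:established,to_server; content:"/usermgr.php?"; nocase; http_uri; content:"gid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005852; classtype:web-application-attack; sid:2005852; rev:6;)
#
# Coppermine Photo Gallery db_ecard.php "start" (same CVE reference). Same rule shape as above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start SELECT"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005853; classtype:web-application-attack; sid:2005853; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UNION SELECT"; flow:established,to_server; 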
content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005854; classtype:web-application-attack; sid:2005854; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start INSERT"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005855; classtype:web-application-attack; sid:2005855; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start DELETE"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005856; classtype:web-application-attack; sid:2005856; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ASCII"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005857; classtype:web-application-attack; sid:2005857; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php 
start UPDATE"; flow:established,to_server; content:"/db_ecard.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005858; classtype:web-application-attack; sid:2005858; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid SELECT"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005859; classtype:web-application-attack; sid:2005859; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UNION SELECT"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005860; classtype:web-application-attack; sid:2005860; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid INSERT"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005861; classtype:web-application-attack; sid:2005861; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid DELETE"; 
flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005862; classtype:web-application-attack; sid:2005862; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid ASCII"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005863; classtype:web-application-attack; sid:2005863; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE"; flow:established,to_server; content:"/cats.asp?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005864; classtype:web-application-attack; sid:2005864; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id SELECT"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005871; classtype:web-application-attack; sid:2005871; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UNION SELECT"; 
flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005872; classtype:web-application-attack; sid:2005872; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id INSERT"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005873; classtype:web-application-attack; sid:2005873; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id DELETE"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005874; classtype:web-application-attack; sid:2005874; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id ASCII"; flow:established,to_server; uricontent:"/page.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005875; classtype:web-application-attack; sid:2005875; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE"; flow:established,to_server; uricontent:"/page.php?"; nocase; 
uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005876; classtype:web-application-attack; sid:2005876; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id SELECT"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005877; classtype:web-application-attack; sid:2005877; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UNION SELECT"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005878; classtype:web-application-attack; sid:2005878; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id INSERT"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005879; classtype:web-application-attack; sid:2005879; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id DELETE"; flow:established,to_server; 
content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005880; classtype:web-application-attack; sid:2005880; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id ASCII"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005881; classtype:web-application-attack; sid:2005881; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE"; flow:established,to_server; content:"/productdetail.asp?"; nocase; http_uri; content:"product_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005882; classtype:web-application-attack; sid:2005882; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005883; classtype:web-application-attack; sid:2005883; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp 
iPro UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005884; classtype:web-application-attack; sid:2005884; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005885; classtype:web-application-attack; sid:2005885; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005886; classtype:web-application-attack; sid:2005886; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005887; classtype:web-application-attack; sid:2005887; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- 
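detail.asp iPro UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iPro="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005888; classtype:web-application-attack; sid:2005888; rev:6;)

# ---------------------------------------------------------------------------
# ET WEB_SPECIFIC_APPS SQL injection signatures, restored to one rule per line
# (a rule wrapped across physical lines without a continuation does not parse).
#
# Every rule below is inbound ($EXTERNAL_NET -> $HTTP_SERVERS:$HTTP_PORTS),
# client-to-server on an established flow, and matches the request URI only
# (uricontent or content+http_uri, plus a pcre carrying the U modifier).
# Each script/parameter pair gets six rules keyed on a SQL keyword pair:
#   SELECT..FROM, UNION SELECT, INSERT..INTO, DELETE..FROM, ASCII(..SELECT, UPDATE..SET
# All matches are case-insensitive (nocase / pcre i).
#
# NOTE(review): coverage is limited to the URI; a parameter the application
#   reads from the request body is outside these signatures' view. Confirm how
#   each application receives the parameter before relying on them.
# NOTE(review): the keyword pcres are generic (".+" between keywords), so any
#   benign URI on these scripts that happens to carry both words will alert.
# NOTE(review): groups mix the legacy uricontent keyword with
#   content + http_uri; both target the URI buffer. Rule text is left as
#   published so sid/rev still correspond to the upstream rule.
# ---------------------------------------------------------------------------

# Vizayn Haber: /haberdetay.asp, parameter id (CVE-2007-0052), sids 2005889-2005894.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id SELECT"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005889; classtype:web-application-attack; sid:2005889; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UNION SELECT"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005890; classtype:web-application-attack; sid:2005890; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id INSERT"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005891; classtype:web-application-attack; sid:2005891; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id DELETE"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005892; classtype:web-application-attack; sid:2005892; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id ASCII"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005893; classtype:web-application-attack; sid:2005893; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE"; flow:established,to_server; uricontent:"/haberdetay.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005894; classtype:web-application-attack; sid:2005894; rev:5;)

# Digitizing Quote And Ordering System: /search.asp, parameter ordernum (CVE-2006-6911), sids 2005895-2005900.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005895; classtype:web-application-attack; sid:2005895; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005896; classtype:web-application-attack; sid:2005896; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005897; classtype:web-application-attack; sid:2005897; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005898; classtype:web-application-attack; sid:2005898; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005899; classtype:web-application-attack; sid:2005899; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ordernum="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005900; classtype:web-application-attack; sid:2005900; rev:6;)

# PHP-Update: /code/guestadd.php, parameter newmessage (CVE-2006-6880), sids 2005901-2005906.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005901; classtype:web-application-attack; sid:2005901; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005902; classtype:web-application-attack; sid:2005902; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005903; classtype:web-application-attack; sid:2005903; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005904; classtype:web-application-attack; sid:2005904; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005905; classtype:web-application-attack; sid:2005905; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newmessage="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005906; classtype:web-application-attack; sid:2005906; rev:5;)

# PHP-Update: /code/guestadd.php, parameter newname (CVE-2006-6880), sids 2005907-2005912.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005907; classtype:web-application-attack; sid:2005907; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005908; classtype:web-application-attack; sid:2005908; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005909; classtype:web-application-attack; sid:2005909; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005910; classtype:web-application-attack; sid:2005910; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005911; classtype:web-application-attack; sid:2005911; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005912; classtype:web-application-attack; sid:2005912; rev:5;)

# PHP-Update: /code/guestadd.php, parameter newwebsite (CVE-2006-6880), sids 2005913-2005918.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005913; classtype:web-application-attack; sid:2005913; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005914; classtype:web-application-attack; sid:2005914; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005915; classtype:web-application-attack; sid:2005915; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005916; classtype:web-application-attack; sid:2005916; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005917; classtype:web-application-attack; sid:2005917; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newwebsite="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005918; classtype:web-application-attack; sid:2005918; rev:5;)

# PHP-Update: /code/guestadd.php, parameter newemail (CVE-2006-6880), sids 2005919-2005924.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005919; classtype:web-application-attack; sid:2005919; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UNION SELECT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005920; classtype:web-application-attack; sid:2005920; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail INSERT"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005921; classtype:web-application-attack; sid:2005921; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail DELETE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005922; classtype:web-application-attack; sid:2005922; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail ASCII"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005923; classtype:web-application-attack; sid:2005923; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE"; flow:established,to_server; uricontent:"/code/guestadd.php?"; nocase; uricontent:"newemail="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005924; classtype:web-application-attack; sid:2005924; rev:5;)

# eNdonesia: /mod.php, parameter did (CVE-2006-6873), sids 2005925-2005930.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005925; classtype:web-application-attack; sid:2005925; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UNION SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005926; classtype:web-application-attack; sid:2005926; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did INSERT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005927; classtype:web-application-attack; sid:2005927; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did DELETE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005928; classtype:web-application-attack; sid:2005928; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did ASCII"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005929; classtype:web-application-attack; sid:2005929; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"did="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005930; classtype:web-application-attack; sid:2005930; rev:5;)

# eNdonesia: /mod.php, parameter cid (CVE-2006-6873), sids 2005931-2005936.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005931; classtype:web-application-attack; sid:2005931; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UNION SELECT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005932; classtype:web-application-attack; sid:2005932; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid INSERT"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005933; classtype:web-application-attack; sid:2005933; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid DELETE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005934; classtype:web-application-attack; sid:2005934; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid ASCII"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005935; classtype:web-application-attack; sid:2005935; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE"; flow:established,to_server; uricontent:"/mod.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005936; classtype:web-application-attack; sid:2005936; rev:5;)

# Outfront Spooky Login: /login/register.asp, parameter UserUpdate (CVE-2006-6861), sids 2005937-2005942.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate SELECT"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005937; classtype:web-application-attack; sid:2005937; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UNION SELECT"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005938; classtype:web-application-attack; sid:2005938; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate INSERT"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005939; classtype:web-application-attack; sid:2005939; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate DELETE"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005940; classtype:web-application-attack; sid:2005940; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate ASCII"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005941; classtype:web-application-attack; sid:2005941; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE"; flow:established,to_server; uricontent:"/login/register.asp?"; nocase; uricontent:"UserUpdate="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005942; classtype:web-application-attack; sid:2005942; rev:5;)

# Outfront Spooky Login: /includes/a_register.asp (CVE-2006-6861), sids 2005943-2005948.
# These six carry no parameter-name match, so the script path plus the keyword pair anywhere in the URI is enough to alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp SELECT"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005943; classtype:web-application-attack; sid:2005943; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UNION SELECT"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005944; classtype:web-application-attack; sid:2005944; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp INSERT"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005945; classtype:web-application-attack; sid:2005945; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp DELETE"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005946; classtype:web-application-attack; sid:2005946; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp ASCII"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005947; classtype:web-application-attack; sid:2005947; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE"; flow:established,to_server; uricontent:"/includes/a_register.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005948; classtype:web-application-attack; sid:2005948; rev:5;)

# Website Designs For Less Click N Print Coupons: /coupon_detail.asp, parameter key (CVE-2006-6859), sids 2005949-2005954.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key SELECT"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005949; classtype:web-application-attack; sid:2005949; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UNION SELECT"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005950; classtype:web-application-attack; sid:2005950; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key INSERT"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005951; classtype:web-application-attack; sid:2005951; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key DELETE"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005952; classtype:web-application-attack; sid:2005952; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key ASCII"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005953; classtype:web-application-attack; sid:2005953; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005954; classtype:web-application-attack; sid:2005954; rev:6;)

# While You Were Out (WYWO) InOut Board: /phonemessage.asp, parameter num (CVE-2006-6846), sids 2005955-2005960.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num SELECT"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005955; classtype:web-application-attack; sid:2005955; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UNION SELECT"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005956; classtype:web-application-attack; sid:2005956; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num INSERT"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005957; classtype:web-application-attack; sid:2005957; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num DELETE"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005958; classtype:web-application-attack; sid:2005958; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num ASCII"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005959; classtype:web-application-attack; sid:2005959; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE"; flow:established,to_server; content:"/phonemessage.asp?"; http_uri; nocase; content:"num="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005960; classtype:web-application-attack; sid:2005960; rev:6;)

# While You Were Out (WYWO) InOut Board: /faqDsp.asp, parameter catcode (CVE-2006-6846), sids 2005961-2005966.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005961; classtype:web-application-attack; sid:2005961; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005962; classtype:web-application-attack; sid:2005962; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005963; classtype:web-application-attack; sid:2005963; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005964; classtype:web-application-attack; sid:2005964; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005965; classtype:web-application-attack; sid:2005965; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; content:"/faqDsp.asp?"; http_uri; nocase; content:"catcode="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005966; classtype:web-application-attack; sid:2005966; rev:6;)

# phpBB2 Plus: /admin/admin_acronyms.php, parameter id (CVE-2006-6842), sids 2005967-2005972.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005967; classtype:web-application-attack; sid:2005967; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005968; classtype:web-application-attack; sid:2005968; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005969; classtype:web-application-attack; sid:2005969; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005970; classtype:web-application-attack; sid:2005970; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005971; classtype:web-application-attack; sid:2005971; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE"; flow:established,to_server; uricontent:"/admin/admin_acronyms.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005972; classtype:web-application-attack; sid:2005972; rev:5;)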
# Reading guide for the rule groups below.
# Every group holds one rule per SQL keyword pattern: SELECT..FROM, UNION SELECT,
# INSERT..INTO, DELETE..FROM, ASCII(..SELECT, UPDATE..SET.
# Each rule requires three case-insensitive strings in the request URI (script path,
# parameter name, keyword) and then the pcre; the pcre's U flag applies it to the URI
# buffer and i makes it case-insensitive. The "ASCII" variants anchor on the string
# SELECT and rely on the pcre to require "ASCII(" somewhere before it.
# None of the matches is positioned relative to another (no distance/within), so the
# keyword pair only has to occur somewhere in the URI, not necessarily inside the named
# parameter's value, and short parameter names ("w=", "id=") are plain substrings that
# longer parameter names also contain. Keep both in mind when triaging hits.
# Scope: established client-to-server flows from $EXTERNAL_NET to $HTTP_SERVERS on
# $HTTP_PORTS; only the request URI is inspected.
# Some groups use content + http_uri and others uricontent; both forms appear here
# with the same intent of matching in the URI.

# --- Neocrome Land Down Under (LDU): /journal.php, parameter "w" (CVE-2006-6835) ---
# sids 2005973-2005978.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w SELECT"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005973; classtype:web-application-attack; sid:2005973; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UNION SELECT"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005974; classtype:web-application-attack; sid:2005974; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w INSERT"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005975; classtype:web-application-attack; sid:2005975; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w DELETE"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005976; classtype:web-application-attack; sid:2005976; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ASCII"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005977; classtype:web-application-attack; sid:2005977; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE"; flow:established,to_server; content:"/journal.php?"; nocase; http_uri; content:"w="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005978; classtype:web-application-attack; sid:2005978; rev:6;)

# --- aFAQ: /faqDsp.asp, parameter "catcode" (CVE-2006-6831) ---
# sids 2005979-2005984. These look for the same script, parameter and keywords as the
# WYWO InOut Board rules (sids 2005961-2005966); the two sets differ in msg, in the
# CVE and exploit references, and in using uricontent. Presumably a single request
# raises an alert from each set. Confirm on your sensor before counting them as
# separate events.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005979; classtype:web-application-attack; sid:2005979; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005980; classtype:web-application-attack; sid:2005980; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005981; classtype:web-application-attack; sid:2005981; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005982; classtype:web-application-attack; sid:2005982; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005983; classtype:web-application-attack; sid:2005983; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; uricontent:"/faqDsp.asp?"; nocase; uricontent:"catcode="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005984; classtype:web-application-attack; sid:2005984; rev:5;)

# --- Efkan Forum (CVE-2006-6828): three script/parameter pairs ---
# admin.asp "grup" (sids 2005985-2005990), default.asp "id" (2005991-2005996),
# admin.asp "id" (2005997-2006002).
# The script names /admin.asp and /default.asp and the parameter "id" are generic, and
# nothing else in these rules identifies the application, so hits against other
# software that uses the same names can occur. Check what the destination server
# actually runs before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005985; classtype:web-application-attack; sid:2005985; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UNION SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005986; classtype:web-application-attack; sid:2005986; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup INSERT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005987; classtype:web-application-attack; sid:2005987; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup DELETE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005988; classtype:web-application-attack; sid:2005988; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup ASCII"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005989; classtype:web-application-attack; sid:2005989; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005990; classtype:web-application-attack; sid:2005990; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005991; classtype:web-application-attack; sid:2005991; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005992; classtype:web-application-attack; sid:2005992; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005993; classtype:web-application-attack; sid:2005993; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005994; classtype:web-application-attack; sid:2005994; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005995; classtype:web-application-attack; sid:2005995; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005996; classtype:web-application-attack; sid:2005996; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005997; classtype:web-application-attack; sid:2005997; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UNION SELECT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005998; classtype:web-application-attack; sid:2005998; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id INSERT"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005999; classtype:web-application-attack; sid:2005999; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id DELETE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006000; classtype:web-application-attack; sid:2006000; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id ASCII"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006001; classtype:web-application-attack; sid:2006001; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE"; flow:established,to_server; content:"/admin.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006002; classtype:web-application-attack; sid:2006002; rev:6;)

# --- The Address Book (CVE-2006-4575): /user.php, one group per parameter ---
# lastname (sids 2006003-2006008), firstname (2006009-2006014),
# passwordOld (2006015-2006020), passwordNew (2006021-2006026), id (2006027-2006032),
# language (2006033-2006038), defaultLetter (from 2006039).
# All groups share the script match "/user.php?", so one URI that carries several of
# these parameter names together with a keyword pair satisfies a rule in each group.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006003; classtype:web-application-attack; sid:2006003; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006004; classtype:web-application-attack; sid:2006004; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006005; classtype:web-application-attack; sid:2006005; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006006; classtype:web-application-attack; sid:2006006; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006007; classtype:web-application-attack; sid:2006007; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"lastname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006008; classtype:web-application-attack; sid:2006008; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006009; classtype:web-application-attack; sid:2006009; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006010; classtype:web-application-attack; sid:2006010; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006011; classtype:web-application-attack; sid:2006011; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006012; classtype:web-application-attack; sid:2006012; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006013; classtype:web-application-attack; sid:2006013; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"firstname="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006014; classtype:web-application-attack; sid:2006014; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006015; classtype:web-application-attack; sid:2006015; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006016; classtype:web-application-attack; sid:2006016; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006017; classtype:web-application-attack; sid:2006017; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006018; classtype:web-application-attack; sid:2006018; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006019; classtype:web-application-attack; sid:2006019; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordOld="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006020; classtype:web-application-attack; sid:2006020; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006021; classtype:web-application-attack; sid:2006021; rev:5;)
# NOTE(review): sid 2006022 matches "passwordNew=" with a plain content (no http_uri),
# whereas every other Address Book rule here uses uricontent for the parameter name. In
# this one rule the parameter name is therefore looked for in the packet payload rather
# than in the URI buffer, so it can behave differently from its siblings on the same
# request. It is also the only rule of the group at rev:6, so this may be a deliberate
# upstream change. Confirm before aligning it with the others.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; content:"passwordNew="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006022; classtype:web-application-attack; sid:2006022; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006023; classtype:web-application-attack; sid:2006023; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006024; classtype:web-application-attack; sid:2006024; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006025; classtype:web-application-attack; sid:2006025; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"passwordNew="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006026; classtype:web-application-attack; sid:2006026; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006027; classtype:web-application-attack; sid:2006027; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006028; classtype:web-application-attack; sid:2006028; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006029; classtype:web-application-attack; sid:2006029; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006030; classtype:web-application-attack; sid:2006030; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006031; classtype:web-application-attack; sid:2006031; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006032; classtype:web-application-attack; sid:2006032; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006033; classtype:web-application-attack; sid:2006033; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006034; classtype:web-application-attack; sid:2006034; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006035; classtype:web-application-attack; sid:2006035; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006036; classtype:web-application-attack; sid:2006036; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006037; classtype:web-application-attack; sid:2006037; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"language="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006038; classtype:web-application-attack; sid:2006038; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006039; classtype:web-application-attack; sid:2006039; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006040; classtype:web-application-attack; sid:2006040; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006041; 
classtype:web-application-attack; sid:2006041; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006042; classtype:web-application-attack; sid:2006042; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006043; classtype:web-application-attack; sid:2006043; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"defaultLetter="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006044; classtype:web-application-attack; sid:2006044; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006045; classtype:web-application-attack; sid:2006045; 
rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006046; classtype:web-application-attack; sid:2006046; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006047; classtype:web-application-attack; sid:2006047; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006048; classtype:web-application-attack; sid:2006048; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006049; classtype:web-application-attack; sid:2006049; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserPass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006050; classtype:web-application-attack; sid:2006050; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006051; classtype:web-application-attack; sid:2006051; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UNION SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006052; classtype:web-application-attack; sid:2006052; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006053; classtype:web-application-attack; sid:2006053; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book 
SQL Injection Attempt -- user.php newuserType DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006054; classtype:web-application-attack; sid:2006054; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006055; classtype:web-application-attack; sid:2006055; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserType="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006056; classtype:web-application-attack; sid:2006056; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006057; classtype:web-application-attack; sid:2006057; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UNION 
SELECT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006058; classtype:web-application-attack; sid:2006058; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail INSERT"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006059; classtype:web-application-attack; sid:2006059; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail DELETE"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006060; classtype:web-application-attack; sid:2006060; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail ASCII"; flow:established,to_server; uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006061; classtype:web-application-attack; sid:2006061; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE"; flow:established,to_server; 
uricontent:"/user.php?"; nocase; uricontent:"newuserEmail="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006062; classtype:web-application-attack; sid:2006062; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006063; classtype:web-application-attack; sid:2006063; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006064; classtype:web-application-attack; sid:2006064; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006065; classtype:web-application-attack; sid:2006065; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"DELETE"; nocase; 
pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006066; classtype:web-application-attack; sid:2006066; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006067; classtype:web-application-attack; sid:2006067; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"goTo="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006068; classtype:web-application-attack; sid:2006068; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006069; classtype:web-application-attack; sid:2006069; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UNION SELECT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; 
reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006070; classtype:web-application-attack; sid:2006070; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search INSERT"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006071; classtype:web-application-attack; sid:2006071; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search DELETE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006072; classtype:web-application-attack; sid:2006072; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search ASCII"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006073; classtype:web-application-attack; sid:2006073; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE"; flow:established,to_server; uricontent:"/search.php?"; nocase; uricontent:"search="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; 
reference:url,doc.emergingthreats.net/2006074; classtype:web-application-attack; sid:2006074; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName SELECT"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006075; classtype:web-application-attack; sid:2006075; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UNION SELECT"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006076; classtype:web-application-attack; sid:2006076; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName INSERT"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006077; classtype:web-application-attack; sid:2006077; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName DELETE"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006078; 
classtype:web-application-attack; sid:2006078; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName ASCII"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006079; classtype:web-application-attack; sid:2006079; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE"; flow:established,to_server; uricontent:"/save.php?"; nocase; uricontent:"groupAddName="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006080; classtype:web-application-attack; sid:2006080; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp SELECT"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006081; classtype:web-application-attack; sid:2006081; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UNION SELECT"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006082; classtype:web-application-attack; sid:2006082; 
rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp INSERT"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006083; classtype:web-application-attack; sid:2006083; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp DELETE"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006084; classtype:web-application-attack; sid:2006084; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp ASCII"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006085; classtype:web-application-attack; sid:2006085; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE"; flow:established,to_server; content:"/set_preferences.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006086; classtype:web-application-attack; sid:2006086; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp SELECT"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006087; classtype:web-application-attack; sid:2006087; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri;content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006088; classtype:web-application-attack; sid:2006088; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp INSERT"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006089; classtype:web-application-attack; sid:2006089; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp DELETE"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006090; classtype:web-application-attack; sid:2006090; rev:6;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp ASCII"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006091; classtype:web-application-attack; sid:2006091; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE"; flow:established,to_server; content:"/send_password_preferences.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006092; classtype:web-application-attack; sid:2006092; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp SELECT"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006093; classtype:web-application-attack; sid:2006093; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UNION SELECT"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006094; classtype:web-application-attack; sid:2006094; rev:6;) alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp INSERT"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006095; classtype:web-application-attack; sid:2006095; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp DELETE"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006096; classtype:web-application-attack; sid:2006096; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp ASCII"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006097; classtype:web-application-attack; sid:2006097; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE"; flow:established,to_server; content:"/SecureLoginManager/list.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006098; classtype:web-application-attack; sid:2006098; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent SELECT"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006099; classtype:web-application-attack; sid:2006099; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UNION SELECT"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006100; classtype:web-application-attack; sid:2006100; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent INSERT"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006101; classtype:web-application-attack; sid:2006101; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent DELETE"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006102; classtype:web-application-attack; sid:2006102; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ASCII"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006103; classtype:web-application-attack; sid:2006103; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE"; flow:established,to_server; content:"/login.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006104; classtype:web-application-attack; sid:2006104; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent SELECT"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006105; classtype:web-application-attack; sid:2006105; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UNION SELECT"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006106; classtype:web-application-attack; sid:2006106; rev:6;) 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent INSERT"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006107; classtype:web-application-attack; sid:2006107; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent DELETE"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006108; classtype:web-application-attack; sid:2006108; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ASCII"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006109; classtype:web-application-attack; sid:2006109; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE"; flow:established,to_server; content:"/content.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006110; 
classtype:web-application-attack; sid:2006110; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent SELECT"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006111; classtype:web-application-attack; sid:2006111; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UNION SELECT"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006112; classtype:web-application-attack; sid:2006112; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent INSERT"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006113; classtype:web-application-attack; sid:2006113; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent DELETE"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; 
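reference:url,doc.emergingthreats.net/2006114; classtype:web-application-attack; sid:2006114; rev:6;)
# DMXReady Secure Login Manager (CVE-2006-6816) -- members.asp, "sent" parameter.
# Each rule requires the script path, the parameter name and one SQL keyword in the
# URI buffer (http_uri), then confirms the keyword pair with a case-insensitive pcre
# on the same buffer (/U). Only the request URI is inspected, not the request body.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ASCII"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006115; classtype:web-application-attack; sid:2006115; rev:6;)
# NOTE(review): the "sent=" match in sid 2006116 had no http_uri modifier, so it was
# evaluated against the raw payload while every sibling rule checks the URI buffer.
# The modifier is added here so the parameter match is made on the same buffer as the
# path and keyword matches. rev is left as published; increment it when this ships.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE"; flow:established,to_server; content:"/members.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006116; classtype:web-application-attack; sid:2006116; rev:6;)
# DMXReady Secure Login Manager (CVE-2006-6816) -- inc_secureloginmanager.asp, "sent" parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent SELECT"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006117; classtype:web-application-attack; sid:2006117; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UNION SELECT"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; 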
content:"sent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006118; classtype:web-application-attack; sid:2006118; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent INSERT"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006119; classtype:web-application-attack; sid:2006119; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent DELETE"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006120; classtype:web-application-attack; sid:2006120; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ASCII"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006121; classtype:web-application-attack; sid:2006121; rev:6;) alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE"; flow:established,to_server; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; http_uri; content:"sent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006122; classtype:web-application-attack; sid:2006122; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006123; classtype:web-application-attack; sid:2006123; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006124; classtype:web-application-attack; sid:2006124; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; 
reference:url,doc.emergingthreats.net/2006125; classtype:web-application-attack; sid:2006125; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006126; classtype:web-application-attack; sid:2006126; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006127; classtype:web-application-attack; sid:2006127; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006128; classtype:web-application-attack; sid:2006128; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent SELECT"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6807; 
reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006129; classtype:web-application-attack; sid:2006129; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UNION SELECT"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006130; classtype:web-application-attack; sid:2006130; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent INSERT"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006131; classtype:web-application-attack; sid:2006131; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent DELETE"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006132; classtype:web-application-attack; sid:2006132; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent ASCII"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6807; 
reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006133; classtype:web-application-attack; sid:2006133; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE"; flow:established,to_server; uricontent:"/list.asp?"; nocase; uricontent:"agent="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006134; classtype:web-application-attack; sid:2006134; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID SELECT"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006135; classtype:web-application-attack; sid:2006135; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UNION SELECT"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006136; classtype:web-application-attack; sid:2006136; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID INSERT"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6806; 
reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006137; classtype:web-application-attack; sid:2006137; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID DELETE"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006138; classtype:web-application-attack; sid:2006138; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID ASCII"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006139; classtype:web-application-attack; sid:2006139; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE"; flow:established,to_server; content:"/newsdetail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006140; classtype:web-application-attack; sid:2006140; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID SELECT"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; 
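reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006141; classtype:web-application-attack; sid:2006141; rev:6;)
# Dragon Business Directory (CVE-2006-6804) -- bus_details.asp, "ID" parameter.
# Each rule requires the script path, the parameter name and one SQL keyword in the
# URI buffer (http_uri), then confirms the keyword pair with a case-insensitive pcre
# on the same buffer (/U). Only the request URI is inspected, not the request body.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UNION SELECT"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006142; classtype:web-application-attack; sid:2006142; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID INSERT"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006143; classtype:web-application-attack; sid:2006143; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID DELETE"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006144; classtype:web-application-attack; sid:2006144; rev:6;)
# NOTE(review): the "ID=" match in sid 2006145 had no http_uri modifier, so it was
# evaluated against the raw payload while every sibling rule checks the URI buffer.
# The modifier is added here so the parameter match is made on the same buffer as the
# path and keyword matches. rev is left as published; increment it when this ships.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006145; classtype:web-application-attack; sid:2006145; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE"; flow:established,to_server; content:"/bus_details.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006146; classtype:web-application-attack; sid:2006146; rev:6;)
# Enthrallweb eCars (CVE-2006-6803) -- Types.asp, "Type_id" parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id SELECT"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006147; classtype:web-application-attack; sid:2006147; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UNION SELECT"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006148; classtype:web-application-attack; sid:2006148; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id INSERT"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; 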
content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006149; classtype:web-application-attack; sid:2006149; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id DELETE"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006150; classtype:web-application-attack; sid:2006150; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id ASCII"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006151; classtype:web-application-attack; sid:2006151; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE"; flow:established,to_server; content:"/Types.asp?"; nocase; http_uri; content:"Type_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006152; classtype:web-application-attack; sid:2006152; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID SELECT"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006153; classtype:web-application-attack; sid:2006153; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UNION SELECT"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006154; classtype:web-application-attack; sid:2006154; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID INSERT"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006155; classtype:web-application-attack; sid:2006155; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID DELETE"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006156; classtype:web-application-attack; sid:2006156; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID ASCII"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; 
content:"Biz_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006157; classtype:web-application-attack; sid:2006157; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE"; flow:established,to_server; content:"/actualpic.asp?"; nocase; http_uri; content:"Biz_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006158; classtype:web-application-attack; sid:2006158; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006159; classtype:web-application-attack; sid:2006159; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006160; classtype:web-application-attack; sid:2006160; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; 
content:"grup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006161; classtype:web-application-attack; sid:2006161; rev:6;)
# ---------------------------------------------------------------------------
# ET WEB_SPECIFIC_APPS: per-application SQL injection signatures.
# Each rule below has the same shape: flow:established,to_server, then URI
# content matches for the script path, the parameter name and an SQL keyword,
# then a pcre with the U and i flags (normalized URI, case-insensitive) that
# requires the keyword pair named in the msg.
# Review notes:
#  - The content matches carry no distance/within, so each may match anywhere
#    in the URI. A short name such as "ID=" or "p=" also matches inside a
#    longer parameter name, and the SQL keyword need not sit in the named
#    parameter; confirm the parameter value during triage.
#  - Only the request URI buffer is inspected (http_uri / uricontent).
#  - The rules apply to traffic from $EXTERNAL_NET to $HTTP_SERVERS on
#    $HTTP_PORTS; check that these variables cover the hosts that run the
#    applications.
#  - An alert records a request that looks like an attempt; it does not show
#    that the target runs the named application or is vulnerable.
# ---------------------------------------------------------------------------

# Efkan Forum -- default.asp, parameter grup (CVE-2006-6794).
# The rule that ends on the first line above is sid 2006161 of this group.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006162; classtype:web-application-attack; sid:2006162; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006163; classtype:web-application-attack; sid:2006163; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"grup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006164; classtype:web-application-attack; sid:2006164; rev:6;)

# Calendar MX BASIC -- calendar_detail.asp, parameter ID (CVE-2006-6792).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID SELECT"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006165; classtype:web-application-attack; sid:2006165; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UNION SELECT"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006166; classtype:web-application-attack; sid:2006166; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID INSERT"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006167; classtype:web-application-attack; sid:2006167; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID DELETE"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006168; classtype:web-application-attack; sid:2006168; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ASCII"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006169; classtype:web-application-attack; sid:2006169; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE"; flow:established,to_server; content:"/calendar_detail.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006170; classtype:web-application-attack; sid:2006170; rev:6;)

# chatwm -- SelGruFra.asp, parameter txtUse (CVE-2006-6791).
# NOTE(review): this group and the txtPas group use the uricontent keyword
# (rev:5) where neighbouring groups use content + http_uri (rev:6); confirm
# that the deployed engine version still accepts uricontent.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006171; classtype:web-application-attack; sid:2006171; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UNION SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006172; classtype:web-application-attack; sid:2006172; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse INSERT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006173; classtype:web-application-attack; sid:2006173; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse DELETE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006174; classtype:web-application-attack; sid:2006174; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse ASCII"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006175; classtype:web-application-attack; sid:2006175; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtUse="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006176; classtype:web-application-attack; sid:2006176; rev:5;)

# chatwm -- SelGruFra.asp, parameter txtPas (CVE-2006-6791).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006177; classtype:web-application-attack; sid:2006177; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UNION SELECT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006178; classtype:web-application-attack; sid:2006178; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas INSERT"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006179; classtype:web-application-attack; sid:2006179; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas DELETE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006180; classtype:web-application-attack; sid:2006180; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas ASCII"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006181; classtype:web-application-attack; sid:2006181; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE"; flow:established,to_server; uricontent:"/SelGruFra.asp?"; nocase; uricontent:"txtPas="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006182; classtype:web-application-attack; sid:2006182; rev:5;)

# Newsletter MX -- /admin/admin_mail_adressee.asp, parameter ID (CVE-2006-6787).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID SELECT"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006183; classtype:web-application-attack; sid:2006183; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UNION SELECT"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006184; classtype:web-application-attack; sid:2006184; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID INSERT"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006185; classtype:web-application-attack; sid:2006185; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID DELETE"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006186; classtype:web-application-attack; sid:2006186; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ASCII"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006187; classtype:web-application-attack; sid:2006187; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE"; flow:established,to_server; content:"/admin/admin_mail_adressee.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006188; classtype:web-application-attack; sid:2006188; rev:6;)

# Future Internet -- index.cfm, parameter newsId (CVE-2006-6776).
# "/index.cfm?" is a generic path, so the three Future Internet groups rely on
# the parameter name and the SQL keywords to narrow the match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006189; classtype:web-application-attack; sid:2006189; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006190; classtype:web-application-attack; sid:2006190; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006191; classtype:web-application-attack; sid:2006191; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006192; classtype:web-application-attack; sid:2006192; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006193; classtype:web-application-attack; sid:2006193; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006194; classtype:web-application-attack; sid:2006194; rev:6;)

# Future Internet -- index.cfm, parameter categoryid (CVE-2006-6776).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006195; classtype:web-application-attack; sid:2006195; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006196; classtype:web-application-attack; sid:2006196; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006197; classtype:web-application-attack; sid:2006197; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006198; classtype:web-application-attack; sid:2006198; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006199; classtype:web-application-attack; sid:2006199; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006200; classtype:web-application-attack; sid:2006200; rev:6;)

# Future Internet -- index.cfm, parameter langId (CVE-2006-6776).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006201; classtype:web-application-attack; sid:2006201; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006202; classtype:web-application-attack; sid:2006202; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006203; classtype:web-application-attack; sid:2006203; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006204; classtype:web-application-attack; sid:2006204; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006205; classtype:web-application-attack; sid:2006205; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"langId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006206; classtype:web-application-attack; sid:2006206; rev:6;)

# Ixprim -- ixm_ixpnews.php, parameter story_id (CVE-2006-6754).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id SELECT"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006207; classtype:web-application-attack; sid:2006207; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UNION SELECT"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006208; classtype:web-application-attack; sid:2006208; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id INSERT"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006209; classtype:web-application-attack; sid:2006209; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id DELETE"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006210; classtype:web-application-attack; sid:2006210; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id ASCII"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006211; classtype:web-application-attack; sid:2006211; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE"; flow:established,to_server; content:"/ixm_ixpnews.php?"; nocase; http_uri; content:"story_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006212; classtype:web-application-attack; sid:2006212; rev:6;)

# Xt-News -- show_news.php, parameter id_news (CVE-2006-6747).
# This group uses uricontent (rev:5), like the chatwm groups.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news SELECT"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006213; classtype:web-application-attack; sid:2006213; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UNION SELECT"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006214; classtype:web-application-attack; sid:2006214; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news INSERT"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006215; classtype:web-application-attack; sid:2006215; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news DELETE"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006216; classtype:web-application-attack; sid:2006216; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news ASCII"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006217; classtype:web-application-attack; sid:2006217; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE"; flow:established,to_server; uricontent:"/show_news.php?"; nocase; uricontent:"id_news="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006218; classtype:web-application-attack; sid:2006218; rev:5;)

# Eric GUILLAUME uploader&downloader -- /administration/administre2.php,
# parameter id_user (CVE-2006-6716).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user SELECT"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006219; classtype:web-application-attack; sid:2006219; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UNION SELECT"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006220; classtype:web-application-attack; sid:2006220; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user INSERT"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006221; classtype:web-application-attack; sid:2006221; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user DELETE"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006222; classtype:web-application-attack; sid:2006222; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user ASCII"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006223; classtype:web-application-attack; sid:2006223; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE"; flow:established,to_server; content:"/administration/administre2.php?"; nocase; http_uri; content:"id_user="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006224; classtype:web-application-attack; sid:2006224; rev:6;)

# MGinternet Property Site Manager -- detail.asp, parameter p (CVE-2006-6709).
# "p=" is two characters and matches the tail of any parameter name ending in
# "p", so the script path and the pcre carry most of the specificity here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006225; classtype:web-application-attack; sid:2006225; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006226; classtype:web-application-attack; sid:2006226; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006227; classtype:web-application-attack; sid:2006227; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006228; classtype:web-application-attack; sid:2006228; rev:6;)
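# MGinternet Property Site Manager (CVE-2006-6709): SQL injection signatures.
# Each rule matches established client-to-server traffic whose URI contains
# the script path, the parameter name and an SQL keyword, then confirms the
# keyword pair with a pcre on the normalized URI (U flag, case-insensitive).
# The content matches are not positioned relative to each other, and the
# two-character names "p=" and "l=" also match the tail of longer parameter
# names; confirm the parameter value when triaging an alert.

# detail.asp, parameter p.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006229; classtype:web-application-attack; sid:2006229; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006230; classtype:web-application-attack; sid:2006230; rev:6;)

# listings.asp, parameter l.
# sid 2006231 was published without the content:"SELECT" match that the
# SELECT rules of the detail.asp group carry. It is added here so the pcre
# runs only on URIs that already contain the keyword. The set of matching
# URIs is unchanged because the pcre itself requires SELECT. rev is left as
# published; bump it if local rule edits are tracked by revision.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006231; classtype:web-application-attack; sid:2006231; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UNION SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006232; classtype:web-application-attack; sid:2006232; rev:6;)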
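# MGinternet Property Site Manager (CVE-2006-6709): listings.asp signatures.
# Each rule matches established client-to-server traffic whose URI contains
# "/listings.asp?", the parameter name and an SQL keyword, then confirms the
# keyword pair with a pcre on the normalized URI (U flag, case-insensitive).
# The content matches are not positioned relative to each other, and short
# names such as "l=" also match the tail of longer parameter names; confirm
# the parameter value when triaging an alert.

# listings.asp, parameter l.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l INSERT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006233; classtype:web-application-attack; sid:2006233; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l DELETE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006234; classtype:web-application-attack; sid:2006234; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ASCII"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006235; classtype:web-application-attack; sid:2006235; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006236; classtype:web-application-attack; sid:2006236; rev:6;)

# listings.asp, parameter typ.
# sid 2006237 was published without the content:"SELECT" match that the
# other keyword rules in this group carry for their keyword. It is added
# here so the pcre runs only on URIs that already contain the keyword. The
# set of matching URIs is unchanged because the pcre itself requires SELECT.
# rev is left as published; bump it if local rule edits are tracked by
# revision.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006237; classtype:web-application-attack; sid:2006237; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UNION SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006238; classtype:web-application-attack; sid:2006238; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ INSERT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006239; classtype:web-application-attack; sid:2006239; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ DELETE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006240; classtype:web-application-attack; sid:2006240; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ASCII"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006241; classtype:web-application-attack; sid:2006241; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"typ="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006242; classtype:web-application-attack; sid:2006242; rev:6;)

# listings.asp, parameter loc.
# sid 2006243 gets the same content:"SELECT" addition as sid 2006237, for the
# same reason and with the same unchanged match set.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006243; classtype:web-application-attack; sid:2006243; rev:6;)
# The next rule continues past this point; it is kept exactly as found.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UNION SELECT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6709; 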
reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006244; classtype:web-application-attack; sid:2006244; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc INSERT"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006245; classtype:web-application-attack; sid:2006245; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc DELETE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006246; classtype:web-application-attack; sid:2006246; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ASCII"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006247; classtype:web-application-attack; sid:2006247; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE"; flow:established,to_server; content:"/listings.asp?"; nocase; http_uri; content:"loc="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; 
pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006248; classtype:web-application-attack; sid:2006248; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006249; classtype:web-application-attack; sid:2006249; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UNION SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006250; classtype:web-application-attack; sid:2006250; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid INSERT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006251; classtype:web-application-attack; sid:2006251; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid DELETE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; 
http_uri; content:"kid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006252; classtype:web-application-attack; sid:2006252; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ASCII"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006253; classtype:web-application-attack; sid:2006253; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006254; classtype:web-application-attack; sid:2006254; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006255; classtype:web-application-attack; sid:2006255; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- 
HABERLER.ASP id UNION SELECT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006256; classtype:web-application-attack; sid:2006256; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id INSERT"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006257; classtype:web-application-attack; sid:2006257; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id DELETE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006258; classtype:web-application-attack; sid:2006258; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ASCII"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006259; classtype:web-application-attack; sid:2006259; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE"; flow:established,to_server; content:"/HABERLER.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006260; classtype:web-application-attack; sid:2006260; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006261; classtype:web-application-attack; sid:2006261; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UNION SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006262; classtype:web-application-attack; sid:2006262; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id INSERT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006263; 
classtype:web-application-attack; sid:2006263; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id DELETE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006264; classtype:web-application-attack; sid:2006264; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ASCII"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006265; classtype:web-application-attack; sid:2006265; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006266; classtype:web-application-attack; sid:2006266; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6672; 
reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006267; classtype:web-application-attack; sid:2006267; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UNION SELECT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006268; classtype:web-application-attack; sid:2006268; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid INSERT"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006269; classtype:web-application-attack; sid:2006269; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid DELETE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006270; classtype:web-application-attack; sid:2006270; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ASCII"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006271; classtype:web-application-attack; sid:2006271; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE"; flow:established,to_server; content:"/ASPKAT.ASP?"; nocase; http_uri; content:"kid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006272; classtype:web-application-attack; sid:2006272; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006273; classtype:web-application-attack; sid:2006273; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006274; classtype:web-application-attack; sid:2006274; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; content:"/down.asp?"; nocase; 
http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006275; classtype:web-application-attack; sid:2006275; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006276; classtype:web-application-attack; sid:2006276; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006277; classtype:web-application-attack; sid:2006277; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; content:"/down.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006278; classtype:web-application-attack; sid:2006278; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; 
uricontent:"nick_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006279; classtype:web-application-attack; sid:2006279; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UNION SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006280; classtype:web-application-attack; sid:2006280; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod INSERT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006281; classtype:web-application-attack; sid:2006281; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod DELETE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006282; classtype:web-application-attack; sid:2006282; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod ASCII"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; 
uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006283; classtype:web-application-attack; sid:2006283; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006284; classtype:web-application-attack; sid:2006284; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006285; classtype:web-application-attack; sid:2006285; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UNION SELECT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006286; classtype:web-application-attack; sid:2006286; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick INSERT"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; 
reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006287; classtype:web-application-attack; sid:2006287; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick DELETE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006288; classtype:web-application-attack; sid:2006288; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick ASCII"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006289; classtype:web-application-attack; sid:2006289; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE"; flow:established,to_server; uricontent:"/repass.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006290; classtype:web-application-attack; sid:2006290; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; 
reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006291; classtype:web-application-attack; sid:2006291; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UNION SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006292; classtype:web-application-attack; sid:2006292; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick INSERT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006293; classtype:web-application-attack; sid:2006293; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick DELETE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006294; classtype:web-application-attack; sid:2006294; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick ASCII"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; 
reference:url,doc.emergingthreats.net/2006295; classtype:web-application-attack; sid:2006295; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006296; classtype:web-application-attack; sid:2006296; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006297; classtype:web-application-attack; sid:2006297; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UNION SELECT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006298; classtype:web-application-attack; sid:2006298; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod INSERT"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006299; 
classtype:web-application-attack; sid:2006299; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod DELETE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006300; classtype:web-application-attack; sid:2006300; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod ASCII"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006301; classtype:web-application-attack; sid:2006301; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE"; flow:established,to_server; uricontent:"/verify.php?"; nocase; uricontent:"nick_mod="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006302; classtype:web-application-attack; sid:2006302; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id SELECT"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006303; classtype:web-application-attack; 
sid:2006303; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UNION SELECT"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006304; classtype:web-application-attack; sid:2006304; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id INSERT"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006305; classtype:web-application-attack; sid:2006305; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id DELETE"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006306; classtype:web-application-attack; sid:2006306; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ASCII"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006307; classtype:web-application-attack; sid:2006307; 
rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE"; flow:established,to_server; content:"/haber.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006308; classtype:web-application-attack; sid:2006308; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid SELECT"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006309; classtype:web-application-attack; sid:2006309; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UNION SELECT"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006310; classtype:web-application-attack; sid:2006310; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid INSERT"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006311; 
classtype:web-application-attack; sid:2006311; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid DELETE"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006312; classtype:web-application-attack; sid:2006312; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid ASCII"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006313; classtype:web-application-attack; sid:2006313; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE"; flow:established,to_server; uricontent:"/utilities/usermessages.asp?"; nocase; uricontent:"mesid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006314; classtype:web-application-attack; sid:2006314; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; 
reference:url,doc.emergingthreats.net/2006315; classtype:web-application-attack; sid:2006315; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006316; classtype:web-application-attack; sid:2006316; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006317; classtype:web-application-attack; sid:2006317; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006318; classtype:web-application-attack; sid:2006318; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6577; 
reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006319; classtype:web-application-attack; sid:2006319; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006320; classtype:web-application-attack; sid:2006320; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID SELECT"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006321; classtype:web-application-attack; sid:2006321; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UNION SELECT"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006322; classtype:web-application-attack; sid:2006322; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID INSERT"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"INSERT"; 
nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006323; classtype:web-application-attack; sid:2006323; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID DELETE"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006324; classtype:web-application-attack; sid:2006324; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ASCII"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006325; classtype:web-application-attack; sid:2006325; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE"; flow:established,to_server; content:"/ProductDetails.asp?"; nocase; http_uri; content:"PID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006326; classtype:web-application-attack; sid:2006326; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; 
content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006327; classtype:web-application-attack; sid:2006327; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UNION SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006328; classtype:web-application-attack; sid:2006328; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006329; classtype:web-application-attack; sid:2006329; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006330; classtype:web-application-attack; sid:2006330; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id ASCII"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; 
http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006331; classtype:web-application-attack; sid:2006331; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006332; classtype:web-application-attack; sid:2006332; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php SELECT"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006333; classtype:web-application-attack; sid:2006333; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UNION SELECT"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006334; classtype:web-application-attack; sid:2006334; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php INSERT"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; 
reference:url,doc.emergingthreats.net/2006335; classtype:web-application-attack; sid:2006335; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php DELETE"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006336; classtype:web-application-attack; sid:2006336; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php ASCII"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006337; classtype:web-application-attack; sid:2006337; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006338; classtype:web-application-attack; sid:2006338; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp SELECT"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006339; classtype:web-application-attack; sid:2006339; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UNION SELECT"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006340; classtype:web-application-attack; sid:2006340; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp INSERT"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006341; classtype:web-application-attack; sid:2006341; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp DELETE"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006342; classtype:web-application-attack; sid:2006342; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp ASCII"; flow:established,to_server; content:"/vdateUsr.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006343; classtype:web-application-attack; sid:2006343; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE"; flow:established,to_server; 
content:"/vdateUsr.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006344; classtype:web-application-attack; sid:2006344; rev:6;)
#
# --- Messageriescripthp: lire-avis.php "aa" parameter SQL injection (CVE-2006-6521), sids 2006345-2006350 ---
# Six inbound rules ($EXTERNAL_NET -> $HTTP_SERVERS), one per SQL keyword pair. Each needs three
# case-insensitive URI content matches (script path, parameter name, keyword) and then a pcre
# evaluated on the normalized URI (/U), case-insensitive (/i).
# Triage notes:
#   - None of the content matches carries distance/within, so the keyword is not tied to the value
#     of aa=; it only has to appear somewhere in the URI. The pcre ".+" likewise allows any text
#     between the two keywords. Expect hits on benign query strings that contain both words.
#   - Only the URI is inspected; a payload carried in a POST body is not covered by these rules.
#   - 2006345/2006346 write "http_uri; nocase;" where the others write "nocase; http_uri;". Both
#     modifiers apply to the preceding content, so this is cosmetic.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; content:"/lire-avis.php?"; http_uri; nocase; content:"aa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006345; classtype:web-application-attack; sid:2006345; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; content:"/lire-avis.php?"; http_uri; nocase; content:"aa="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006346; classtype:web-application-attack; sid:2006346; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006347; classtype:web-application-attack; sid:2006347; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006348; classtype:web-application-attack; sid:2006348; rev:6;)
# The "ASCII" variant keys its content match on SELECT and confirms with ASCII\(.+SELECT, i.e. an
# ASCII( call followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006349; classtype:web-application-attack; sid:2006349; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006350; classtype:web-application-attack; sid:2006350; rev:6;)
#
# --- ProNews: lire-avis.php "aa" parameter SQL injection (CVE-2006-6519), sids 2006351 onward ---
# These rules match the same script path, parameter name, keywords and pcre as the
# Messageriescripthp family above; only msg, CVE and reference URLs differ. A single matching
# request therefore raises one alert from each family. Deduplicate on flow/URI when counting
# incidents, and do not read the msg as identifying which product the target actually runs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006351; classtype:web-application-attack; sid:2006351; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006352; classtype:web-application-attack; sid:2006352; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; content:"/lire-avis.php?"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:6;)
# The remaining ProNews rules (DELETE, ASCII, UPDATE; rev:5) still use the legacy uricontent
# keyword, while the rev:6 rules above use content + http_uri.
# NOTE(review): uricontent is a legacy keyword; confirm that the deployed engine version still
# accepts it, otherwise these three fail to load and the family loses coverage without any alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; uricontent:"/lire-avis.php?"; nocase; uricontent:"aa="; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006354; classtype:web-application-attack; sid:2006354; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; uricontent:"/lire-avis.php?"; nocase; uricontent:"aa="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006355; classtype:web-application-attack; sid:2006355; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; uricontent:"/lire-avis.php?"; nocase; uricontent:"aa="; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; 
reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006356; classtype:web-application-attack; sid:2006356; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent|3a| TEST|0d 0a|"; http_header; content:!"Host|3a 20|messagecenter.comodo.com"; content:!"symantec.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:trojan-activity; sid:2006357; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2006361; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; content:"User-Agent|3a| IBSBand-"; http_header; reference:url,doc.emergingthreats.net/2006362; classtype:trojan-activity; sid:2006362; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer-967 User-Agent"; flow:to_server,established; content:"User-Agent|3a| del|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2006364; classtype:trojan-activity; sid:2006364; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MYURL)"; flow:to_server,established; content:"User-Agent|3a| MYURL|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; classtype:trojan-activity; sid:2006365; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bot Backdoor Checkin/registration Request"; 
flow:established,to_server; content:"/remote.php?"; http_uri; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&version="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2006366; classtype:trojan-activity; sid:2006366; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; content:"User-Agent|3a| atsu|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006370; classtype:trojan-activity; sid:2006370; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x)"; flow:to_server,established; content:"User-Agent|3a| BearShare "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006371; classtype:trojan-activity; sid:2006371; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"; flow:to_server,established; content:"User-Agent|3a| Bittorrent"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006372; classtype:trojan-activity; sid:2006372; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client HTTP Request "; flow:to_server,established; content:"/trackerphp/announce.php?"; nocase; http_uri; content:"?port="; nocase; http_uri; content:"&peer_id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006375; classtype:trojan-activity; sid:2006375; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:trojan-activity; sid:2006377; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET P2P BearShare P2P Gnutella Client HTTP Request "; flow:to_server,established; content:"/gnutella/"; nocase; http_uri; content:"?client=BEAR"; nocase; http_uri; content:"&version="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006379; classtype:trojan-activity; sid:2006379; rev:6;) alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; content:"AskPBar"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskPBar/Hi"; reference:url,doc.emergingthreats.net/2006381; classtype:trojan-activity; sid:2006381; rev:15;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Matcash or related downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| x"; http_header; pcre:"/^User-Agent\: x\w\wx\w\w\!x\w\wx\w\wx\w\w/Hm"; reference:url,doc.emergingthreats.net/2006382; classtype:trojan-activity; sid:2006382; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:trojan-activity; sid:2006386; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; content:"User-Agent|3a| Windows Updates Manager|7c|"; http_header; 
reference:url,doc.emergingthreats.net/2006387; classtype:trojan-activity; sid:2006387; rev:7;)
# --- User-Agent signatures: client requests from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS ---
# Each rule matches a literal User-Agent value in the HTTP header buffer.
# sid:2006388 also requires, via pcre, that the value is "00" followed only by digits up to the CRLF.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (006)"; flow:established,to_server; content:"User-Agent|3a| 00"; http_header; pcre:"/User-Agent\: 00\d+\x0d\x0a/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:trojan-activity; sid:2006388; rev:9;)
# Only this User-Agent rule in the group is case-insensitive (nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poebot Related User Agent (SPM_ID=)"; flow:established,to_server; content:"User-Agent|3a| SPM_ID="; http_header; nocase; reference:url,doc.emergingthreats.net/2006391; classtype:trojan-activity; sid:2006391; rev:4;)
# WTRecover / WTInstaller are prefix matches: nothing anchors the end of the header value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; content:"User-Agent|3a| WTRecover"; http_header; reference:url,doc.emergingthreats.net/2006392; classtype:trojan-activity; sid:2006392; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; content:"User-Agent|3a| WTInstaller"; http_header; reference:url,doc.emergingthreats.net/2006393; classtype:trojan-activity; sid:2006393; rev:8;)
# The trailing |0d 0a| pins the whole header value to exactly "ld"; without it the two-byte value would match any User-Agent starting with "ld".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader User-Agent Detected (ld)"; flow:established,to_server; content:"User-Agent|3a| ld|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006394; classtype:trojan-activity; sid:2006394; rev:6;)
# --- Socks666: two flowbits-chained exchanges, matched on raw TCP payload over $HTTP_PORTS ---
# None of these five rules uses an HTTP keyword. Each requires an exact payload size (dsize)
# and a 4-byte prefix at the start of the payload (offset:0; depth:4).
#   Chain 1: 2006395 client  9a 02 06 00  sets BS.BPcheckin (noalert)
#         -> 2006396 server  9a 02 07 00  needs BS.BPcheckin, sets BS.BPset
#         -> 2006397 client  9a 02 08 00  needs BS.BPset, sets BS.BPcheckin, tags the session for 300 seconds
#   Chain 2: 2006398 client  9a 02 01 00  sets BS.BPcheckin1 (noalert)
#         -> 2006399 server  9a 02 05 00  needs BS.BPcheckin1
# The two noalert rules only arm a flowbit, so alerts come from 2006396, 2006397 and 2006399.
# Disabling 2006395 or 2006398 silences the rest of its chain.
# All five rules carry the same reference URL (.../2006396).
# NOTE(review): dsize is evaluated per packet; confirm how the sensor's stream reassembly treats it before relying on these exact sizes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Socks666 Connection Initial Packet"; flow:established,to_server; dsize:24; content:"|9a 02 06 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006395; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Socks666 Connect Command Packet"; flowbits:isset,BS.BPcheckin; flow:established,from_server; dsize:10; content:"|9a 02 07 00|"; offset:0; depth:4; flowbits:set,BS.BPset; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006396; rev:5;)
# NOTE(review): the msg below repeats the word "Packet"; it is left untouched because alert consumers may key on the exact string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Socks666 Successful Connect Packet Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session,300,seconds; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006397; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Socks666 Checkin Packet"; flow:established,to_server; dsize:30; content:"|9a 02 01 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin1; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006398; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Socks666 Checkin Success Packet"; flowbits:isset,BS.BPcheckin1; flow:established,from_server; dsize:4; content:"|9a 02 05 00|"; offset:0; depth:4; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006399; rev:5;)
# --- Downloader.26001: request-URI parameter sets ---
# The contents carry no distance/within, so the listed substrings may appear in any order in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.26001 Url Pattern Detected"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"wall_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006400; classtype:trojan-activity; sid:2006400; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"lunch_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/2006401; classtype:trojan-activity; sid:2006401; 
rev:4;)
# --- Cleartext HTTP Basic authentication arriving at $HOME_NET ---
# Fires when an inbound request on $HTTP_PORTS carries an "Authorization: Basic" header.
# The negated content skips values containing YW5vbnltb3VzOg== (base64 of "anonymous:") within 32 bytes of the match.
# threshold type both / count 1 / seconds 300 / track by_src: at most one alert per source address per 300 seconds.
# Basic credentials are only base64-encoded, so anything that stores the matching packets (pcap, tagged sessions)
# holds recoverable passwords. Handle that data accordingly and move the service to TLS.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:9;)
# --- Check-in URIs: POST requests to fixed /ctrl/ paths ---
# sid:2006403 is the only rule in this group without a reference: option.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:trojan-activity; sid:2006403; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownLoader.30525 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:trojan-activity; sid:2006404; rev:5;)
# --- Proxy.Win32.Agent.mx: q.php plus a set of short query-parameter names ---
# The parameter contents are three bytes each and unordered, so the match depends on the combination, not on any single string.
# NOTE(review): "q.php" is not anchored with a leading "/", so it also matches longer file names ending in q.php; watch for benign hits.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:trojan-activity; sid:2006405; rev:3;)
# Variant (2) does not fire when ".chartbeat.net" appears anywhere in the request headers (presumably a false-positive exclusion; verify).
# It marks "q.php" as the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Win32.Agent.mx (2)"; flow:established,to_server; content:"q.php"; fast_pattern; nocase; http_uri; content:!".chartbeat.net"; nocase; http_header; content:"&p="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&o="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006406; classtype:trojan-activity; sid:2006406; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET MALWARE Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; content:"User-Agent|3a| pint_agency"; http_header; reference:url,doc.emergingthreats.net/2006413; classtype:trojan-activity; sid:2006413; rev:7;) alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; classtype:policy-violation; sid:2006417; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; flow:established,to_server; content:"User-Agent|3a| Museon"; http_header; reference:url,doc.emergingthreats.net/2006418; classtype:trojan-activity; sid:2006418; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner)"; flow:established,to_server; content:"User-Agent|3a| anycleaner"; http_header; reference:url,doc.emergingthreats.net/2006419; classtype:trojan-activity; sid:2006419; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; http_header; reference:url,doc.emergingthreats.net/2006420; classtype:trojan-activity; sid:2006420; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; content:"User-Agent|3a| DoctorVaccine"; http_header; reference:url,doc.emergingthreats.net/2006421; classtype:trojan-activity; sid:2006421; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; content:"User-Agent|3a| WT_GET_COMM"; http_header; 
reference:url,doc.emergingthreats.net/2006422; classtype:trojan-activity; sid:2006422; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; content:"User-Agent|3a| doctorpro"; http_header; reference:url,doc.emergingthreats.net/2006423; classtype:trojan-activity; sid:2006423; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:trojan-activity; sid:2006427; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:trojan-activity; sid:2006428; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:trojan-activity; sid:2006429; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; content:"User-Agent|3a| Access down|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006430; classtype:trojan-activity; sid:2006430; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; 
http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:trojan-activity; sid:2006431; rev:6;)
# --- Doctorpro.co.kr check-ins: the URI carries a MAC-address-shaped value ---
# The pcre expects six colon-separated two-character groups, the first starting with the literal "0".
# \w is wider than hex digits, so the pattern is a shape check rather than a strict MAC validation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:trojan-activity; sid:2006432; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:trojan-activity; sid:2006433; rev:6;)
# Prefix match on the User-Agent value "Winlogon" (case-sensitive, no end anchor).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (Winlogon)"; flow:established,to_server; content:"User-Agent|3a| Winlogon"; http_header; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:6;)
# --- Generic SQL-injection keyword pairs, $EXTERNAL_NET -> $HTTP_SERVERS ---
# Coverage: every content uses http_uri and every pcre uses the U flag, so only the request URI is inspected.
# Keywords carried in a request body, cookie or other header are outside what these five rules look at.
# Precision: DELETE/FROM, INSERT/INTO, SELECT/FROM and UNION/SELECT only need both words somewhere in the URI,
# in that order and case-insensitive. URIs that carry free text (search terms, titles) can therefore trigger them,
# so triage on the server's response and application logs rather than on the alert alone.
# sid:2006447 (UPDATE SET) is stricter: it needs a non-word character before each keyword, whitespace and an
# identifier-like character after it, and a later "=".
# These rules report attempts. They do not replace parameterized queries in the application.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; classtype:web-application-attack; sid:2006443; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO"; flow:established,to_server; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006444; classtype:web-application-attack; sid:2006444; rev:10;)
# \b after SELECT requires a word boundary there; ".*" allows FROM to follow immediately.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT\b.*FROM/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:11;)
# distance:0 makes the "SET" content relative: it must occur after the end of the "UPDATE" match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET"; flow:established,to_server; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; distance:0; http_uri; pcre:"/\WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006447; classtype:web-application-attack; sid:2006447; rev:14;)
# --- Win32.Agent.ajx: outbound report URI identified by its parameter set (unordered substrings) ---
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.ajx Trojan Reporting to Server"; flow:established,to_server; content:"/count.php?fid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; content:"&wc="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006448; classtype:trojan-activity; sid:2006448; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php SELECT"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006449; classtype:web-application-attack; sid:2006449; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UNION SELECT"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006450; classtype:web-application-attack; sid:2006450; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php INSERT"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006451; classtype:web-application-attack; sid:2006451; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php DELETE"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006452; classtype:web-application-attack; sid:2006452; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php ASCII"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; 
content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006453; classtype:web-application-attack; sid:2006453; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE"; flow:established,to_server; content:"/mod_banners.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006454; classtype:web-application-attack; sid:2006454; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page SELECT"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006455; classtype:web-application-attack; sid:2006455; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UNION SELECT"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006456; classtype:web-application-attack; sid:2006456; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page INSERT"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; 
reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006457; classtype:web-application-attack; sid:2006457; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page DELETE"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006458; classtype:web-application-attack; sid:2006458; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page ASCII"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006459; classtype:web-application-attack; sid:2006459; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE"; flow:established,to_server; content:"/content.php?"; http_uri; nocase; content:"page="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006460; classtype:web-application-attack; sid:2006460; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006461; 
classtype:web-application-attack; sid:2006461; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UNION SELECT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006462; classtype:web-application-attack; sid:2006462; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006463; classtype:web-application-attack; sid:2006463; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm DELETE"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006464; classtype:web-application-attack; sid:2006464; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm ASCII"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006465; classtype:web-application-attack; sid:2006465; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE"; 
flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006466; classtype:web-application-attack; sid:2006466; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode SELECT"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006467; classtype:web-application-attack; sid:2006467; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UNION SELECT"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006468; classtype:web-application-attack; sid:2006468; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode INSERT"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006469; classtype:web-application-attack; sid:2006469; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt 
-- autherror.cfm errorcode DELETE"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006470; classtype:web-application-attack; sid:2006470; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode ASCII"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006471; classtype:web-application-attack; sid:2006471; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE"; flow:established,to_server; content:"/forum/include/error/autherror.cfm?"; nocase; http_uri; content:"errorcode="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006472; classtype:web-application-attack; sid:2006472; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid SELECT"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006473; classtype:web-application-attack; sid:2006473; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
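$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UNION SELECT"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006474; classtype:web-application-attack; sid:2006474; rev:8;)
# sid:2006474 (the rule ending on the line above) listed content:"UNION" twice with identical modifiers.
# The second copy matched the same bytes as the first and added nothing, so it has been dropped.
#
# --- LiveCMS categoria.php "cid" parameter (CVE-2007-3293): one rule per SQL keyword ---
# Shared shape: the URI must contain "/categoria.php?" and "cid=", then one keyword as a content prefilter,
# then a pcre over the normalized URI (U flag) confirms the keyword pair. Only the URI is inspected.
# NOTE(review): the option lists of 2006474 and 2006477 differ from the text that carried rev:8;
# bump rev, or move the edited rules to a local sid range, according to your ruleset process.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid INSERT"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006475; classtype:web-application-attack; sid:2006475; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006476; classtype:web-application-attack; sid:2006476; rev:8;)
# The ASCII rule previously prefiltered on "SELECT" while its msg and every sibling ASCII rule in this file key on "ASCII".
# The pcre requires both words, so the set of matching requests is unchanged; the prefilter now agrees with the rule's name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid ASCII"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006477; classtype:web-application-attack; sid:2006477; rev:8;)
alert tcp $EXTERNAL_NET any -> 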
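$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE"; flow:established,to_server; content:"/categoria.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006478; classtype:web-application-attack; sid:2006478; rev:8;)
# --- Solar Empire game_listing.php (CVE-2007-3307): one rule per SQL keyword ---
# Shape: the URI contains "/game_listing.php?" and one keyword, and a pcre over the normalized URI confirms the pair.
# The URI matches are written as content + http_uri, the form used by the other rules in this file,
# in place of the legacy uricontent keyword. The buffer inspected is the same request URI.
# Only the URI is inspected; keywords carried elsewhere in the request are outside these rules.
# NOTE(review): option text differs from what carried rev:5; bump rev or use a local sid range per your ruleset process.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php SELECT"; flow:established,to_server; content:"/game_listing.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006479; classtype:web-application-attack; sid:2006479; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UNION SELECT"; flow:established,to_server; content:"/game_listing.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006480; classtype:web-application-attack; sid:2006480; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php INSERT"; flow:established,to_server; content:"/game_listing.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006481; classtype:web-application-attack; sid:2006481; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php DELETE"; flow:established,to_server; content:"/game_listing.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006482; classtype:web-application-attack; sid:2006482; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php ASCII"; flow:established,to_server; content:"/game_listing.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006484; classtype:web-application-attack; sid:2006484; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE"; flow:established,to_server; content:"/game_listing.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006485; classtype:web-application-attack; sid:2006485; rev:5;)
# --- Xoops print.php "id" parameter (CVE-2007-3311): one rule per SQL keyword ---
# Same shape as above with an extra "id=" content, again written as content + http_uri.
# "id=" is a plain substring, so it is also satisfied by any parameter whose name ends in "id".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id SELECT"; flow:established,to_server; content:"/print.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006486; classtype:web-application-attack; sid:2006486; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UNION SELECT"; flow:established,to_server; content:"/print.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006487; classtype:web-application-attack; sid:2006487; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id INSERT"; flow:established,to_server; content:"/print.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006488; classtype:web-application-attack; sid:2006488; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id DELETE"; flow:established,to_server; content:"/print.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006489; classtype:web-application-attack; sid:2006489; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id ASCII"; flow:established,to_server; content:"/print.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006490; classtype:web-application-attack; sid:2006490; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE"; flow:established,to_server; content:"/print.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006491; classtype:web-application-attack; sid:2006491; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 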
WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006492; classtype:web-application-attack; sid:2006492; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006493; classtype:web-application-attack; sid:2006493; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006494; classtype:web-application-attack; sid:2006494; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006495; classtype:web-application-attack; sid:2006495; rev:7;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006496; classtype:web-application-attack; sid:2006496; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"login_username="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006497; classtype:web-application-attack; sid:2006497; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006498; classtype:web-application-attack; sid:2006498; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006499; classtype:web-application-attack; sid:2006499; rev:7;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006500; classtype:web-application-attack; sid:2006500; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006501; classtype:web-application-attack; sid:2006501; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006502; classtype:web-application-attack; sid:2006502; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE"; flow:established,to_server; content:"/news.php?"; nocase; http_uri; content:"item="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006503; classtype:web-application-attack; sid:2006503; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus 
Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct SELECT"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006504; classtype:web-application-attack; sid:2006504; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UNION SELECT"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006505; classtype:web-application-attack; sid:2006505; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct INSERT"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006506; classtype:web-application-attack; sid:2006506; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct DELETE"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; 
reference:url,doc.emergingthreats.net/2006507; classtype:web-application-attack; sid:2006507; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ASCII"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006508; classtype:web-application-attack; sid:2006508; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE"; flow:established,to_server; content:"/comersus_optReviewReadExec.asp?"; nocase; http_uri; content:"idProduct="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006509; classtype:web-application-attack; sid:2006509; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006510; classtype:web-application-attack; sid:2006510; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"UNION"; 
nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006511; classtype:web-application-attack; sid:2006511; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006512; classtype:web-application-attack; sid:2006512; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006513; classtype:web-application-attack; sid:2006513; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006514; classtype:web-application-attack; sid:2006514; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE"; flow:established,to_server; 
uricontent:"/index.php?"; nocase; uricontent:"Outgoing_Type_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006515; classtype:web-application-attack; sid:2006515; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006516; classtype:web-application-attack; sid:2006516; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006517; classtype:web-application-attack; sid:2006517; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006518; classtype:web-application-attack; sid:2006518; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php 
Outgoing_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006519; classtype:web-application-attack; sid:2006519; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006520; classtype:web-application-attack; sid:2006520; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Outgoing_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006521; classtype:web-application-attack; sid:2006521; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006522; classtype:web-application-attack; sid:2006522; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL 
Injection Attempt -- index.php Project_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006523; classtype:web-application-attack; sid:2006523; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006524; classtype:web-application-attack; sid:2006524; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006525; classtype:web-application-attack; sid:2006525; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006526; classtype:web-application-attack; sid:2006526; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Project_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006527; classtype:web-application-attack; sid:2006527; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006528; classtype:web-application-attack; sid:2006528; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006529; classtype:web-application-attack; sid:2006529; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006530; classtype:web-application-attack; sid:2006530; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006531; classtype:web-application-attack; sid:2006531; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006532; classtype:web-application-attack; sid:2006532; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Client_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006533; classtype:web-application-attack; sid:2006533; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006534; classtype:web-application-attack; sid:2006534; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006535; classtype:web-application-attack; sid:2006535; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006536; classtype:web-application-attack; sid:2006536; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006537; classtype:web-application-attack; sid:2006537; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006538; classtype:web-application-attack; sid:2006538; rev:5;) 
# ---------------------------------------------------------------------------
# PHPAccounts index.php SQL injection attempts (CVE-2007-3345)
# sids 2006539-2006545: Invoice_ID UPDATE, then the Vendor_ID parameter.
#
# Each rule fires on client-to-server traffic from $EXTERNAL_NET to
# $HTTP_SERVERS:$HTTP_PORTS when the URI contains all three case-insensitive
# strings (script path, parameter name, SQL keyword) and the pcre also matches
# the URI buffer (U flag), case-insensitively (i flag).
#
# Review notes:
#  - Coverage depends on $HTTP_SERVERS and $HTTP_PORTS being set accurately;
#    servers or ports outside those variables are not inspected by these rules.
#  - Only the URI is inspected. Whether the application also accepts these
#    parameters in a request body is not visible here; if it does, these
#    rules would not cover that path. TODO confirm per application.
#  - The pcre is not tied to the named parameter: the keyword pair may appear
#    anywhere in the URI. The leading ".+" only requires at least one
#    character before the keyword. Expect false positives on URIs that
#    legitimately carry such words.
#  - An alert records an attempt seen on the wire, not a successful
#    injection. Confirm against web server and database logs during triage.
#  - uricontent is the older keyword form; the NetClassifieds and EasyPage
#    rules below use content + http_uri for the same URI matching.
# ---------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Invoice_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006539; classtype:web-application-attack; sid:2006539; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006540; classtype:web-application-attack; sid:2006540; rev:5;)
# UNION variant: the pcre requires at least one whitespace character between
# the two keywords (\s+), as seen in the URI buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006541; classtype:web-application-attack; sid:2006541; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006542; classtype:web-application-attack; sid:2006542; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006543; classtype:web-application-attack; sid:2006543; rev:5;)
# ASCII variant: matches "ASCII(" followed later by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006544; classtype:web-application-attack; sid:2006544; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"Vendor_ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006545; classtype:web-application-attack; sid:2006545; rev:5;)
# ---------------------------------------------------------------------------
# SSH brute-force heuristic (sid 2006546)
#
# Matches inbound established sessions to $HOME_NET port 22 whose payload
# contains "SSH-" and then "libssh" within 20 bytes after it. Both matches
# are case-sensitive (no nocase).
# "threshold: type both, count 5, seconds 30, track by_src" raises at most
# one alert per source per 30-second window, once 5 matches are seen in it.
#
# Review notes:
#  - Only destination port 22 is covered; SSH on other ports is not.
#  - Presumably legitimate automation built on libssh matches as well.
#    Verify against known management sources before treating an alert as an
#    attack, and correlate with sshd authentication-failure logs.
# ---------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:6;)
# ---------------------------------------------------------------------------
# NetClassifieds Premium Edition ViewCat.php s_user_id SQL injection attempts
# (CVE-2007-3354), sids 2006547-2006552.
#
# Same three-string-plus-pcre shape as the PHPAccounts rules, written with
# content + http_uri. These pcres have no leading ".+", so the keyword may
# sit at the very start of the URI buffer. The same caveats apply: only the
# URI is inspected, the pcre is not bound to the parameter, and an alert
# records an attempt only.
# ---------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id SELECT"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006547; classtype:web-application-attack; sid:2006547; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UNION SELECT"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006548; classtype:web-application-attack; sid:2006548; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id INSERT"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006549; classtype:web-application-attack; sid:2006549; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id DELETE"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006550; classtype:web-application-attack; sid:2006550; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ASCII"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006551; classtype:web-application-attack; sid:2006551; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE"; flow:established,to_server; content:"/ViewCat.php?"; nocase; http_uri; content:"s_user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006552; classtype:web-application-attack; sid:2006552; rev:7;)
# ---------------------------------------------------------------------------
# Cpushpop.com spyware User-Agent (sid 2006553)
#
# Outbound rule: $HOME_NET client to $EXTERNAL_NET on $HTTP_PORTS, matching
# the HTTP header bytes "User-Agent: CPUSH_". The match is case-sensitive
# (no nocase), so it covers any agent string starting with CPUSH_.
# The source address of an alert is the internal host to investigate.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| CPUSH_"; http_header; reference:url,doc.emergingthreats.net/2006553; classtype:trojan-activity; sid:2006553; rev:8;)
# ---------------------------------------------------------------------------
# EasyPage /sptrees/default.aspx docId SQL injection attempts (CVE-2006-6486)
# sids 2006554-2006558 in this span.
#
# Same content + http_uri + pcre shape as the NetClassifieds rules, and the
# same caveats: only the URI is inspected, the pcre is not bound to docId,
# and an alert records an attempt only.
# ---------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId SELECT"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006554; classtype:web-application-attack; sid:2006554; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UNION SELECT"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006555; classtype:web-application-attack; sid:2006555; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId INSERT"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006556; classtype:web-application-attack; sid:2006556; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId DELETE"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006557; classtype:web-application-attack; sid:2006557; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId ASCII"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006558; classtype:web-application-attack; sid:2006558; rev:6;)
# ---------------------------------------------------------------------------
# ET WEB_SPECIFIC_APPS: per-application SQL injection signatures.
# Shape shared by every rule in this run:
#   * header: tcp from $EXTERNAL_NET to $HTTP_SERVERS on $HTTP_PORTS, so only
#     inbound traffic to the declared web servers is inspected;
#   * flow:established,to_server restricts matching to client requests;
#   * URI-buffer substrings (content ... http_uri, or the legacy uricontent
#     spelling of the same check) for the script path, usually the parameter
#     name, and one SQL keyword;
#   * a PCRE with the U (normalized URI) and i (case-insensitive) flags that
#     confirms the keyword pair, e.g. SELECT ... FROM.
# Review notes for deployment:
#   * No distance/within ties the keyword to the named parameter, so any URI
#     on that script holding both strings can alert; this may produce false
#     positives on free-text query strings. Scope $HTTP_SERVERS to hosts that
#     actually run the application named in msg.
#   * Every match is on the URI; request bodies are not inspected here.
# ---------------------------------------------------------------------------

# EasyPage, CVE-2006-6486 -- /sptrees/default.aspx, parameter docId (UPDATE variant).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE"; flow:established,to_server; content:"/sptrees/default.aspx?"; nocase; http_uri; content:"docId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006559; classtype:web-application-attack; sid:2006559; rev:6;)

# AnnonceScriptHP, CVE-2006-6478 -- /email.php, parameter id.
# NOTE(review): sid 2006563 does not appear in this listing; all six keyword variants are still present.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006560; classtype:web-application-attack; sid:2006560; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006561; classtype:web-application-attack; sid:2006561; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri;content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006562; classtype:web-application-attack; sid:2006562; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006564; classtype:web-application-attack; sid:2006564; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006565; classtype:web-application-attack; sid:2006565; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; content:"/email.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006566; classtype:web-application-attack; sid:2006566; rev:6;)

# AnnonceScriptHP, CVE-2006-6478 -- /voirannonce.php, parameter no.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no SELECT"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006567; classtype:web-application-attack; sid:2006567; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UNION SELECT"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006568; classtype:web-application-attack; sid:2006568; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no INSERT"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006569; classtype:web-application-attack; sid:2006569; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no DELETE"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006570; classtype:web-application-attack; sid:2006570; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ASCII"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006571; classtype:web-application-attack; sid:2006571; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE"; flow:established,to_server; content:"/voirannonce.php?"; nocase; http_uri; content:"no="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006572; classtype:web-application-attack; sid:2006572; rev:6;)

# AnnonceScriptHP, CVE-2006-6478 -- /admin/admin_membre/fiche_membre.php, parameter idmembre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre SELECT"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006573; classtype:web-application-attack; sid:2006573; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UNION SELECT"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006574; classtype:web-application-attack; sid:2006574; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre INSERT"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006575; classtype:web-application-attack; sid:2006575; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre DELETE"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006576; classtype:web-application-attack; sid:2006576; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ASCII"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006577; classtype:web-application-attack; sid:2006577; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE"; flow:established,to_server; content:"/admin/admin_membre/fiche_membre.php?"; nocase; http_uri; content:"idmembre="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006578; classtype:web-application-attack; sid:2006578; rev:6;)

# AnnonceScriptHP, CVE-2006-6478 -- /admin/admin_annonce/okvalannonce.php, parameter idannonce.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce SELECT"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006579; classtype:web-application-attack; sid:2006579; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UNION SELECT"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006580; classtype:web-application-attack; sid:2006580; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce INSERT"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006581; classtype:web-application-attack; sid:2006581; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce DELETE"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006582; classtype:web-application-attack; sid:2006582; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ASCII"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006583; classtype:web-application-attack; sid:2006583; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE"; flow:established,to_server; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006584; classtype:web-application-attack; sid:2006584; rev:6;)

# AnnonceScriptHP, CVE-2006-6478 -- /admin/admin_annonce/changeannonce.php, parameter idannonce.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce SELECT"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006585; classtype:web-application-attack; sid:2006585; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UNION SELECT"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006586; classtype:web-application-attack; sid:2006586; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce INSERT"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006587; classtype:web-application-attack; sid:2006587; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce DELETE"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006588; classtype:web-application-attack; sid:2006588; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ASCII"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006589; classtype:web-application-attack; sid:2006589; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE"; flow:established,to_server; content:"/admin/admin_annonce/changeannonce.php?"; nocase; http_uri; content:"idannonce="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006590; classtype:web-application-attack; sid:2006590; rev:6;)

# Novell ZENworks Patch Management (ZPM), CVE-2006-6450 -- /dagent/downloadreport.asp, parameter agentid.
# This group uses uricontent, and its PCREs open with ".+", which only demands at least one
# character ahead of the keyword.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006591; classtype:web-application-attack; sid:2006591; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UNION SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006592; classtype:web-application-attack; sid:2006592; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid INSERT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006593; classtype:web-application-attack; sid:2006593; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid DELETE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006594; classtype:web-application-attack; sid:2006594; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid ASCII"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006595; classtype:web-application-attack; sid:2006595; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"agentid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006596; classtype:web-application-attack; sid:2006596; rev:5;)

# Novell ZENworks Patch Management (ZPM), CVE-2006-6450 -- /dagent/downloadreport.asp, parameter pass.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006597; classtype:web-application-attack; sid:2006597; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UNION SELECT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006598; classtype:web-application-attack; sid:2006598; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass INSERT"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006599; classtype:web-application-attack; sid:2006599; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass DELETE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006600; classtype:web-application-attack; sid:2006600; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass ASCII"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006601; classtype:web-application-attack; sid:2006601; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE"; flow:established,to_server; uricontent:"/dagent/downloadreport.asp?"; nocase; uricontent:"pass="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006602; classtype:web-application-attack; sid:2006602; rev:5;)

# Vt-Forum Lite, CVE-2006-6448 -- /vf_memberdetail.asp, parameter user.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user SELECT"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006603; classtype:web-application-attack; sid:2006603; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UNION SELECT"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006604; classtype:web-application-attack; sid:2006604; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user INSERT"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006605; classtype:web-application-attack; sid:2006605; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user DELETE"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006606; classtype:web-application-attack; sid:2006606; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user ASCII"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006607; classtype:web-application-attack; sid:2006607; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE"; flow:established,to_server; uricontent:"/vf_memberdetail.asp?"; nocase; uricontent:"user="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006608; classtype:web-application-attack; sid:2006608; rev:5;)

# iWare Professional, CVE-2006-6446 -- /index.php, parameter D.
# Unlike the other groups, these rules also require the second keyword of the pair as its own
# URI substring (FROM, SELECT, INTO or SET) and mark the first keyword fast_pattern:only.
# The path "/index.php?" and the two-character "D=" are very common strings, so the keyword
# checks carry most of the specificity here.
# NOTE(review): sid 2006613 has no nocase on its "/index.php?" and "D=" matches, so those two are
# case-sensitive in that rule while the sibling rules match them case-insensitively -- confirm intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT"; fast_pattern:only; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; fast_pattern:only; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT"; fast_pattern:only; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"DELETE"; fast_pattern:only; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006612; classtype:web-application-attack; sid:2006612; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; content:"D="; http_uri; content:"ASCII("; fast_pattern:only; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006613; classtype:web-application-attack; sid:2006613; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server;uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"UPDATE"; fast_pattern:only; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:7;)

# dol storye, CVE-2006-6414 -- /dettaglio.asp, parameter id_doc.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006615; classtype:web-application-attack; sid:2006615; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UNION SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006616; classtype:web-application-attack; sid:2006616; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc INSERT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006617; classtype:web-application-attack; sid:2006617; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc DELETE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006618; classtype:web-application-attack; sid:2006618; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc ASCII"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006619; classtype:web-application-attack; sid:2006619; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_doc="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006620; classtype:web-application-attack; sid:2006620; rev:5;)

# dol storye, CVE-2006-6414 -- /dettaglio.asp, parameter id_aut.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006621; classtype:web-application-attack; sid:2006621; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UNION SELECT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006622; classtype:web-application-attack; sid:2006622; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut INSERT"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006623; classtype:web-application-attack; sid:2006623; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut DELETE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006624; classtype:web-application-attack; sid:2006624; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut ASCII"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006625; classtype:web-application-attack; sid:2006625; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE"; flow:established,to_server; uricontent:"/dettaglio.asp?"; nocase; uricontent:"id_aut="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006626; classtype:web-application-attack; sid:2006626; rev:5;)

# MyStats, CVE-2006-6403 -- /mystats.php, parameter details.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details SELECT"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006627; classtype:web-application-attack; sid:2006627; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UNION SELECT"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006628; classtype:web-application-attack; sid:2006628; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details INSERT"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006629; classtype:web-application-attack; sid:2006629; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details DELETE"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006630; classtype:web-application-attack; sid:2006630; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details ASCII"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006631; classtype:web-application-attack; sid:2006631; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE"; flow:established,to_server; content:"/mystats.php?"; nocase; http_uri; content:"details="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006632; classtype:web-application-attack; sid:2006632; rev:7;)

# Superfreaker Studios UPublisher, CVE-2006-6398 -- /sendarticle.asp.
# No parameter name is matched in this group: script path plus SQL keyword only, so these
# rules are broader than the per-parameter groups above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp SELECT"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006633; classtype:web-application-attack; sid:2006633; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UNION SELECT"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006634; classtype:web-application-attack; sid:2006634; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp INSERT"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006635; classtype:web-application-attack; sid:2006635; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp DELETE"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006636; classtype:web-application-attack; sid:2006636; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp ASCII"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006637; classtype:web-application-attack; sid:2006637; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE"; flow:established,to_server; uricontent:"/sendarticle.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006638; classtype:web-application-attack; sid:2006638; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp SELECT"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006639; classtype:web-application-attack; sid:2006639; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UNION SELECT"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006640; classtype:web-application-attack; sid:2006640; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp INSERT"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006641; classtype:web-application-attack; sid:2006641; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp DELETE"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006642; classtype:web-application-attack; sid:2006642; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp ASCII"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006643; classtype:web-application-attack; sid:2006643; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE"; flow:established,to_server; uricontent:"/printarticle.asp?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006644; classtype:web-application-attack; sid:2006644; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006645; classtype:web-application-attack; sid:2006645; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006646; classtype:web-application-attack; sid:2006646; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006647; classtype:web-application-attack; sid:2006647; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006648; 
classtype:web-application-attack; sid:2006648; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006649; classtype:web-application-attack; sid:2006649; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006650; classtype:web-application-attack; sid:2006650; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID SELECT"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006651; classtype:web-application-attack; sid:2006651; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UNION SELECT"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6398; 
reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006652; classtype:web-application-attack; sid:2006652; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID INSERT"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006653; classtype:web-application-attack; sid:2006653; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID DELETE"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006654; classtype:web-application-attack; sid:2006654; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID ASCII"; flow:established,to_server; uricontent:"/preferences.asp?"; nocase; uricontent:"ID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006655; classtype:web-application-attack; sid:2006655; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE"; flow:established,to_server; uricontent:"/preferences.asp?"; 
nocase; uricontent:"ID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006656; classtype:web-application-attack; sid:2006656; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni SELECT"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006657; classtype:web-application-attack; sid:2006657; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UNION SELECT"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006658; classtype:web-application-attack; sid:2006658; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni INSERT"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006659; classtype:web-application-attack; sid:2006659; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni DELETE"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006660; classtype:web-application-attack; sid:2006660; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ASCII"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006661; classtype:web-application-attack; sid:2006661; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006662; classtype:web-application-attack; sid:2006662; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci SELECT"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6387; 
reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006663; classtype:web-application-attack; sid:2006663; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UNION SELECT"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006664; classtype:web-application-attack; sid:2006664; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci INSERT"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006665; classtype:web-application-attack; sid:2006665; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci DELETE"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006666; classtype:web-application-attack; sid:2006666; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- 
prikazInformacije.php IDStranicaPodaci ASCII"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006667; classtype:web-application-attack; sid:2006667; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE"; flow:established,to_server; content:"/prikazInformacije.php?"; nocase; http_uri; content:"IDStranicaPodaci="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006668; classtype:web-application-attack; sid:2006668; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img SELECT"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006669; classtype:web-application-attack; sid:2006669; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UNION SELECT"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; 
reference:url,doc.emergingthreats.net/2006670; classtype:web-application-attack; sid:2006670; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img INSERT"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006671; classtype:web-application-attack; sid:2006671; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img DELETE"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006672; classtype:web-application-attack; sid:2006672; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img ASCII"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006673; classtype:web-application-attack; sid:2006673; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE"; flow:established,to_server; content:"/forum/modules/gallery/post.php?"; nocase; http_uri; content:"img="; nocase; 
http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006674; classtype:web-application-attack; sid:2006674; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006675; classtype:web-application-attack; sid:2006675; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006676; classtype:web-application-attack; sid:2006676; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006677; classtype:web-application-attack; sid:2006677; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img 
DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006678; classtype:web-application-attack; sid:2006678; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006679; classtype:web-application-attack; sid:2006679; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006680; classtype:web-application-attack; sid:2006680; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid SELECT"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006681; classtype:web-application-attack; sid:2006681; rev:7;) alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UNION SELECT"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006682; classtype:web-application-attack; sid:2006682; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid INSERT"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006683; classtype:web-application-attack; sid:2006683; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid DELETE"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006684; classtype:web-application-attack; sid:2006684; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid ASCII"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"ASCII"; 
nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006685; classtype:web-application-attack; sid:2006685; rev:7;)
# --- Invision Community Blog Mod: /lib/entry_reply_entry.php, "eid" parameter (CVE-2006-6369) ---
# Matching model used by every rule in this group of lines: three case-insensitive
# substrings (script path, parameter name, SQL keyword) must all be present in the
# request URI (http_uri), then a PCRE with the U and i flags confirms the keyword pair.
# The contents carry no distance/within, so the keyword may sit anywhere in the URI,
# not only in the named parameter's value. Only the URI is inspected; the same
# keywords in a request body or header do not match these signatures.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE"; flow:established,to_server; content:"/lib/entry_reply_entry.php?"; nocase; http_uri; content:"eid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006686; classtype:web-application-attack; sid:2006686; rev:7;)
# --- DUware DUdownload: /detail.asp, "iFile" parameter (CVE-2006-6367) ---
# One rule per keyword pair: SELECT..FROM, UNION SELECT, INSERT..INTO, DELETE..FROM,
# ASCII(..SELECT, UPDATE..SET. The UNION rule requires whitespace (\s+) between the
# two keywords; the others accept any characters (.+) between them.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006687; classtype:web-application-attack; sid:2006687; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006688; classtype:web-application-attack; sid:2006688; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006689; classtype:web-application-attack; sid:2006689; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006690; classtype:web-application-attack; sid:2006690; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006691; classtype:web-application-attack; sid:2006691; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iFile="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006692; classtype:web-application-attack; sid:2006692; rev:7;)
# --- DUware DUdownload: /detail.asp, "action" parameter (CVE-2006-6367) ---
# NOTE(review): "/detail.asp?" and "action=" are generic names; any application behind
# $HTTP_SERVERS that uses them can raise these alerts, so confirm the product is
# actually deployed before treating a hit as CVE-2006-6367.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006694; classtype:web-application-attack; sid:2006694; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006695; classtype:web-application-attack; sid:2006695; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006696; classtype:web-application-attack; sid:2006696; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006697; classtype:web-application-attack; sid:2006697; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006698; classtype:web-application-attack; sid:2006698; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006699; classtype:web-application-attack; sid:2006699; rev:7;)
# --- DUware DUpaypal: /detail.asp, "iType" parameter (CVE-2006-6365) ---
# Same script path as the DUdownload rules above; only the parameter-name content
# ("iType=") and the msg/reference fields tell the two products apart.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006700; classtype:web-application-attack; sid:2006700; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006701; classtype:web-application-attack; sid:2006701; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006702; classtype:web-application-attack; sid:2006702; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006703; classtype:web-application-attack; sid:2006703; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006704; classtype:web-application-attack; sid:2006704; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006705; classtype:web-application-attack; sid:2006705; rev:7;)
# --- DuWare DuClassmate: /default.asp, "iCity" parameter ---
# The rule below is split by a line break in this listing; its options continue on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity SELECT"; 
flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006706; classtype:web-application-attack; sid:2006706; rev:7;)
# --- DuWare DuClassmate: /default.asp, "iCity" parameter (CVE-2006-6355) ---
# Each rule needs three case-insensitive substrings in the request URI (script path,
# parameter name, SQL keyword) plus a PCRE on the URI (U flag, case-insensitive) for
# the keyword pair. Nothing ties the keyword to the parameter's value (no
# distance/within), and only the URI is inspected, so request bodies are out of scope.
# NOTE(review): "/default.asp?" is a very common path; confirm the product is deployed
# before treating a hit as CVE-2006-6355.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006707; classtype:web-application-attack; sid:2006707; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006708; classtype:web-application-attack; sid:2006708; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006709; classtype:web-application-attack; sid:2006709; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006710; classtype:web-application-attack; sid:2006710; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"iCity="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006711; classtype:web-application-attack; sid:2006711; rev:7;)
# --- DuWare DuNews: /detail.asp, "iNews" parameter (CVE-2006-6354) ---
# Same six keyword pairs as above: SELECT..FROM, UNION SELECT, INSERT..INTO,
# DELETE..FROM, ASCII(..SELECT, UPDATE..SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006712; classtype:web-application-attack; sid:2006712; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006713; classtype:web-application-attack; sid:2006713; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006714; classtype:web-application-attack; sid:2006714; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006715; classtype:web-application-attack; sid:2006715; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006716; classtype:web-application-attack; sid:2006716; rev:7;)
# The rule below is split by a line break in this listing; its classtype/sid/rev follow on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iNews="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006717; 
classtype:web-application-attack; sid:2006717; rev:7;)
# --- PWP Technologies The Classified Ad System: /default.asp, "main" parameter (CVE-2006-6349) ---
# Each rule needs three case-insensitive substrings in the request URI (script path,
# parameter name, SQL keyword) and then a PCRE on the URI (U flag, case-insensitive).
# NOTE(review): these six rules use the older uricontent keyword, whereas the Seditio
# rules further down express the same URI match as content + http_uri. The leading
# ".+" in each PCRE only requires at least one character before the keyword.
# "/default.asp?" and "main=" are generic names and nothing ties the keyword to the
# parameter's value, so confirm the application before treating a hit as CVE-2006-6349.
# Only the URI is inspected; request bodies are out of scope for these signatures.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006730; classtype:web-application-attack; sid:2006730; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UNION SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006731; classtype:web-application-attack; sid:2006731; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main INSERT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006732; classtype:web-application-attack; sid:2006732; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main DELETE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006733; classtype:web-application-attack; sid:2006733; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main ASCII"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006734; classtype:web-application-attack; sid:2006734; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"main="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006735; classtype:web-application-attack; sid:2006735; rev:5;)
# --- Neocrome Seditio: /plugins/ipsearch/ipsearch.admin.php (CVE-2006-6344) ---
# No parameter-name content here: the script path plus the keyword pair anywhere in
# the URI is enough to alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php SELECT"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006736; classtype:web-application-attack; sid:2006736; rev:7;)
# The rule below is split by a line break in this listing; its options continue on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UNION SELECT"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; 
nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006737; classtype:web-application-attack; sid:2006737; rev:7;)
# --- Neocrome Seditio: /plugins/ipsearch/ipsearch.admin.php (CVE-2006-6344) ---
# All Seditio rules here cite the same CVE and advisory and differ only in script path
# and keyword pair. For the first three scripts no parameter name is required: the
# script path and the SQL keyword (case-insensitive, request URI only) plus the PCRE
# on the URI (U flag) are the whole match. Request bodies are not inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php INSERT"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006738; classtype:web-application-attack; sid:2006738; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php DELETE"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006739; classtype:web-application-attack; sid:2006739; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ASCII"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006740; classtype:web-application-attack; sid:2006740; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE"; flow:established,to_server; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006741; classtype:web-application-attack; sid:2006741; rev:7;)
# --- Neocrome Seditio: /pfs/pfs.edit.inc.php (CVE-2006-6344) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php SELECT"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006742; classtype:web-application-attack; sid:2006742; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UNION SELECT"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006743; classtype:web-application-attack; sid:2006743; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php INSERT"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006744; classtype:web-application-attack; sid:2006744; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php DELETE"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006745; classtype:web-application-attack; sid:2006745; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ASCII"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006746; classtype:web-application-attack; sid:2006746; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE"; flow:established,to_server; content:"/pfs/pfs.edit.inc.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006747; classtype:web-application-attack; sid:2006747; rev:7;)
# --- Neocrome Seditio: /system/core/users/users.register.inc.php (CVE-2006-6344) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php SELECT"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006748; classtype:web-application-attack; sid:2006748; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UNION SELECT"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006749; classtype:web-application-attack; sid:2006749; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php INSERT"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006750; classtype:web-application-attack; sid:2006750; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php DELETE"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006751; classtype:web-application-attack; sid:2006751; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ASCII"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006752; classtype:web-application-attack; sid:2006752; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE"; flow:established,to_server; content:"/system/core/users/users.register.inc.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006753; classtype:web-application-attack; sid:2006753; rev:7;)
# --- Neocrome Seditio: /polls.php, "id" parameter (CVE-2006-6344) ---
# NOTE(review): content "id=" also matches inside longer parameter names (any name
# ending in "id"), and "/polls.php?" is not product-specific; expect these to need
# per-site validation.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006754; classtype:web-application-attack; sid:2006754; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006755; classtype:web-application-attack; sid:2006755; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006756; classtype:web-application-attack; sid:2006756; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006757; classtype:web-application-attack; sid:2006757; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006758; classtype:web-application-attack; sid:2006758; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006759; classtype:web-application-attack; sid:2006759; rev:7;)
# --- KLF-DESIGN KLF-REALTY: /search_listing.asp, "category" parameter (CVE-2006-6342) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006760; classtype:web-application-attack; sid:2006760; rev:6;)
# The rule below is split by a line break in this listing; its msg text and options continue on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. 
Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UNION SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006761; classtype:web-application-attack; sid:2006761; rev:7;)
# --- KLF-DESIGN KLF-REALTY: /search_listing.asp, "category" parameter (CVE-2006-6342) ---
# Each rule needs three case-insensitive substrings in the request URI (script path,
# parameter name, SQL keyword) plus a PCRE on the URI (U flag, case-insensitive) for
# the keyword pair. The contents carry no distance/within, so the keyword may appear
# anywhere in the URI rather than in the named parameter's value, and only the URI is
# inspected: request bodies are out of scope for these signatures.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category INSERT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006762; classtype:web-application-attack; sid:2006762; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category DELETE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006763; classtype:web-application-attack; sid:2006763; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ASCII"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006764; classtype:web-application-attack; sid:2006764; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"category="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006765; classtype:web-application-attack; sid:2006765; rev:7;)
# --- KLF-DESIGN KLF-REALTY: /search_listing.asp, "agent" parameter (CVE-2006-6342) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006766; classtype:web-application-attack; sid:2006766; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UNION SELECT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006767; classtype:web-application-attack; sid:2006767; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent INSERT"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006768; classtype:web-application-attack; sid:2006768; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent DELETE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006769; classtype:web-application-attack; sid:2006769; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ASCII"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006770; classtype:web-application-attack; sid:2006770; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE"; flow:established,to_server; content:"/search_listing.asp?"; nocase; http_uri; content:"agent="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006771; classtype:web-application-attack; sid:2006771; rev:7;)
# --- KLF-DESIGN KLF-REALTY: /detail.asp, "property_id" parameter (CVE-2006-6342) ---
# NOTE(review): "/detail.asp?" is a generic script path; the "property_id=" content is
# what narrows these rules to this product, so confirm it is deployed before triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006772; classtype:web-application-attack; sid:2006772; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006773; classtype:web-application-attack; sid:2006773; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006774; classtype:web-application-attack; sid:2006774; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006775; classtype:web-application-attack; sid:2006775; rev:7;)
# The rule below is split by a line break in this listing; its msg text and options continue on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. 
Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006776; classtype:web-application-attack; sid:2006776; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"property_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006777; classtype:web-application-attack; sid:2006777; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; content:"User-Agent|3a| blahrx"; http_header; reference:url,doc.emergingthreats.net/2006778; classtype:trojan-activity; sid:2006778; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; content:"User-Agent|3a| ZC-Bridgev"; http_header; reference:url,doc.emergingthreats.net/2006780; classtype:trojan-activity; sid:2006780; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; content:"User-Agent|3a| ZC XML-RPC"; http_header; reference:url,doc.emergingthreats.net/2006781; classtype:trojan-activity; sid:2006781; rev:37;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; 
content:"User-Agent|3a| szNotifyIdent"; http_header; reference:url,doc.emergingthreats.net/2006782; classtype:trojan-activity; sid:2006782; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006783; classtype:web-application-attack; sid:2006783; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UNION SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006784; classtype:web-application-attack; sid:2006784; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici INSERT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006785; classtype:web-application-attack; sid:2006785; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici DELETE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; 
nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006786; classtype:web-application-attack; sid:2006786; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ASCII"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006787; classtype:web-application-attack; sid:2006787; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullanici="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006788; classtype:web-application-attack; sid:2006788; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006789; classtype:web-application-attack; sid:2006789; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UNION 
SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006790; classtype:web-application-attack; sid:2006790; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola INSERT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006791; classtype:web-application-attack; sid:2006791; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola DELETE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006792; classtype:web-application-attack; sid:2006792; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ASCII"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006793; classtype:web-application-attack; sid:2006793; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aspee 
and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"parola="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006794; classtype:web-application-attack; sid:2006794; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006795; classtype:web-application-attack; sid:2006795; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UNION SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006796; classtype:web-application-attack; sid:2006796; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi INSERT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; 
reference:url,doc.emergingthreats.net/2006797; classtype:web-application-attack; sid:2006797; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi DELETE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006798; classtype:web-application-attack; sid:2006798; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi ASCII"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006799; classtype:web-application-attack; sid:2006799; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"kullanici_ismi="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006800; classtype:web-application-attack; sid:2006800; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; 
content:"sifre="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006801; classtype:web-application-attack; sid:2006801; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UNION SELECT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006802; classtype:web-application-attack; sid:2006802; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre INSERT"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006803; classtype:web-application-attack; sid:2006803; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre DELETE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006804; classtype:web-application-attack; sid:2006804; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- 
uye_giris_islem.asp sifre ASCII"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006805; classtype:web-application-attack; sid:2006805; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006806; classtype:web-application-attack; sid:2006806; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid SELECT"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006807; classtype:web-application-attack; sid:2006807; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UNION SELECT"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006808; classtype:web-application-attack; sid:2006808; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid INSERT"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006809; classtype:web-application-attack; sid:2006809; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid DELETE"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006810; classtype:web-application-attack; sid:2006810; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid ASCII"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006811; classtype:web-application-attack; sid:2006811; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE"; flow:established,to_server; uricontent:"/viewthread.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006812; classtype:web-application-attack; sid:2006812; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews 
SQL Injection Attempt -- articles.asp ex SELECT"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006813; classtype:web-application-attack; sid:2006813; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UNION SELECT"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006814; classtype:web-application-attack; sid:2006814; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex INSERT"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006815; classtype:web-application-attack; sid:2006815; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex DELETE"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006816; 
classtype:web-application-attack; sid:2006816; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex ASCII"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006817; classtype:web-application-attack; sid:2006817; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE"; flow:established,to_server; content:"/articles.asp?"; nocase; http_uri; content:"ex="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006818; classtype:web-application-attack; sid:2006818; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid SELECT"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006819; classtype:web-application-attack; sid:2006819; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UNION SELECT"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; 
reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006820; classtype:web-application-attack; sid:2006820; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid INSERT"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006821; classtype:web-application-attack; sid:2006821; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid DELETE"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006822; classtype:web-application-attack; sid:2006822; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid ASCII"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006823; classtype:web-application-attack; sid:2006823; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE"; flow:established,to_server; content:"/forum2.asp?"; nocase; http_uri; content:"soruid="; 
nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006824; classtype:web-application-attack; sid:2006824; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak SELECT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006825; classtype:web-application-attack; sid:2006825; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UNION SELECT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006826; classtype:web-application-attack; sid:2006826; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak INSERT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006827; classtype:web-application-attack; sid:2006827; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
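ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak DELETE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006828; classtype:web-application-attack; sid:2006828; rev:6;)
# ASPMForum SQL injection signatures for kullanicilistesi.asp, parameter "ak"
# (the rule references cite CVE-2006-6270).
# Each rule requires the script path, the parameter name and one SQL keyword in
# the normalized request URI (http_uri), then confirms the keyword pair with a
# PCRE on the same buffer (U flag), case-insensitively (i flag).
# The content matches carry no distance/within, so the keyword may sit anywhere
# in the URI, not only in the value of the named parameter; read the whole URI
# when triaging an alert.
#
# sid:2006829 -- as published, the "ASCII" content match had no http_uri and was
# evaluated against the raw payload rather than the normalized URI, unlike every
# sibling rule in this family. http_uri is added so the keyword is matched on
# the same decoded buffer as the PCRE. sid and rev are left as published; track
# this as a local change in your rule management.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006829; classtype:web-application-attack; sid:2006829; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"ak="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006830; classtype:web-application-attack; sid:2006830; rev:6;)
# Same signature pattern for aramayap.asp, parameter "kelimeler".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler SELECT"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; 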
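reference:url,doc.emergingthreats.net/2006831; classtype:web-application-attack; sid:2006831; rev:6;)
# ASPMForum SQL injection signatures for aramayap.asp, parameter "kelimeler"
# (the rule references cite CVE-2006-6270).
# Each rule requires the script path, the parameter name and one SQL keyword in
# the normalized request URI (http_uri), then confirms the keyword pair with a
# PCRE on the same buffer (U flag), case-insensitively (i flag).
# The content matches carry no distance/within, so the keyword may sit anywhere
# in the URI, not only in the value of the named parameter; read the whole URI
# when triaging an alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UNION SELECT"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006832; classtype:web-application-attack; sid:2006832; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler INSERT"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006833; classtype:web-application-attack; sid:2006833; rev:6;)
# sid:2006834 -- as published, the "DELETE" content match had no http_uri and
# was evaluated against the raw payload rather than the normalized URI, unlike
# every sibling rule in this family. http_uri is added so the keyword is matched
# on the same decoded buffer as the PCRE. sid and rev are left as published;
# track this as a local change in your rule management.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006834; classtype:web-application-attack; sid:2006834; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ASCII"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"ASCII"; nocase; 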
http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006835; classtype:web-application-attack; sid:2006835; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE"; flow:established,to_server; content:"/aramayap.asp?"; nocase; http_uri; content:"kelimeler="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006836; classtype:web-application-attack; sid:2006836; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006837; classtype:web-application-attack; sid:2006837; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UNION SELECT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006838; classtype:web-application-attack; sid:2006838; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp 
kullaniciadi INSERT"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006839; classtype:web-application-attack; sid:2006839; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi DELETE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006840; classtype:web-application-attack; sid:2006840; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ASCII"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006841; classtype:web-application-attack; sid:2006841; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE"; flow:established,to_server; content:"/giris.asp?"; nocase; http_uri; content:"kullaniciadi="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006842; classtype:web-application-attack; 
sid:2006842; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno SELECT"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006843; classtype:web-application-attack; sid:2006843; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UNION SELECT"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006844; classtype:web-application-attack; sid:2006844; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno INSERT"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006845; classtype:web-application-attack; sid:2006845; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; 
reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006846; classtype:web-application-attack; sid:2006846; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ASCII"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006847; classtype:web-application-attack; sid:2006847; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE"; flow:established,to_server; content:"/mesajkutum.asp?"; nocase; http_uri; content:"mesajno="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006848; classtype:web-application-attack; sid:2006848; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf SELECT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006849; classtype:web-application-attack; sid:2006849; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UNION SELECT"; flow:established,to_server; 
content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006850; classtype:web-application-attack; sid:2006850; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf INSERT"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006851; classtype:web-application-attack; sid:2006851; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf DELETE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006852; classtype:web-application-attack; sid:2006852; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ASCII"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006853; classtype:web-application-attack; sid:2006853; rev:6;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE"; flow:established,to_server; content:"/kullanicilistesi.asp?"; nocase; http_uri; content:"harf="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006854; classtype:web-application-attack; sid:2006854; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006855; classtype:web-application-attack; sid:2006855; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UNION SELECT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006856; classtype:web-application-attack; sid:2006856; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik INSERT"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6270; 
reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006857; classtype:web-application-attack; sid:2006857; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik DELETE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006858; classtype:web-application-attack; sid:2006858; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik ASCII"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006859; classtype:web-application-attack; sid:2006859; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE"; flow:established,to_server; content:"/forum.asp?"; nocase; http_uri; content:"baslik="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006860; classtype:web-application-attack; sid:2006860; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id SELECT"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; 
content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006862; classtype:web-application-attack; sid:2006862; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UNION SELECT"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006863; classtype:web-application-attack; sid:2006863; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id INSERT"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006864; classtype:web-application-attack; sid:2006864; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id DELETE"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006865; classtype:web-application-attack; sid:2006865; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id ASCII"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006866; classtype:web-application-attack; sid:2006866; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE"; flow:established,to_server; content:"/rating.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006867; classtype:web-application-attack; sid:2006867; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid SELECT"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006868; classtype:web-application-attack; sid:2006868; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UNION SELECT"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6269; 
reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006869; classtype:web-application-attack; sid:2006869; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid INSERT"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006870; classtype:web-application-attack; sid:2006870; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid DELETE"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006871; classtype:web-application-attack; sid:2006871; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid ASCII"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006872; classtype:web-application-attack; sid:2006872; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid 
UPDATE"; flow:established,to_server; content:"/meal_rest.asp?"; nocase; http_uri; content:"mealid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006873; classtype:web-application-attack; sid:2006873; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid SELECT"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006874; classtype:web-application-attack; sid:2006874; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UNION SELECT"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006875; classtype:web-application-attack; sid:2006875; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid INSERT"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; 
reference:url,doc.emergingthreats.net/2006876; classtype:web-application-attack; sid:2006876; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid DELETE"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006877; classtype:web-application-attack; sid:2006877; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid ASCII"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006878; classtype:web-application-attack; sid:2006878; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE"; flow:established,to_server; content:"/res_details.asp?"; nocase; http_uri; content:"resid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006879; classtype:web-application-attack; sid:2006879; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; 
content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006880; classtype:web-application-attack; sid:2006880; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006881; classtype:web-application-attack; sid:2006881; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006882; classtype:web-application-attack; sid:2006882; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006883; classtype:web-application-attack; sid:2006883; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; content:"/users.php?"; 
nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006884; classtype:web-application-attack; sid:2006884; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006885; classtype:web-application-attack; sid:2006885; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci SELECT"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006886; classtype:web-application-attack; sid:2006886; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UNION SELECT"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006887; classtype:web-application-attack; sid:2006887; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci INSERT"; flow:established,to_server; uricontent:"/slideshow.asp?"; 
nocase; uricontent:"ci="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006888; classtype:web-application-attack; sid:2006888; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci DELETE"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006889; classtype:web-application-attack; sid:2006889; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci ASCII"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006890; classtype:web-application-attack; sid:2006890; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE"; flow:established,to_server; uricontent:"/slideshow.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006891; classtype:web-application-attack; sid:2006891; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci SELECT"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; 
uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006892; classtype:web-application-attack; sid:2006892; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UNION SELECT"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006893; classtype:web-application-attack; sid:2006893; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci INSERT"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006894; classtype:web-application-attack; sid:2006894; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci DELETE"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006895; classtype:web-application-attack; sid:2006895; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci ASCII"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"ASCII"; nocase; 
pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006896; classtype:web-application-attack; sid:2006896; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE"; flow:established,to_server; uricontent:"/thumbnails.asp?"; nocase; uricontent:"ci="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006897; classtype:web-application-attack; sid:2006897; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006898; classtype:web-application-attack; sid:2006898; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006899; classtype:web-application-attack; sid:2006899; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; 
reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006900; classtype:web-application-attack; sid:2006900; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006901; classtype:web-application-attack; sid:2006901; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006902; classtype:web-application-attack; sid:2006902; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006903; classtype:web-application-attack; sid:2006903; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6243; 
reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006904; classtype:web-application-attack; sid:2006904; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006905; classtype:web-application-attack; sid:2006905; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006906; classtype:web-application-attack; sid:2006906; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006907; classtype:web-application-attack; sid:2006907; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; 
reference:url,doc.emergingthreats.net/2006908; classtype:web-application-attack; sid:2006908; rev:7;)
# FipsSHOP index.asp "did" UPDATE: the three content matches (http_uri) and the pcre (/U) all inspect the HTTP URI buffer only, so a request that carries the parameter in a POST body is outside this rule's coverage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"did="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006909; classtype:web-application-attack; sid:2006909; rev:7;)
# perlb0t/w0rmb0t response (outbound, any destination port): evaluated only on flows where the is_proto_irc flowbit is already set (flowbits:isset). The rule that sets that bit is not in this part of the file; if it is disabled, this signature never fires.
# Payload shape: bytes 3A 02 03 "4" 5B, then 03 02 within the next 32 bytes; the pcre confirms that one of the listed command names (BackConnect, help, HTTP..., SCAN, TCP..., UDP..., VERSION) sits between the two markers.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response 2"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 03|4|5B|"; content:"|03 02|"; within: 32; pcre:"/\x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02/i"; reference:url,doc.emergingthreats.net/2006911; classtype:trojan-activity; sid:2006911; rev:8;)
# Woltlab Burning Board Lite thread.php "threadvisit": these rules use the older uricontent keyword (Suricata documents it as equivalent to content + http_uri). The path, the parameter name and the SQL keyword are matched as independent URI substrings, so the keyword is not required to be inside the threadvisit value; when triaging a hit, check where in the URI the keyword actually appears.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit SELECT"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006921; classtype:web-application-attack; sid:2006921; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UNION SELECT"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006922; classtype:web-application-attack; sid:2006922; rev:5;)
alert tcp
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit INSERT"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006923; classtype:web-application-attack; sid:2006923; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit DELETE"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006924; classtype:web-application-attack; sid:2006924; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit ASCII"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006925; classtype:web-application-attack; sid:2006925; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE"; flow:established,to_server; uricontent:"/thread.php?"; nocase; uricontent:"threadvisit="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006926; classtype:web-application-attack; sid:2006926; rev:5;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006927; classtype:web-application-attack; sid:2006927; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UNION SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006928; classtype:web-application-attack; sid:2006928; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid INSERT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006929; classtype:web-application-attack; sid:2006929; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid DELETE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006930; classtype:web-application-attack; sid:2006930; 
rev:5;)
# PHP-Nuke modules.php "cid" ASCII: the msg names ASCII, but the literal pre-match is uricontent:"SELECT". The ASCII( token is checked only by the pcre, which needs ASCII( followed later by SELECT in the URI buffer (/U).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid ASCII"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"cid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006931; classtype:web-application-attack; sid:2006931; rev:5;)
# The next two rules (cid UPDATE, pid SELECT) are written with content + http_uri instead of uricontent, and their pcre has no leading ".+". They are still URI-only matches: path, parameter name and keyword are independent substrings of the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE"; flow:established,to_server; content:"/modules.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006932; classtype:web-application-attack; sid:2006932; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid SELECT"; flow:established,to_server; content:"/modules.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006933; classtype:web-application-attack; sid:2006933; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UNION SELECT"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded;
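reference:url,doc.emergingthreats.net/2006934; classtype:web-application-attack; sid:2006934; rev:5;)
# PHP-Nuke modules.php "pid" INSERT: the INSERT match now carries http_uri, like the two matches before it and like the sibling rules. Without the modifier the literal was searched in the raw payload while the pcre (/U) inspected the normalized URI, so the two checks looked at different buffers and could disagree.
# sid and rev are left as published; track this local change under your own rule-management process.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT"; flow:established,to_server; content:"/modules.php?"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006935; classtype:web-application-attack; sid:2006935; rev:6;)
# pid DELETE: uricontent form; path, parameter name and keyword are independent URI substrings, confirmed by a /U pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid DELETE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006936; classtype:web-application-attack; sid:2006936; rev:5;)
# pid ASCII: the literal pre-match is "SELECT"; ASCII( is checked only by the pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid ASCII"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006937; classtype:web-application-attack; sid:2006937; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"pid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6234;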
reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006938; classtype:web-application-attack; sid:2006938; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid SELECT"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006939; classtype:web-application-attack; sid:2006939; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UNION SELECT"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006940; classtype:web-application-attack; sid:2006940; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid INSERT"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006941; classtype:web-application-attack; sid:2006941; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid DELETE"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; 
reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006942; classtype:web-application-attack; sid:2006942; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid ASCII"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006943; classtype:web-application-attack; sid:2006943; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE"; flow:established,to_server; uricontent:"/recipe.php?"; nocase; uricontent:"recipeid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006944; classtype:web-application-attack; sid:2006944; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid SELECT"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006945; classtype:web-application-attack; sid:2006945; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UNION SELECT"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6220; 
reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006946; classtype:web-application-attack; sid:2006946; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid INSERT"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006947; classtype:web-application-attack; sid:2006947; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid DELETE"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006948; classtype:web-application-attack; sid:2006948; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid ASCII"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006949; classtype:web-application-attack; sid:2006949; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE"; flow:established,to_server; uricontent:"/list.php?"; nocase; uricontent:"categoryid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6220; 
reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006950; classtype:web-application-attack; sid:2006950; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006951; classtype:web-application-attack; sid:2006951; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006952; classtype:web-application-attack; sid:2006952; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006953; classtype:web-application-attack; sid:2006953; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006954; 
classtype:web-application-attack; sid:2006954; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006955; classtype:web-application-attack; sid:2006955; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"seite_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006956; classtype:web-application-attack; sid:2006956; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006957; classtype:web-application-attack; sid:2006957; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006958; classtype:web-application-attack; sid:2006958; rev:5;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; fast_pattern; distance:0; nocase; content:"INSERT"; http_uri; distance:0; nocase; content:"INTO"; http_uri; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:6;)
# The rule ending above (sid 2006959, gruppe_id INSERT) has no pcre: it chains four http_uri content matches with distance:0, so "/index.php?", "gruppe_id=", "INSERT" and "INTO" must appear in that order in the URI. fast_pattern is set on "gruppe_id=".
# The DELETE / ASCII / UPDATE rules below use uricontent plus a /U pcre instead; their path and parameter-name matches are not ordered relative to the SQL keyword, so check where in the URI the keyword appears when triaging a hit.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006960; classtype:web-application-attack; sid:2006960; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006961; classtype:web-application-attack; sid:2006961; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006962; classtype:web-application-attack; sid:2006962; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006963; classtype:web-application-attack; sid:2006963; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006964; classtype:web-application-attack; sid:2006964; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006965; classtype:web-application-attack; sid:2006965; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006966; classtype:web-application-attack; sid:2006966; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php 
go_target ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006967; classtype:web-application-attack; sid:2006967; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"go_target="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006968; classtype:web-application-attack; sid:2006968; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006969; classtype:web-application-attack; sid:2006969; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006970; classtype:web-application-attack; sid:2006970; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT"; flow:established,to_server; 
uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006971; classtype:web-application-attack; sid:2006971; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006972; classtype:web-application-attack; sid:2006972; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006973; classtype:web-application-attack; sid:2006973; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE"; flow:established,to_server; uricontent:"/admin_hacks_list.php?"; nocase; uricontent:"hack_id="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006974; classtype:web-application-attack; sid:2006974; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login SELECT"; flow:established,to_server; uricontent:"/process.php?"; 
nocase; uricontent:"login="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006975; classtype:web-application-attack; sid:2006975; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UNION SELECT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006976; classtype:web-application-attack; sid:2006976; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login INSERT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006977; classtype:web-application-attack; sid:2006977; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login DELETE"; flow:established,to_server; content:"/process.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006978; classtype:web-application-attack; sid:2006978; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login ASCII"; 
flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006979; classtype:web-application-attack; sid:2006979; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"login="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006980; classtype:web-application-attack; sid:2006980; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password SELECT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006981; classtype:web-application-attack; sid:2006981; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UNION SELECT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006982; classtype:web-application-attack; sid:2006982; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt 
-- process.php password INSERT"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006983; classtype:web-application-attack; sid:2006983; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password DELETE"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006984; classtype:web-application-attack; sid:2006984; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password ASCII"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006985; classtype:web-application-attack; sid:2006985; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE"; flow:established,to_server; uricontent:"/process.php?"; nocase; uricontent:"password="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006986; classtype:web-application-attack; sid:2006986; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper 
Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid SELECT"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006987; classtype:web-application-attack; sid:2006987; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006988; classtype:web-application-attack; sid:2006988; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid INSERT"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006989; classtype:web-application-attack; sid:2006989; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid DELETE"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006990; classtype:web-application-attack; sid:2006990; 
rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid ASCII"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006991; classtype:web-application-attack; sid:2006991; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE"; flow:established,to_server; uricontent:"/dlwallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006992; classtype:web-application-attack; sid:2006992; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid SELECT"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006993; classtype:web-application-attack; sid:2006993; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; 
reference:url,doc.emergingthreats.net/2006994; classtype:web-application-attack; sid:2006994; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid INSERT"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006995; classtype:web-application-attack; sid:2006995; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid DELETE"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006996; classtype:web-application-attack; sid:2006996; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid ASCII"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006997; classtype:web-application-attack; sid:2006997; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE"; flow:established,to_server; uricontent:"/wallpaper.php?"; nocase; uricontent:"wallpaperid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6214; 
reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006998; classtype:web-application-attack; sid:2006998; rev:5;)
# --- Brontok User-Agent (classtype trojan-activity) ---
# Direction is outbound: $HOME_NET client to $EXTERNAL_NET on $HTTP_PORTS, established flow.
# Matches the header text "User-Agent: Brontok" (|3a| is ':') case-insensitively in the HTTP
# header buffer. A hit means an internal host sent that header, so triage the source address.
# NOTE(review): the content covers only the "Brontok" prefix of the agent string named in msg,
# so any User-Agent beginning with that word will alert. The User-Agent is client-supplied;
# treat the alert as an indicator to corroborate with host evidence, not as a verdict.
# NOTE(review): only $HTTP_PORTS destinations are inspected; confirm that variable covers the
# proxy and alternate web ports in use on this network.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Brontok User-Agent Detected (Brontok.A3 Browser)"; flow:established,to_server; content:"User-Agent|3a| Brontok"; http_header; nocase; reference:url,doc.emergingthreats.net/2006999; classtype:trojan-activity; sid:2006999; rev:5;)
# --- ASP ListPics listpics.asp, ID parameter (CVE-2006-6210) ---
# Inbound to $HTTP_SERVERS:$HTTP_PORTS on an established client-to-server flow. Three
# case-insensitive content matches restricted to the URI by http_uri (script path, parameter
# name, SQL keyword), then a URI-scoped (U), case-insensitive (i) pcre for the keyword pair.
# NOTE(review): content:"ID=" is a substring match, so it is also satisfied by any parameter
# whose name ends in "id=". The parameter named in msg may not be the one that carried the
# keyword; check the logged URI during triage.
# NOTE(review): the content matches carry no distance/within, and all matching is URI-scoped;
# parameters delivered in a request body are not inspected by these sids.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID SELECT"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007000; classtype:web-application-attack; sid:2007000; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UNION SELECT"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007001; classtype:web-application-attack; sid:2007001; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID INSERT"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007002; classtype:web-application-attack; sid:2007002; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID DELETE"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007003; classtype:web-application-attack; sid:2007003; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID ASCII"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007004; classtype:web-application-attack; sid:2007004; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE"; flow:established,to_server; content:"/listpics.asp?"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007005; classtype:web-application-attack; sid:2007005; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant SELECT"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007006; classtype:web-application-attack; sid:2007006; rev:6;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UNION SELECT"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007007; classtype:web-application-attack; sid:2007007; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant INSERT"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007008; classtype:web-application-attack; sid:2007008; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant DELETE"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007009; classtype:web-application-attack; sid:2007009; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant ASCII"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"ASCII"; nocase; http_uri; 
pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007010; classtype:web-application-attack; sid:2007010; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE"; flow:established,to_server; content:"/item_show.asp?"; nocase; http_uri; content:"id2006quant="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007011; classtype:web-application-attack; sid:2007011; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007012; classtype:web-application-attack; sid:2007012; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UNION SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007013; classtype:web-application-attack; sid:2007013; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart 
SQL Injection Attempt -- item_list.asp maingroup INSERT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007014; classtype:web-application-attack; sid:2007014; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup DELETE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007015; classtype:web-application-attack; sid:2007015; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup ASCII"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007016; classtype:web-application-attack; sid:2007016; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"maingroup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007017; 
classtype:web-application-attack; sid:2007017; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007018; classtype:web-application-attack; sid:2007018; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UNION SELECT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007019; classtype:web-application-attack; sid:2007019; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup INSERT"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007020; classtype:web-application-attack; sid:2007020; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup DELETE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; 
content:"secondgroup="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007021; classtype:web-application-attack; sid:2007021; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup ASCII"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007022; classtype:web-application-attack; sid:2007022; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE"; flow:established,to_server; content:"/item_list.asp?"; nocase; http_uri; content:"secondgroup="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007023; classtype:web-application-attack; sid:2007023; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007030; classtype:web-application-attack; sid:2007030; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL 
Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007031; classtype:web-application-attack; sid:2007031; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007032; classtype:web-application-attack; sid:2007032; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007033; classtype:web-application-attack; sid:2007033; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007034; classtype:web-application-attack; sid:2007034; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb 
eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007035; classtype:web-application-attack; sid:2007035; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007036; classtype:web-application-attack; sid:2007036; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UNION SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007037; classtype:web-application-attack; sid:2007037; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007038; classtype:web-application-attack; sid:2007038; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007039; classtype:web-application-attack; sid:2007039; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007040; classtype:web-application-attack; sid:2007040; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007041; classtype:web-application-attack; sid:2007041; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007042; classtype:web-application-attack; sid:2007042; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UNION SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007043; classtype:web-application-attack; sid:2007043; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007044; classtype:web-application-attack; sid:2007044; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007045; classtype:web-application-attack; sid:2007045; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007046; classtype:web-application-attack; sid:2007046; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007047; classtype:web-application-attack; sid:2007047; rev:7;)
# --- Enthrallweb eClassifieds ad.asp, cat_id / sub_id parameters (CVE-2006-6208) ---
# Inbound to $HTTP_SERVERS:$HTTP_PORTS on an established client-to-server flow. Each rule
# needs the script path, the parameter name and an SQL keyword in the URI (case-insensitive),
# then a URI-scoped (U), case-insensitive (i) pcre for the keyword pair.
# NOTE(review): sid 2007048 (rev:6) still uses the legacy uricontent keyword, while the
# neighbouring ad.asp rules (rev:7) use content + http_uri. Both forms match the URI buffer;
# bring this rule in line when the family is next revised (uricontent is deprecated in newer
# engines; confirm against the engine version in use).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id SELECT"; flow:established,to_server; uricontent:"/ad.asp?"; nocase; uricontent:"cat_id="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007048; classtype:web-application-attack; sid:2007048; rev:6;)
# NOTE(review): sid 2007049 covers sub_id UPDATE but sits inside the cat_id sequence, in the
# slot where the other families place their UNION SELECT rule. No "ad.asp cat_id UNION SELECT"
# rule appears among the neighbouring ad.asp rules; confirm whether that variant is covered
# elsewhere in the ruleset before relying on this family for cat_id coverage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007049; classtype:web-application-attack; sid:2007049; rev:7;)
# NOTE(review): the content matches carry no distance/within, so the SQL keyword is not tied
# to the cat_id value, and all matching is URI-scoped; parameters delivered in a request body
# are not inspected by these sids.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007050; classtype:web-application-attack; sid:2007050; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL 
Injection Attempt -- ad.asp cat_id DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007051; classtype:web-application-attack; sid:2007051; rev:7;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007052: ad.asp / cat_id= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007052; classtype:web-application-attack; sid:2007052; rev:7;)
# sid 2007053: ad.asp / cat_id= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007053; classtype:web-application-attack; sid:2007053; rev:7;)
# sid 2007054: ad.asp / sub_id= / SELECT, pcre SELECT.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007054; classtype:web-application-attack; sid:2007054; rev:6;)
# sid 2007055 (rule text wraps onto the next line): ad.asp / sub_id= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL 
Injection Attempt -- ad.asp sub_id UNION SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007055; classtype:web-application-attack; sid:2007055; rev:7;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007056: ad.asp / sub_id= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007056; classtype:web-application-attack; sid:2007056; rev:7;)
# sid 2007057: ad.asp / sub_id= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007057; classtype:web-application-attack; sid:2007057; rev:7;)
# sid 2007058: ad.asp / sub_id= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"sub_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007058; classtype:web-application-attack; sid:2007058; rev:7;)
# sid 2007059 (rule text wraps onto the next line): ad.asp / cat_id= / UNION, pcre UNION\s+SELECT. Written with the legacy uricontent keyword, unlike the content + http_uri rules above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds 
SQL Injection Attempt -- ad.asp cat_id UNION SELECT"; flow:established,to_server; uricontent:"/ad.asp?"; nocase; uricontent:"cat_id="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007059; classtype:web-application-attack; sid:2007059; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007060: Evolve shopping cart, products.asp / partno= / SELECT, pcre SELECT.+FROM (CVE-2006-6207).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno SELECT"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007060; classtype:web-application-attack; sid:2007060; rev:6;)
# sid 2007061: products.asp / partno= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UNION SELECT"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007061; classtype:web-application-attack; sid:2007061; rev:6;)
# sid 2007062: products.asp / partno= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno INSERT"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007062; classtype:web-application-attack; sid:2007062; rev:6;)
# sid 2007063 (rule text wraps onto the next line): products.asp / partno= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve 
shopping cart SQL Injection Attempt -- products.asp partno DELETE"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007063; classtype:web-application-attack; sid:2007063; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007064: products.asp / partno= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno ASCII"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007064; classtype:web-application-attack; sid:2007064; rev:6;)
# sid 2007065: products.asp / partno= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE"; flow:established,to_server; content:"/products.asp?"; nocase; http_uri; content:"partno="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007065; classtype:web-application-attack; sid:2007065; rev:6;)
# sid 2007070: WarHound General Shopping Cart, item.asp / ItemID= / SELECT (CVE-2006-6206). Legacy uricontent form; the pcre's leading .+ only demands one character before SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID SELECT"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007070; classtype:web-application-attack; sid:2007070; rev:4;)
# sid 2007071 (rule text wraps onto the next line): item.asp / ItemID= / UNION, pcre .+UNION\s+SELECT, legacy uricontent form.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UNION SELECT"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007071; classtype:web-application-attack; sid:2007071; rev:4;)
# NOTE(review): the WarHound rules on this line all use the legacy uricontent keyword and a pcre with a leading .+ that only demands one character before the SQL keyword.
# None of the matches is tied to another with distance/within, so the keyword may appear anywhere in the URI; matching is URI-only and a hit is an attempt, not a confirmed injection.
# sid 2007072: item.asp / ItemID= / INSERT, pcre .+INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID INSERT"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007072; classtype:web-application-attack; sid:2007072; rev:4;)
# sid 2007073: item.asp / ItemID= / DELETE, pcre .+DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID DELETE"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007073; classtype:web-application-attack; sid:2007073; rev:4;)
# sid 2007074: item.asp / ItemID= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID ASCII"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007074; classtype:web-application-attack; sid:2007074; rev:4;)
# sid 2007075 (rule text wraps onto the next line): item.asp / ItemID= / UPDATE, pcre .+UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WarHound 
General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE"; flow:established,to_server; uricontent:"/item.asp?"; nocase; uricontent:"ItemID="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007075; classtype:web-application-attack; sid:2007075; rev:4;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007076: Enthrallweb eHomes, dircat.asp / cid= / SELECT, pcre SELECT.+FROM (CVE-2006-6204).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007076; classtype:web-application-attack; sid:2007076; rev:5;)
# sid 2007077: dircat.asp / cid= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007077; classtype:web-application-attack; sid:2007077; rev:6;)
# sid 2007078: dircat.asp / cid= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007078; classtype:web-application-attack; sid:2007078; rev:6;)
# sid 2007079 (rule text wraps onto the next line): dircat.asp / cid= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL 
Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007079; classtype:web-application-attack; sid:2007079; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007080: dircat.asp / cid= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007080; classtype:web-application-attack; sid:2007080; rev:6;)
# sid 2007081: dircat.asp / cid= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; content:"/dircat.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007081; classtype:web-application-attack; sid:2007081; rev:6;)
# sid 2007082: dirSub.asp / sid= / SELECT, pcre SELECT.+FROM. Here "sid=" is the application's URI parameter, not the rule's sid option.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007082; classtype:web-application-attack; sid:2007082; rev:6;)
# sid 2007083 (rule text wraps onto the next line): dirSub.asp / sid= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt 
-- dirSub.asp sid UNION SELECT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007083; classtype:web-application-attack; sid:2007083; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007084: dirSub.asp / sid= / INSERT, pcre INSERT.+INTO. Here "sid=" is the application's URI parameter, not the rule's sid option.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007084; classtype:web-application-attack; sid:2007084; rev:5;)
# sid 2007085: dirSub.asp / sid= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007085; classtype:web-application-attack; sid:2007085; rev:5;)
# sid 2007086: dirSub.asp / sid= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007086; classtype:web-application-attack; sid:2007086; rev:6;)
# sid 2007087 (rule text wraps onto the next line): dirSub.asp / sid= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- 
dirSub.asp sid UPDATE"; flow:established,to_server; content:"/dirSub.asp?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007087; classtype:web-application-attack; sid:2007087; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007088: types.asp / TYPE_ID= / SELECT, pcre SELECT.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID SELECT"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007088; classtype:web-application-attack; sid:2007088; rev:5;)
# sid 2007089: types.asp / TYPE_ID= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UNION SELECT"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007089; classtype:web-application-attack; sid:2007089; rev:5;)
# sid 2007090: types.asp / TYPE_ID= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID INSERT"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007090; classtype:web-application-attack; sid:2007090; rev:5;)
# sid 2007091 (rule text wraps onto the next line): types.asp / TYPE_ID= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection 
Attempt -- types.asp TYPE_ID DELETE"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007091; classtype:web-application-attack; sid:2007091; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007092: types.asp / TYPE_ID= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID ASCII"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007092; classtype:web-application-attack; sid:2007092; rev:6;)
# sid 2007093: types.asp / TYPE_ID= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE"; flow:established,to_server; content:"/types.asp?"; nocase; http_uri; content:"TYPE_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007093; classtype:web-application-attack; sid:2007093; rev:6;)
# sid 2007094: homeDetail.asp / AD_ID= / SELECT, pcre SELECT.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID SELECT"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007094; classtype:web-application-attack; sid:2007094; rev:6;)
# sid 2007095 (rule text wraps onto the next line): homeDetail.asp / AD_ID= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL 
Injection Attempt -- homeDetail.asp AD_ID UNION SELECT"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007095; classtype:web-application-attack; sid:2007095; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007096: homeDetail.asp / AD_ID= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID INSERT"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007096; classtype:web-application-attack; sid:2007096; rev:6;)
# sid 2007097: homeDetail.asp / AD_ID= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID DELETE"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007097; classtype:web-application-attack; sid:2007097; rev:6;)
# sid 2007098: homeDetail.asp / AD_ID= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID ASCII"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007098; classtype:web-application-attack; sid:2007098; rev:6;)
# sid 2007099 (rule text wraps onto the next line): homeDetail.asp / AD_ID= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE"; flow:established,to_server; content:"/homeDetail.asp?"; nocase; http_uri; content:"AD_ID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007099; classtype:web-application-attack; sid:2007099; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# The short literal "cat=" in these rules also matches inside any longer parameter name ending in cat; matching is URI-only, and a hit is an attempt to confirm against server logs.
# sid 2007100: result.asp / cat= / SELECT, pcre SELECT.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007100; classtype:web-application-attack; sid:2007100; rev:6;)
# sid 2007101: result.asp / cat= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UNION SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007101; classtype:web-application-attack; sid:2007101; rev:6;)
# sid 2007102: result.asp / cat= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat INSERT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007102; classtype:web-application-attack; sid:2007102; rev:6;)
# sid 2007103 (rule text wraps onto the next line): result.asp / cat= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007103; classtype:web-application-attack; sid:2007103; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007104: result.asp / cat= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007104; classtype:web-application-attack; sid:2007104; rev:6;)
# sid 2007105: result.asp / cat= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"cat="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007105; classtype:web-application-attack; sid:2007105; rev:6;)
# sid 2007106: compareHomes.asp / compare= / SELECT, pcre SELECT.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007106; classtype:web-application-attack; sid:2007106; rev:6;)
# sid 2007107 (rule text wraps onto the next line): compareHomes.asp / compare= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UNION SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007107; classtype:web-application-attack; sid:2007107; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007108: compareHomes.asp / compare= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare INSERT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007108; classtype:web-application-attack; sid:2007108; rev:6;)
# sid 2007109: compareHomes.asp / compare= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare DELETE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007109; classtype:web-application-attack; sid:2007109; rev:6;)
# sid 2007110 (rule text wraps onto the next line): compareHomes.asp / compare= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare ASCII"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007110; classtype:web-application-attack; sid:2007110; 
rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007111: compareHomes.asp / compare= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"compare="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007111; classtype:web-application-attack; sid:2007111; rev:6;)
# sid 2007112: compareHomes.asp / clear= / SELECT, pcre SELECT.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007112; classtype:web-application-attack; sid:2007112; rev:5;)
# sid 2007113: compareHomes.asp / clear= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UNION SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007113; classtype:web-application-attack; sid:2007113; rev:6;)
# sid 2007114 (rule text wraps onto the next line): compareHomes.asp / clear= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear INSERT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; 
reference:url,doc.emergingthreats.net/2007114; classtype:web-application-attack; sid:2007114; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007115: compareHomes.asp / clear= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear DELETE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007115; classtype:web-application-attack; sid:2007115; rev:6;)
# sid 2007116: compareHomes.asp / clear= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear ASCII"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007116; classtype:web-application-attack; sid:2007116; rev:6;)
# sid 2007117: compareHomes.asp / clear= / UPDATE, pcre UPDATE.+SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"clear="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007117; classtype:web-application-attack; sid:2007117; rev:6;)
# sid 2007118 (rule text wraps onto the next line): compareHomes.asp / adID= / SELECT, pcre SELECT.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; 
reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007118; classtype:web-application-attack; sid:2007118; rev:6;)
# NOTE(review): none of the content matches below is tied to another with distance/within, so the SQL keyword may appear anywhere in the URI, not just in the named parameter.
# Matching is URI-only; treat a hit as an attempt and confirm against web-server and database logs.
# sid 2007119: compareHomes.asp / adID= / UNION, pcre UNION\s+SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UNION SELECT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007119; classtype:web-application-attack; sid:2007119; rev:6;)
# sid 2007120: compareHomes.asp / adID= / INSERT, pcre INSERT.+INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID INSERT"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007120; classtype:web-application-attack; sid:2007120; rev:6;)
# sid 2007121: compareHomes.asp / adID= / DELETE, pcre DELETE.+FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID DELETE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007121; classtype:web-application-attack; sid:2007121; rev:6;)
# sid 2007122 (rule text wraps onto the next line): compareHomes.asp / adID= / ASCII; the pcre requires ASCII( followed later in the URI by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID ASCII"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; 
pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007122; classtype:web-application-attack; sid:2007122; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE"; flow:established,to_server; content:"/compareHomes.asp?"; nocase; http_uri; content:"adID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007123; classtype:web-application-attack; sid:2007123; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007124; classtype:web-application-attack; sid:2007124; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UNION SELECT"; flow:established,to_server; uricontent:"/result.asp?"; nocase; uricontent:"aminprice="; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007125; classtype:web-application-attack; sid:2007125; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice INSERT"; flow:established,to_server; uricontent:"/result.asp?"; nocase; uricontent:"aminprice="; nocase; uricontent:"INSERT"; nocase; 
pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007126; classtype:web-application-attack; sid:2007126; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007127; classtype:web-application-attack; sid:2007127; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007128; classtype:web-application-attack; sid:2007128; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"aminprice="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007129; classtype:web-application-attack; sid:2007129; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007130; classtype:web-application-attack; sid:2007130; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UNION SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007131; classtype:web-application-attack; sid:2007131; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice INSERT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007132; classtype:web-application-attack; sid:2007132; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007133; classtype:web-application-attack; sid:2007133; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; 
content:"amaxprice="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007134; classtype:web-application-attack; sid:2007134; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"amaxprice="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007135; classtype:web-application-attack; sid:2007135; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007136; classtype:web-application-attack; sid:2007136; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UNION SELECT"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007137; classtype:web-application-attack; sid:2007137; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms INSERT"; flow:established,to_server; 
content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007138; classtype:web-application-attack; sid:2007138; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms DELETE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007139; classtype:web-application-attack; sid:2007139; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms ASCII"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007140; classtype:web-application-attack; sid:2007140; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE"; flow:established,to_server; content:"/result.asp?"; nocase; http_uri; content:"abedrooms="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007141; classtype:web-application-attack; sid:2007141; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; 
content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid SELECT"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007176; classtype:web-application-attack; sid:2007176; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UNION SELECT"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007177; classtype:web-application-attack; sid:2007177; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid INSERT"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007178; classtype:web-application-attack; sid:2007178; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid DELETE"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; 
uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007179; classtype:web-application-attack; sid:2007179; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid ASCII"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007180; classtype:web-application-attack; sid:2007180; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE"; flow:established,to_server; uricontent:"/modules/News/index.php?"; nocase; uricontent:"sid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007181; classtype:web-application-attack; sid:2007181; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007182; classtype:web-application-attack; sid:2007182; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UNION 
SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007183; classtype:web-application-attack; sid:2007183; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id INSERT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007184; classtype:web-application-attack; sid:2007184; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id DELETE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007185; classtype:web-application-attack; sid:2007185; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id ASCII"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007186; classtype:web-application-attack; sid:2007186; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"show_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007187; classtype:web-application-attack; sid:2007187; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007188; classtype:web-application-attack; sid:2007188; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UNION SELECT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007189; classtype:web-application-attack; sid:2007189; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid INSERT"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007190; classtype:web-application-attack; sid:2007190; rev:7;) 
# Rules below are laid out one per line; rule text is unchanged.
# NOTE(review): the "ET" msg prefix and doc.emergingthreats.net references suggest
# these are upstream Emerging Threats sids. Prefer suppress/threshold entries or
# disabling by sid over editing rule text, so tuning survives ruleset updates.
#
# Shape shared by every rule in this span: $EXTERNAL_NET -> $HTTP_SERVERS on
# established client-to-server flows; three case-insensitive strings in the
# normalized URI (script path, parameter name, SQL keyword); then a pcre on the
# same buffer (/U) pairing the keyword with its partner (SELECT..FROM,
# UNION SELECT, INSERT..INTO, DELETE..FROM, ASCII(..SELECT, UPDATE..SET).
# NOTE(review): the string matches carry no distance/within and the pcre is not
# tied to the parameter, so the keyword may appear anywhere in the URI. Only the
# URI buffer is inspected. An alert records an attempt pattern, not a successful
# injection or proof that the product is installed; confirm against web server
# logs and consider disabling groups for products that are not deployed.
#
# ---------------------------------------------------------------------------
# Fixit iDMS Pro Image Gallery, CVE-2006-6195 (sids 2007191-2007199)
# ---------------------------------------------------------------------------
# filelist.asp, parameter "parentid" (DELETE / ASCII / UPDATE)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid DELETE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007191; classtype:web-application-attack; sid:2007191; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid ASCII"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007192; classtype:web-application-attack; sid:2007192; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE"; flow:established,to_server; content:"/filelist.asp?"; nocase; http_uri; content:"parentid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007193; classtype:web-application-attack; sid:2007193; rev:7;)
# showfile.asp, parameter "fid"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid SELECT"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007194; classtype:web-application-attack; sid:2007194; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UNION SELECT"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007195; classtype:web-application-attack; sid:2007195; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid INSERT"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007196; classtype:web-application-attack; sid:2007196; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid DELETE"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007197; classtype:web-application-attack; sid:2007197; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid ASCII"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007198; classtype:web-application-attack; sid:2007198; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE"; flow:established,to_server; content:"/showfile.asp?"; nocase; http_uri; content:"fid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007199; classtype:web-application-attack; sid:2007199; rev:7;)
#
# ---------------------------------------------------------------------------
# Ultimate Survey Pro, CVE-2006-6194: index.asp, parameters "cat" and "did"
# (sids 2007200-2007210)
# ---------------------------------------------------------------------------
# Written with the older uricontent keyword (also a normalized-URI match). The
# pcre begins with ".+", so at least one character must precede the SQL keyword.
# NOTE(review): "/index.asp?" and "cat=" / "did=" are short, generic substrings
# ("cat=" also matches inside a constructed example such as "subcat="), so this
# group is the most likely in the span to fire on unrelated ASP sites.
# NOTE(review): "did" has a plain SELECT rule (sid 2007205) but no "cat SELECT"
# rule is visible in this span; check whether one exists elsewhere in the
# ruleset before assuming the two parameters have equal coverage.
# index.asp, parameter "cat"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007200; classtype:web-application-attack; sid:2007200; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007201; classtype:web-application-attack; sid:2007201; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007202; classtype:web-application-attack; sid:2007202; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007203; classtype:web-application-attack; sid:2007203; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007204; classtype:web-application-attack; sid:2007204; rev:4;)
# index.asp, parameter "did"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007205; classtype:web-application-attack; sid:2007205; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007206; classtype:web-application-attack; sid:2007206; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007207; classtype:web-application-attack; sid:2007207; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007208; classtype:web-application-attack; sid:2007208; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007209; classtype:web-application-attack; sid:2007209; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"did="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007210; classtype:web-application-attack; sid:2007210; rev:4;)
#
# ---------------------------------------------------------------------------
# BasicForum, CVE-2006-6193: edit.asp, parameter "id" (sids 2007211-2007216)
# ---------------------------------------------------------------------------
# NOTE(review): the path string "/edit.asp?" is a substring of the simpleblog
# path "/admin/edit.asp?" used by sids 2007217-2007222 below, and both groups
# key on "id=". A request that matches a simpleblog rule therefore also matches
# the BasicForum rule for the same keyword; treat such pairs as one event and
# use the full URI to decide which product was targeted.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007211; classtype:web-application-attack; sid:2007211; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007212; classtype:web-application-attack; sid:2007212; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007213; classtype:web-application-attack; sid:2007213; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007214; classtype:web-application-attack; sid:2007214; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007215; classtype:web-application-attack; sid:2007215; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007216; classtype:web-application-attack; sid:2007216; rev:5;)
#
# ---------------------------------------------------------------------------
# 8pixel.net simpleblog, CVE-2006-6191: /admin/edit.asp, parameter "id"
# (sids 2007217-2007222)
# ---------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007217; classtype:web-application-attack; sid:2007217; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007218; classtype:web-application-attack; sid:2007218; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007219; classtype:web-application-attack; sid:2007219; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007220; classtype:web-application-attack; sid:2007220; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007221; classtype:web-application-attack; sid:2007221; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; content:"/admin/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007222; classtype:web-application-attack; sid:2007222; rev:7;)
#
# ---------------------------------------------------------------------------
# ClickTech Click Blog, CVE-2006-6189: displayCalendar.asp, parameter "date"
# (sids 2007223-2007228)
# ---------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date SELECT"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007223; classtype:web-application-attack; sid:2007223; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UNION SELECT"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007224; classtype:web-application-attack; sid:2007224; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date INSERT"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007225; classtype:web-application-attack; sid:2007225; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date DELETE"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007226; classtype:web-application-attack; sid:2007226; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ASCII"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007227; classtype:web-application-attack; sid:2007227; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE"; flow:established,to_server; content:"/displayCalendar.asp?"; nocase; http_uri; content:"date="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007228; classtype:web-application-attack; sid:2007228; rev:6;)
#
# ---------------------------------------------------------------------------
# ClickTech Click Gallery, CVE-2006-6187: view_gallery.asp, parameter
# "currentpage" (sid 2007229 onward)
# ---------------------------------------------------------------------------
# The final line of this span is the opening of the next rule, which continues
# on the following line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007229; classtype:web-application-attack; sid:2007229; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- 
view_gallery.asp currentpage UNION SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007230; classtype:web-application-attack; sid:2007230; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage INSERT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007231; classtype:web-application-attack; sid:2007231; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage DELETE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007232; classtype:web-application-attack; sid:2007232; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ASCII"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; 
reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007233; classtype:web-application-attack; sid:2007233; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007234; classtype:web-application-attack; sid:2007234; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007235; classtype:web-application-attack; sid:2007235; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UNION SELECT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007236; classtype:web-application-attack; sid:2007236; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- 
view_gallery.asp gallery_id INSERT"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007237; classtype:web-application-attack; sid:2007237; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id DELETE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007238; classtype:web-application-attack; sid:2007238; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ASCII"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007239; classtype:web-application-attack; sid:2007239; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE"; flow:established,to_server; content:"/view_gallery.asp?"; nocase; http_uri; content:"gallery_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; 
reference:url,doc.emergingthreats.net/2007240; classtype:web-application-attack; sid:2007240; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id SELECT"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007241; classtype:web-application-attack; sid:2007241; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UNION SELECT"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007242; classtype:web-application-attack; sid:2007242; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id INSERT"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007243; classtype:web-application-attack; sid:2007243; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id DELETE"; flow:established,to_server; 
content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007244; classtype:web-application-attack; sid:2007244; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ASCII"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007245; classtype:web-application-attack; sid:2007245; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE"; flow:established,to_server; content:"/download_image.asp?"; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007246; classtype:web-application-attack; sid:2007246; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007247; 
classtype:web-application-attack; sid:2007247; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UNION SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007248; classtype:web-application-attack; sid:2007248; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage INSERT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007249; classtype:web-application-attack; sid:2007249; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage DELETE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007250; classtype:web-application-attack; sid:2007250; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ASCII"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; 
content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007251; classtype:web-application-attack; sid:2007251; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007252; classtype:web-application-attack; sid:2007252; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007253; classtype:web-application-attack; sid:2007253; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UNION SELECT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007254; classtype:web-application-attack; sid:2007254; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby INSERT"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007255; classtype:web-application-attack; sid:2007255; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby DELETE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007256; classtype:web-application-attack; sid:2007256; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ASCII"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007257; classtype:web-application-attack; sid:2007257; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; 
reference:url,doc.emergingthreats.net/2007258; classtype:web-application-attack; sid:2007258; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage SELECT"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007259; classtype:web-application-attack; sid:2007259; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UNION SELECT"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007260; classtype:web-application-attack; sid:2007260; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage INSERT"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007261; classtype:web-application-attack; sid:2007261; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage DELETE"; flow:established,to_server; 
content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007262; classtype:web-application-attack; sid:2007262; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ASCII"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007263; classtype:web-application-attack; sid:2007263; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE"; flow:established,to_server; content:"/view_recent.asp?"; nocase; http_uri; content:"currentpage="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007264; classtype:web-application-attack; sid:2007264; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007265; classtype:web-application-attack; sid:2007265; rev:5;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; fast_pattern; distance:0; nocase; http_uri; content:"UNION"; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:6;)
# NOTE(review) sid:2007266 (the rule closed on the line above; its "alert tcp" prefix sits at the
# end of the preceding line): unlike the other ClickContact rules it carries no pcre. It chains
# four http_uri content matches with distance:0, so "/default.asp?", "AlphaSort=", "UNION" and
# "SELECT" must occur in that order in the normalized URI, and it pins the fast pattern to
# "AlphaSort=". Anything may sit between UNION and SELECT here, whereas the sibling UNION rules
# (sids 2007272, 2007278) require whitespace via /UNION\s+SELECT/Ui. Presumably a deliberate
# rewrite of this one sid -- confirm, and decide whether the siblings should follow.

# ClickTech ClickContact, default.asp, AlphaSort parameter (CVE-2006-6181 / BID 21302 per the
# rule references). Each rule below alerts on client-to-server traffic of an established flow
# from $EXTERNAL_NET to $HTTP_SERVERS:$HTTP_PORTS when the normalized URI contains, case-
# insensitively, the script path, the parameter name and one SQL keyword; the pcre (U = URI
# buffer, i = caseless) then confirms the keyword pair.
# NOTE(review): the content matches have no distance/within, so the keyword is not tied to the
# AlphaSort value -- it may be anywhere in the URI. Treat the parameter named in msg as a hint
# during triage, not as proof of where the keyword was found.
# NOTE(review): only the URI buffer is inspected; whether default.asp also accepts these
# parameters in a request body is not visible here -- confirm coverage against the application.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007267; classtype:web-application-attack; sid:2007267; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007268; classtype:web-application-attack; sid:2007268; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007269; classtype:web-application-attack; sid:2007269; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007270; classtype:web-application-attack; sid:2007270; rev:6;)

# ClickContact, default.asp, "In" parameter -- same rule shape as the AlphaSort group.
# NOTE(review): content:"In="; nocase is a three-byte match with no requirement for a preceding
# "?" or "&", so it is also satisfied by any parameter whose name merely ends in "in"
# (constructed example: "login="). On a host that serves some other /default.asp this can
# raise the false-positive rate; check which application the sensor actually protects.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007271; classtype:web-application-attack; sid:2007271; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007272; classtype:web-application-attack; sid:2007272; rev:6;)
# The "In" INSERT rule (sid:2007273) opens here; its reference, classtype, sid and rev options
# continue on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; 
reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007273; classtype:web-application-attack; sid:2007273; rev:6;)
# (The line above closes the ClickContact "In" INSERT rule, sid:2007273, which opens on the
# preceding line.)

# ClickTech ClickContact, default.asp, "In" parameter, remaining keywords (CVE-2006-6181 /
# BID 21302 per the rule references). Each rule alerts on client-to-server traffic of an
# established flow from $EXTERNAL_NET to $HTTP_SERVERS:$HTTP_PORTS when the normalized URI
# contains, case-insensitively, the script path, the parameter name and one SQL keyword; the
# pcre (U = URI buffer, i = caseless) confirms the keyword pair.
# NOTE(review): content:"In="; nocase needs no preceding "?" or "&", so any parameter whose
# name ends in "in" satisfies it (constructed example: "login="). The content matches are also
# unordered (no distance/within), so the keyword is not tied to the parameter named in msg.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007274; classtype:web-application-attack; sid:2007274; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007275; classtype:web-application-attack; sid:2007275; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"In="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007276; classtype:web-application-attack; sid:2007276; rev:6;)

# ClickContact, default.asp, orderby parameter.
# NOTE(review) sid:2007277: this is the only rule of the orderby group written with uricontent;
# its five siblings (sids 2007278-2007282) use content + http_uri. Suricata documents uricontent
# as a deprecated equivalent of the http_uri content modifier, so the match itself is the same,
# but the rule should be normalised to `content:"..."; nocase; http_uri;` (with a rev bump) the
# next time it is touched -- confirm against the engine version the sensor runs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby SELECT"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"orderby="; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007277; classtype:web-application-attack; sid:2007277; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007278; classtype:web-application-attack; sid:2007278; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007279; classtype:web-application-attack; sid:2007279; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007280; classtype:web-application-attack; sid:2007280; rev:6;)
# The orderby ASCII rule (sid:2007281) opens here; its remaining options continue on the
# following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"ASCII"; 
nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007281; classtype:web-application-attack; sid:2007281; rev:6;)
# (The line above closes the ClickContact orderby ASCII rule, sid:2007281, which opens on the
# preceding line.)

# ClickTech ClickContact, default.asp, orderby parameter, UPDATE keyword: inbound to
# $HTTP_SERVERS:$HTTP_PORTS, three case-insensitive http_uri content matches (path, parameter
# name, keyword) plus a caseless pcre on the URI buffer confirming UPDATE ... SET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"orderby="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007282; classtype:web-application-attack; sid:2007282; rev:6;)

# Ultimate Survey Pro, index.asp, cat parameter (CVE-2006-6194 per the rule reference).
# NOTE(review) sid:2007283:
#  - written with uricontent, while the neighbouring WEB_SPECIFIC_APPS rules use content +
#    http_uri; Suricata documents uricontent as a deprecated equivalent, so normalise it (with a
#    rev bump) when the rule is next touched -- confirm against the engine version in use.
#  - the pcre opens with ".+", which the other SELECT rules in this file section do not have; it
#    only demands one character before SELECT and looks redundant -- verify before removing.
#  - "/index.asp?" and "cat=" are generic and unordered, and "cat=" needs no preceding "?" or
#    "&", so unrelated applications exposing /index.asp can trigger this sid. Scope it to the
#    hosts that actually run the product if it proves noisy.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007283; classtype:web-application-attack; sid:2007283; rev:4;)

# Downloader.Win32.Agent.cav check-in pattern. Direction is $HOME_NET -> $EXTERNAL_NET, so the
# alert's source address is the internal host that issued the request. The content match
# requires "/ping/" in the URI; the pcre then requires "/ping/", exactly 64 hex characters, "/",
# one or more hex characters, "/" and at least one further hex character. With the i flag the
# explicit A-F range is redundant but harmless.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:5;)

# Virtumonde variant reporting request, also outbound ($HOME_NET -> $EXTERNAL_NET). The rule
# opens here with seven case-insensitive http_uri content matches on "php?" and query-parameter
# names; further content matches and the reference/classtype/sid options continue on the
# following line. None of the matches visible here carries distance/within, so the parameters
# may appear in any order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (2)"; flow:established,to_server; content:"php?"; nocase; http_uri; content:"cmp="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&dn_uid="; nocase; http_uri; content:"&dn_affid="; nocase; http_uri; 
content:"&vm_guid="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&altid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007285; classtype:trojan-activity; sid:2007285; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007288; classtype:web-application-attack; sid:2007288; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007289; classtype:web-application-attack; sid:2007289; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007290; classtype:web-application-attack; sid:2007290; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; 
content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007291; classtype:web-application-attack; sid:2007291; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007292; classtype:web-application-attack; sid:2007292; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; content:"/users.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007293; classtype:web-application-attack; sid:2007293; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007294; classtype:web-application-attack; sid:2007294; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection 
Attempt -- status.asp id UNION SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007295; classtype:web-application-attack; sid:2007295; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id INSERT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007296; classtype:web-application-attack; sid:2007296; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id DELETE"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007297; classtype:web-application-attack; sid:2007297; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ASCII"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007298; classtype:web-application-attack; sid:2007298; rev:6;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007299; classtype:web-application-attack; sid:2007299; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007300; classtype:web-application-attack; sid:2007300; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UNION SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007301; classtype:web-application-attack; sid:2007301; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id INSERT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; 
reference:url,doc.emergingthreats.net/2007302; classtype:web-application-attack; sid:2007302; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id DELETE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007303; classtype:web-application-attack; sid:2007303; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ASCII"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007304; classtype:web-application-attack; sid:2007304; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007305; classtype:web-application-attack; sid:2007305; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; 
reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007306; classtype:web-application-attack; sid:2007306; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UNION SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007307; classtype:web-application-attack; sid:2007307; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id INSERT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007308; classtype:web-application-attack; sid:2007308; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id DELETE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007309; classtype:web-application-attack; sid:2007309; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ASCII"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; 
http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007310; classtype:web-application-attack; sid:2007310; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007311; classtype:web-application-attack; sid:2007311; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007312; classtype:web-application-attack; sid:2007312; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UNION SELECT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007313; classtype:web-application-attack; sid:2007313; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL 
Injection Attempt -- forgotpass.asp uid INSERT"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007314; classtype:web-application-attack; sid:2007314; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid DELETE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007315; classtype:web-application-attack; sid:2007315; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ASCII"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007316; classtype:web-application-attack; sid:2007316; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE"; flow:established,to_server; content:"/forgotpass.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007317; classtype:web-application-attack; sid:2007317; rev:6;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007318; classtype:web-application-attack; sid:2007318; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UNION SELECT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007319; classtype:web-application-attack; sid:2007319; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid INSERT"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007320; classtype:web-application-attack; sid:2007320; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid DELETE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; 
reference:url,doc.emergingthreats.net/2007321; classtype:web-application-attack; sid:2007321; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ASCII"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007322; classtype:web-application-attack; sid:2007322; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE"; flow:established,to_server; content:"/inout/update.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007323; classtype:web-application-attack; sid:2007323; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007324; classtype:web-application-attack; sid:2007324; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UNION SELECT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UNION"; nocase; http_uri; 
pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007325; classtype:web-application-attack; sid:2007325; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid INSERT"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007326; classtype:web-application-attack; sid:2007326; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid DELETE"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007327; classtype:web-application-attack; sid:2007327; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ASCII"; flow:established,to_server; content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007328; classtype:web-application-attack; sid:2007328; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE"; flow:established,to_server; 
content:"/inout/status.asp?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007329; classtype:web-application-attack; sid:2007329; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id SELECT"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007330; classtype:web-application-attack; sid:2007330; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UNION SELECT"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007331; classtype:web-application-attack; sid:2007331; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id INSERT"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007332; classtype:web-application-attack; sid:2007332; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp 
id DELETE"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007333; classtype:web-application-attack; sid:2007333; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ASCII"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007334; classtype:web-application-attack; sid:2007334; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE"; flow:established,to_server; content:"/details.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007335; classtype:web-application-attack; sid:2007335; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007336; classtype:web-application-attack; sid:2007336; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid 
UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007337; classtype:web-application-attack; sid:2007337; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007338; classtype:web-application-attack; sid:2007338; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007339; classtype:web-application-attack; sid:2007339; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007340; classtype:web-application-attack; sid:2007340; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection 
Attempt -- index.php pageid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007341; classtype:web-application-attack; sid:2007341; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007344; classtype:web-application-attack; sid:2007344; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UNION SELECT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007345; classtype:web-application-attack; sid:2007345; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID INSERT"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007346; classtype:web-application-attack; sid:2007346; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- 
index.asp tID DELETE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007347; classtype:web-application-attack; sid:2007347; rev:6;)
# JiRos FAQ Manager, CVE-2006-6149: index.asp, parameter tID.
# Shape shared by the rules below: established client-to-server traffic from
# $EXTERNAL_NET to $HTTP_SERVERS on $HTTP_PORTS; three case-insensitive URI
# matches (script path, parameter name, one SQL keyword); then a pcre on the
# URI buffer (U), ignoring case (i), that confirms the keyword pair.
# Triage: the content matches carry no distance/within, so the keyword is not
# tied to the parameter's value, and only the URI is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID ASCII"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007348; classtype:web-application-attack; sid:2007348; rev:6;)
# The UPDATE variant also requires the literal "SET" as a URI content match
# before the pcre runs; the sibling rules leave the second keyword to the pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE"; flow:established,to_server; content:"/index.asp?"; nocase; http_uri; content:"tID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007349; classtype:web-application-attack; sid:2007349; rev:6;)
# JiRos Links Manager, CVE-2006-6147: openlink.asp, parameter LinkID.
# One rule per SQL keyword pair: SELECT..FROM, UNION SELECT, INSERT..INTO,
# DELETE..FROM, ASCII(..SELECT, UPDATE..SET.
# `.+` accepts any run of characters between the two keywords, so a long URI
# that merely contains both words also matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID SELECT"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007350; classtype:web-application-attack; sid:2007350; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UNION SELECT"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007351; classtype:web-application-attack; sid:2007351; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID INSERT"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007352; classtype:web-application-attack; sid:2007352; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID DELETE"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007353; classtype:web-application-attack; sid:2007353; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID ASCII"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007354; classtype:web-application-attack; sid:2007354; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE"; flow:established,to_server; content:"/openlink.asp?"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007355; classtype:web-application-attack; sid:2007355; rev:6;)
# JiRos Links Manager, CVE-2006-6147: viewlinks.asp, parameter CategoryID.
# Same six keyword variants as the openlink.asp group.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID SELECT"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007356; classtype:web-application-attack; sid:2007356; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UNION SELECT"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007357; classtype:web-application-attack; sid:2007357; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID INSERT"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007358; classtype:web-application-attack; sid:2007358; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID DELETE"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007359; classtype:web-application-attack; sid:2007359; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID ASCII"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007360; classtype:web-application-attack; sid:2007360; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE"; flow:established,to_server; content:"/viewlinks.asp?"; nocase; http_uri; content:"CategoryID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007361; classtype:web-application-attack; sid:2007361; rev:6;)
# NOTE(review): the next rule is cut by a line break in this copy of the file;
# its remaining options resume on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch SELECT"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; 
reference:url,doc.emergingthreats.net/2007362; classtype:web-application-attack; sid:2007362; rev:6;)
# Link Exchange Lite, CVE-2006-6132: linkslist.asp, parameter psearch.
# Each rule: established client-to-server traffic from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS; case-insensitive URI matches for the script
# path, the parameter name and one SQL keyword; then a pcre on the URI buffer
# (U), ignoring case (i), confirming the keyword pair.
# Only the URI is inspected, and the keyword is not tied to the parameter's
# value (no distance/within between the content matches).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch INSERT"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007363; classtype:web-application-attack; sid:2007363; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UNION SELECT"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007364; classtype:web-application-attack; sid:2007364; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch DELETE"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007365; classtype:web-application-attack; sid:2007365; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ASCII"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007366; classtype:web-application-attack; sid:2007366; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE"; flow:established,to_server; content:"/linkslist.asp?"; nocase; http_uri; content:"psearch="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007367; classtype:web-application-attack; sid:2007367; rev:6;)
# Link Exchange Lite, CVE-2006-6132: search.asp.
# These six rules carry no parameter-name match: the path plus a keyword pair
# anywhere in the URI is enough to alert. NOTE(review): free-text search terms
# look like a probable false-positive source; check local traffic before
# reading a hit as specific to this application.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007368; classtype:web-application-attack; sid:2007368; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007369; classtype:web-application-attack; sid:2007369; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007370; classtype:web-application-attack; sid:2007370; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007371; classtype:web-application-attack; sid:2007371; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007372; classtype:web-application-attack; sid:2007372; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007373; classtype:web-application-attack; sid:2007373; rev:6;)
# NOTE(review): the next rule is cut by a line break in this copy of the file;
# its remaining options resume on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which SELECT"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; 
uricontent:"which="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007374; classtype:web-application-attack; sid:2007374; rev:4;)
# fipsGallery, CVE-2006-6117: index1.asp, parameter which.
# Each rule: established client-to-server traffic from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS; case-insensitive uricontent matches for the
# script path, the parameter name and one SQL keyword; then a pcre on the URI
# buffer (U), ignoring case (i), confirming the keyword pair.
# These rules use `uricontent`, where other rules in this file use `content`
# with `http_uri`. NOTE(review): confirm the deployed engine version still
# accepts uricontent.
# The leading `.+` in each pcre only demands one character before the keyword;
# with the script path already matched it appears redundant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UNION SELECT"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007375; classtype:web-application-attack; sid:2007375; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which INSERT"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007376; classtype:web-application-attack; sid:2007376; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which DELETE"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007377; classtype:web-application-attack; sid:2007377; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which ASCII"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007378; classtype:web-application-attack; sid:2007378; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE"; flow:established,to_server; uricontent:"/index1.asp?"; nocase; uricontent:"which="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007379; classtype:web-application-attack; sid:2007379; rev:4;)
# fipsForum, CVE-2006-6116: default2.asp, parameter kat.
# Same six keyword variants and the same uricontent + pcre shape as above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat SELECT"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007380; classtype:web-application-attack; sid:2007380; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UNION SELECT"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007381; classtype:web-application-attack; sid:2007381; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat INSERT"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007382; classtype:web-application-attack; sid:2007382; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat DELETE"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007383; classtype:web-application-attack; sid:2007383; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat ASCII"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007384; classtype:web-application-attack; sid:2007384; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE"; flow:established,to_server; uricontent:"/default2.asp?"; nocase; uricontent:"kat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007385; classtype:web-application-attack; sid:2007385; rev:4;)
# fipsCMS, CVE-2006-6115: index.asp, parameter fid.
# Same shape again; "/index.asp?" is also the path matched by other rules in
# this file (for example sids 2007348 and 2007349), so the parameter name is
# what separates the families.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007386; classtype:web-application-attack; sid:2007386; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UNION SELECT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007387; classtype:web-application-attack; sid:2007387; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid INSERT"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007388; classtype:web-application-attack; sid:2007388; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid DELETE"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007389; classtype:web-application-attack; sid:2007389; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid ASCII"; flow:established,to_server; uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007390; classtype:web-application-attack; sid:2007390; rev:4;)
# NOTE(review): the next rule is cut by a line break in this copy of the file;
# its remaining options resume on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE"; flow:established,to_server; 
uricontent:"/index.asp?"; nocase; uricontent:"fid="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007391; classtype:web-application-attack; sid:2007391; rev:4;)
# Alan Ward A-Cart Pro, CVE-2006-6111: product.asp, parameter productid.
# Each rule: established client-to-server traffic from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS; case-insensitive URI matches for the script
# path, the parameter name and one SQL keyword; then a pcre on the URI buffer
# (U), ignoring case (i), confirming the keyword pair.
# Only the URI is inspected, and the keyword is not tied to the parameter's
# value (no distance/within between the content matches).
# sid 2007392 is at rev:8; the other rules in this group are at rev:6.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid SELECT"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007392; classtype:web-application-attack; sid:2007392; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UNION SELECT"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007393; classtype:web-application-attack; sid:2007393; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid INSERT"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007394; classtype:web-application-attack; sid:2007394; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid DELETE"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007395; classtype:web-application-attack; sid:2007395; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ASCII"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007396; classtype:web-application-attack; sid:2007396; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE"; flow:established,to_server; content:"/product.asp?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007397; classtype:web-application-attack; sid:2007397; rev:6;)
# Alan Ward A-Cart Pro, CVE-2006-6111: search.asp, parameter search.
# Other rules in this file also key on "/search.asp?" (for example sids
# 2007368-2007373, which have no parameter-name match), so one request can
# raise alerts under more than one application name; treat the msg text as a
# hint about the target application, not as identification.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007398; classtype:web-application-attack; sid:2007398; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UNION SELECT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007399; classtype:web-application-attack; sid:2007399; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search INSERT"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007400; classtype:web-application-attack; sid:2007400; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search DELETE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007401; classtype:web-application-attack; sid:2007401; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ASCII"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007402; classtype:web-application-attack; sid:2007402; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE"; flow:established,to_server; content:"/search.asp?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007403; classtype:web-application-attack; sid:2007403; rev:6;)
# HIOX Star Rating System Script (HSRS), CVE-2006-6155: addrating.php,
# parameter ipadd. Same content + pcre shape as the groups above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007404; classtype:web-application-attack; sid:2007404; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UNION SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007405; classtype:web-application-attack; sid:2007405; rev:6;)
# NOTE(review): the next rule is cut by a line break in this copy of the file;
# its remaining options resume on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd INSERT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007406; 
classtype:web-application-attack; sid:2007406; rev:6;)
# HIOX Star Rating System Script (HSRS), CVE-2006-6155: addrating.php,
# parameter ipadd (DELETE, ASCII and UPDATE variants).
# Each rule: established client-to-server traffic from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS; case-insensitive URI matches for the script
# path, the parameter name and one SQL keyword; then a pcre on the URI buffer
# (U), ignoring case (i), confirming the keyword pair.
# Only the URI is inspected, and the keyword is not tied to the parameter's
# value (no distance/within between the content matches).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd DELETE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007407; classtype:web-application-attack; sid:2007407; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd ASCII"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007408; classtype:web-application-attack; sid:2007408; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"ipadd="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007409; classtype:web-application-attack; sid:2007409; rev:6;)
# HIOX Star Rating System Script (HSRS), CVE-2006-6155: addrating.php,
# parameter url. Same six keyword variants.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007410; classtype:web-application-attack; sid:2007410; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UNION SELECT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007411; classtype:web-application-attack; sid:2007411; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url INSERT"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007412; classtype:web-application-attack; sid:2007412; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url DELETE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007413; classtype:web-application-attack; sid:2007413; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url ASCII"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007414; classtype:web-application-attack; sid:2007414; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE"; flow:established,to_server; content:"/addrating.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007415; classtype:web-application-attack; sid:2007415; rev:6;)
# vSpin.net Classified System, CVE-2006-6152: cat.asp, parameter cat.
# These rules use `uricontent`, where the rules above use `content` with
# `http_uri`. NOTE(review): confirm the deployed engine version still accepts
# uricontent.
# The leading `.+` in each pcre only demands one character before the keyword;
# with the script path already matched it appears redundant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat SELECT"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007416; classtype:web-application-attack; sid:2007416; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UNION SELECT"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007417; classtype:web-application-attack; sid:2007417; rev:4;)
# NOTE(review): the next rule is cut by a line break in this copy of the file;
# its remaining options resume on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- 
cat.asp cat INSERT"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007418; classtype:web-application-attack; sid:2007418; rev:4;)
# vSpin.net Classified System, CVE-2006-6152: cat.asp, parameter cat
# (DELETE, ASCII and UPDATE variants).
# Each rule: established client-to-server traffic from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS; case-insensitive uricontent matches for the
# script path, the parameter name and one SQL keyword; then a pcre on the URI
# buffer (U), ignoring case (i), confirming the keyword pair.
# Only the URI is inspected, and the keyword is not tied to the parameter's
# value (no distance/within between the uricontent matches).
# NOTE(review): other rules in this file use `content` with `http_uri` instead
# of `uricontent`; confirm the deployed engine version still accepts it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat DELETE"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007419; classtype:web-application-attack; sid:2007419; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat ASCII"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007420; classtype:web-application-attack; sid:2007420; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE"; flow:established,to_server; uricontent:"/cat.asp?"; nocase; uricontent:"cat="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007421; classtype:web-application-attack; sid:2007421; rev:4;)
# vSpin.net Classified System, CVE-2006-6152: search.asp, parameter keyword.
# Other rules in this file also key on "/search.asp?" (for example sids
# 2007368-2007373, which have no parameter-name match), so one request can
# raise alerts under more than one application name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007422; classtype:web-application-attack; sid:2007422; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007423; classtype:web-application-attack; sid:2007423; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007424; classtype:web-application-attack; sid:2007424; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007425; classtype:web-application-attack; sid:2007425; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007426; classtype:web-application-attack; sid:2007426; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"keyword="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007427; classtype:web-application-attack; sid:2007427; rev:4;)
# vSpin.net Classified System, CVE-2006-6152: search.asp, parameter order.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007428; classtype:web-application-attack; sid:2007428; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007429; classtype:web-application-attack; sid:2007429; rev:4;)
# NOTE(review): the next rule is cut by a line break in this copy of the file;
# its remaining options presumably resume on the following line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; 
uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007430; classtype:web-application-attack; sid:2007430; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007431; classtype:web-application-attack; sid:2007431; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007432; classtype:web-application-attack; sid:2007432; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"order="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007433; classtype:web-application-attack; sid:2007433; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"SELECT"; nocase; 
pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007434; classtype:web-application-attack; sid:2007434; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007435; classtype:web-application-attack; sid:2007435; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007436; classtype:web-application-attack; sid:2007436; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007437; classtype:web-application-attack; sid:2007437; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; 
reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007438; classtype:web-application-attack; sid:2007438; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"sort="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007439; classtype:web-application-attack; sid:2007439; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007440; classtype:web-application-attack; sid:2007440; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007441; classtype:web-application-attack; sid:2007441; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; 
reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007442; classtype:web-application-attack; sid:2007442; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007443; classtype:web-application-attack; sid:2007443; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007444; classtype:web-application-attack; sid:2007444; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"menuSelect="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007445; classtype:web-application-attack; sid:2007445; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; 
reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007446; classtype:web-application-attack; sid:2007446; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UNION SELECT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007447; classtype:web-application-attack; sid:2007447; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state INSERT"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007448; classtype:web-application-attack; sid:2007448; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state DELETE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007449; classtype:web-application-attack; sid:2007449; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state ASCII"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6152; 
reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007450; classtype:web-application-attack; sid:2007450; rev:4;)
# vSpin.net Classified System (CVE-2006-6152), search.asp "state" parameter,
# UPDATE ... SET variant. Only the request URI is inspected (uricontent, pcre /U),
# and the pcre does not tie the keywords to the "state" value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE"; flow:established,to_server; uricontent:"/search.asp?"; nocase; uricontent:"state="; nocase; uricontent:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007451; classtype:web-application-attack; sid:2007451; rev:4;)

# BPG-InfoTech Content Management System (CVE-2006-6110), publications_list.asp
# "vjob" parameter.
# From here the rules are written with content + http_uri instead of uricontent,
# and the pcre drops the leading ".+". Both spellings inspect the URI buffer, so
# request bodies remain uninspected.
# NOTE(review): the vSpin rules above still use the older uricontent form;
# consider aligning the two styles when those rules are next revised.

# SELECT ... FROM variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob SELECT"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007452; classtype:web-application-attack; sid:2007452; rev:5;)
# UNION SELECT variant. The pcre requires whitespace between the two keywords
# in the normalised URI, so treat this as a signature for that specific form
# rather than as full coverage of the injection point.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UNION SELECT"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007453; classtype:web-application-attack; sid:2007453; rev:5;)
# INSERT ... INTO variant; the rule below continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob INSERT"; 
flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007454; classtype:web-application-attack; sid:2007454; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob DELETE"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007455; classtype:web-application-attack; sid:2007455; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ASCII"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007456; classtype:web-application-attack; sid:2007456; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE"; flow:established,to_server; content:"/publications_list.asp?"; nocase; http_uri; content:"vjob="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6110; 
reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007457; classtype:web-application-attack; sid:2007457; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID SELECT"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007458; classtype:web-application-attack; sid:2007458; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UNION SELECT"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007459; classtype:web-application-attack; sid:2007459; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID INSERT"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007460; classtype:web-application-attack; sid:2007460; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID DELETE"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007461; classtype:web-application-attack; sid:2007461; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ASCII"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007462; classtype:web-application-attack; sid:2007462; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE"; flow:established,to_server; content:"/publication_view.asp?"; nocase; http_uri; content:"InfoID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007463; classtype:web-application-attack; sid:2007463; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy SELECT"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6109; 
reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007464; classtype:web-application-attack; sid:2007464; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UNION SELECT"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007465; classtype:web-application-attack; sid:2007465; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy INSERT"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007466; classtype:web-application-attack; sid:2007466; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy DELETE"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007467; classtype:web-application-attack; sid:2007467; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ASCII"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"ASCII"; nocase; http_uri; 
pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007468; classtype:web-application-attack; sid:2007468; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE"; flow:established,to_server; content:"/openPolicy.asp?"; nocase; http_uri; content:"policy="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007469; classtype:web-application-attack; sid:2007469; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand SELECT"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007470; classtype:web-application-attack; sid:2007470; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UNION SELECT"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007471; classtype:web-application-attack; sid:2007471; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand INSERT"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; 
http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007472; classtype:web-application-attack; sid:2007472; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand DELETE"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007473; classtype:web-application-attack; sid:2007473; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand ASCII"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007474; classtype:web-application-attack; sid:2007474; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE"; flow:established,to_server; content:"/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007475; classtype:web-application-attack; sid:2007475; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID SELECT"; flow:established,to_server; content:"/activenews_view.asp?"; 
nocase; http_uri; content:"articleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007476; classtype:web-application-attack; sid:2007476; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UNION SELECT"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007477; classtype:web-application-attack; sid:2007477; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID INSERT"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007478; classtype:web-application-attack; sid:2007478; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID DELETE"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007479; classtype:web-application-attack; sid:2007479; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection 
Attempt -- activenews_view.asp articleID ASCII"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007480; classtype:web-application-attack; sid:2007480; rev:6;)
# ActiveNews Manager (CVE-2006-6095), activenews_view.asp "articleID" parameter,
# UPDATE ... SET variant. Only the request URI is inspected (http_uri, pcre /U).
# NOTE(review): this rule has no space after the first "http_uri;", unlike its
# neighbours. Cosmetic only, but worth normalising on the next revision.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE"; flow:established,to_server; content:"/activenews_view.asp?"; nocase; http_uri;content:"articleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007481; classtype:web-application-attack; sid:2007481; rev:6;)

# ActiveNews Manager (CVE-2006-6095), default.asp "page" parameter.
# NOTE(review): "/default.asp?" and "page=" are generic names and nothing in
# these rules ties the request to ActiveNews Manager. Alerts on unrelated
# applications exposing the same path and parameter are likely; scope
# $HTTP_SERVERS or add suppressions before treating hits as product-specific.

# SELECT ... FROM variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007482; classtype:web-application-attack; sid:2007482; rev:6;)
# UNION SELECT variant; the pcre requires whitespace between the two keywords.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007483; classtype:web-application-attack; sid:2007483; rev:6;)
# NOTE(review): the rule that starts below (sid 2007484, continued on the next
# line) is the DELETE variant. This default.asp "page" family has no
# INSERT ... INTO variant between UNION SELECT (sid 2007483) and DELETE, unlike
# the other families in this part of the file. Confirm whether the omission is
# intentional or the variant is defined elsewhere in the ruleset.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007484; classtype:web-application-attack; sid:2007484; rev:6;)
# --- ActiveNews Manager, default.asp "page" parameter (CVE-2006-6095, BID 21167) ---
# Each rule matches an inbound HTTP request ($EXTERNAL_NET -> $HTTP_SERVERS on $HTTP_PORTS,
# client-to-server side of an established flow) whose URI buffer contains the script name,
# the parameter name and a SQL keyword. The pcre (U = URI buffer, i = case-insensitive)
# then requires the keyword pair, e.g. UPDATE ... SET.
# NOTE(review): the content matches carry no distance/within, so the keyword may sit
# anywhere in the URI, not necessarily inside the parameter named in the msg.
# NOTE(review): "/default.asp?" and "page=" look generic; expect hits on unrelated
# applications and confirm the destination runs ActiveNews Manager before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007485; classtype:web-application-attack; sid:2007485; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007486; classtype:web-application-attack; sid:2007486; rev:6;)
# --- ActiveNews Manager, activeNews_categories.asp "catID" parameter (CVE-2006-6094, BID 21167) ---
# Same structure: script name + parameter name + SQL keyword in the URI, then the pcre.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID SELECT"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007487; classtype:web-application-attack; sid:2007487; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UNION SELECT"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007488; classtype:web-application-attack; sid:2007488; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID INSERT"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007489; classtype:web-application-attack; sid:2007489; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID DELETE"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007490; classtype:web-application-attack; sid:2007490; rev:6;)
# NOTE(review): sid 2007491 has no space between "http_uri;" and content:"catID=" —
# appears cosmetic, but it is the only rule here formatted that way.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri;content:"catID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007491; classtype:web-application-attack; sid:2007491; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE"; flow:established,to_server; content:"/activeNews_categories.asp?"; nocase; http_uri; content:"catID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007492; classtype:web-application-attack; sid:2007492; rev:6;)
# --- ActiveNews Manager, activeNews_comments.asp "articleID" parameter (CVE-2006-6094, BID 21167) ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID SELECT"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007493; classtype:web-application-attack; sid:2007493; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UNION SELECT"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007494; classtype:web-application-attack; sid:2007494; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID INSERT"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007495; classtype:web-application-attack; sid:2007495; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID DELETE"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007496; classtype:web-application-attack; sid:2007496; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ASCII"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007497; classtype:web-application-attack; sid:2007497; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE"; flow:established,to_server; content:"/activeNews_comments.asp?"; nocase; http_uri; content:"articleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007498; classtype:web-application-attack; sid:2007498; rev:6;)
# --- ActiveNews Manager, activenews_search.asp "query" parameter (CVE-2006-6094, BID 21167) ---
# The UPDATE variant for this parameter is sid 2007565, placed after the Auto Gallery rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query SELECT"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007499; classtype:web-application-attack; sid:2007499; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UNION SELECT"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007500; classtype:web-application-attack; sid:2007500; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query INSERT"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007501; classtype:web-application-attack; sid:2007501; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query DELETE"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007502; classtype:web-application-attack; sid:2007502; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ASCII"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007503; classtype:web-application-attack; sid:2007503; rev:6;)
# --- 20/20 Auto Gallery, vehiclelistings.asp (CVE-2006-6092, BID 21154) ---
# One rule per (parameter, SQL keyword pattern): SELECT..FROM, UNION SELECT, INSERT..INTO,
# DELETE..FROM, ASCII(..SELECT and UPDATE..SET, for each parameter grouped below.
# Only the request URI is inspected (http_uri / pcre U); a request carrying these
# parameters in its body is not covered by these sids.
# content:"model=", "year=", "vin=" etc. are plain substring matches, so a longer
# parameter name ending in the same text also satisfies them.
# These are attempt signatures: a hit shows the pattern was sent, not that a query ran.
# Triage by confirming the destination serves vehiclelistings.asp and by reviewing the
# server response and application/database logs for the same request.
# parameter: categoryID_list
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007510; classtype:web-application-attack; sid:2007510; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007511; classtype:web-application-attack; sid:2007511; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007512; classtype:web-application-attack; sid:2007512; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007513; classtype:web-application-attack; sid:2007513; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007514; classtype:web-application-attack; sid:2007514; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"categoryID_list="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007515; classtype:web-application-attack; sid:2007515; rev:7;)
# parameter: sale_type
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007516; classtype:web-application-attack; sid:2007516; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007517; classtype:web-application-attack; sid:2007517; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007518; classtype:web-application-attack; sid:2007518; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007519; classtype:web-application-attack; sid:2007519; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007520; classtype:web-application-attack; sid:2007520; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007521; classtype:web-application-attack; sid:2007521; rev:6;)
# parameter: stock_number
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007522; classtype:web-application-attack; sid:2007522; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007523; classtype:web-application-attack; sid:2007523; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007524; classtype:web-application-attack; sid:2007524; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007525; classtype:web-application-attack; sid:2007525; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007526; classtype:web-application-attack; sid:2007526; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"stock_number="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007527; classtype:web-application-attack; sid:2007527; rev:6;)
# parameter: manufacturer
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007528; classtype:web-application-attack; sid:2007528; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007529; classtype:web-application-attack; sid:2007529; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007530; classtype:web-application-attack; sid:2007530; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007531; classtype:web-application-attack; sid:2007531; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007532; classtype:web-application-attack; sid:2007532; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"manufacturer="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007533; classtype:web-application-attack; sid:2007533; rev:6;)
# parameter: model
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007534; classtype:web-application-attack; sid:2007534; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007535; classtype:web-application-attack; sid:2007535; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007536; classtype:web-application-attack; sid:2007536; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007537; classtype:web-application-attack; sid:2007537; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007538; classtype:web-application-attack; sid:2007538; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"model="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007539; classtype:web-application-attack; sid:2007539; rev:6;)
# parameter: vehicleID
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007540; classtype:web-application-attack; sid:2007540; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007541; classtype:web-application-attack; sid:2007541; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007542; classtype:web-application-attack; sid:2007542; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007543; classtype:web-application-attack; sid:2007543; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007544; classtype:web-application-attack; sid:2007544; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007545; classtype:web-application-attack; sid:2007545; rev:7;)
# parameter: year
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007546; classtype:web-application-attack; sid:2007546; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007547; classtype:web-application-attack; sid:2007547; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007548; classtype:web-application-attack; sid:2007548; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007549; classtype:web-application-attack; sid:2007549; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007550; classtype:web-application-attack; sid:2007550; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"year="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007551; classtype:web-application-attack; sid:2007551; rev:7;)
# parameter: vin
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007552; classtype:web-application-attack; sid:2007552; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007553; classtype:web-application-attack; sid:2007553; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007554; classtype:web-application-attack; sid:2007554; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007555; classtype:web-application-attack; sid:2007555; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007556; classtype:web-application-attack; sid:2007556; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vin="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007557; classtype:web-application-attack; sid:2007557; rev:7;)
# parameter: listing_price
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007558; classtype:web-application-attack; sid:2007558; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007559; classtype:web-application-attack; sid:2007559; rev:10;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007560; classtype:web-application-attack; sid:2007560; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007561; classtype:web-application-attack; sid:2007561; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007562; classtype:web-application-attack; sid:2007562; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"listing_price="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007563; classtype:web-application-attack; sid:2007563; rev:7;)
# --- ActiveNews Manager again (BID 21167): sids 2007564 and 2007565 add the INSERT
# variant for default.asp "page" (CVE-2006-6095) and the UPDATE variant for
# activenews_search.asp "query" (CVE-2006-6094) to the keyword sets earlier in this file.
# When tuning or suppressing the ActiveNews rules, include these two sids as well. ---
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007564; classtype:web-application-attack; sid:2007564; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE"; flow:established,to_server; content:"/activenews_search.asp?"; nocase; http_uri; content:"query="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007565;
classtype:web-application-attack; sid:2007565; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.MisleadApp Fake Security Product Install"; flow:established,to_server; content:"GET"; nocase; http_method; content:"hash?http"; nocase; http_uri; pcre:"/\/(ucleaner|udefender|ufixer)\.com\/demo\.php\?/Ui"; reference:url,doc.emergingthreats.net/2007566; classtype:trojan-activity; sid:2007566; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP"; flow:established,to_server; content:".php?code="; nocase; http_uri; content:"&hash="; nocase; http_uri; pcre:"/code=[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}/Ui"; reference:url,doc.emergingthreats.net/2007568; classtype:trojan-activity; sid:2007568; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:trojan-activity; sid:2007570; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo.dam http Update"; flow:established,to_server; content:"/cgi-bin/heartbeat.php"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"&affiliate_id="; nocase; http_uri; content:"&db=1"; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007573; classtype:trojan-activity; sid:2007573; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AntiSpyware) - Likely 
2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:trojan-activity; sid:2007575; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:" 200 Connection established|0d 0a|Proxy-agent|3a| CCProxy "; depth:58; reference:url,www.youngzsoft.net; reference:url,doc.emergingthreats.net/bin/view/Main/2007576; classtype:trojan-activity; sid:2007576; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader Checkin URL (GUID+)"; flow:established,to_server; content:"&version="; nocase; http_uri; content:"&configversion="; nocase; http_uri; content:"GUID="; nocase; http_uri; content:"&cmd="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&x="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007577; classtype:trojan-activity; sid:2007577; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; content:"User-Agent|3a| vikiller ctrl"; nocase; http_header; reference:url,doc.emergingthreats.net/2007582; classtype:trojan-activity; sid:2007582; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN iebar Spyware User Agent (iebar)"; flow:established,to_server; content:"|3b 20|iebar"; http_header; fast_pattern:only; threshold: type limit, count 2, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2007583; classtype:trojan-activity; sid:2007583; rev:15;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; 
content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; reference:url,doc.emergingthreats.net/bin/view/Main/2007584; classtype:misc-attack; sid:2007584; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader or Virut C&C Ack"; flow:established,to_server; content:"uid="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&actionname="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&success="; nocase; http_uri; content:"&debug="; nocase; http_uri; content:"&nocache="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007587; classtype:trojan-activity; sid:2007587; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon URL Infection Checkin Detected"; flow:established,to_server; content:"?mac="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&user="; nocase; http_uri; content:"&md5="; nocase; http_uri; content:"&pc="; nocase; http_uri; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,doc.emergingthreats.net/2007592; classtype:trojan-activity; sid:2007592; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:trojan-activity; sid:2007593; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"User-Agent|3a| Mz|0d 0a|"; http_header; 
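reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:7;)
# sid 2007595 - Downloader.Dluca check-in. Each parameter name is matched
# case-insensitively in the request URI buffer. "&OSInfo2=" was the only match
# without http_uri, so it was evaluated against the raw payload rather than the
# URI like its thirteen siblings; it now uses the same buffer. This is a local
# change to a published rule: replay a known-good sample capture before
# deploying and track the change in your rule-management process.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Dluca HTTP Checkin"; flow:established,to_server; content:"?id={"; nocase; http_uri; content:"&srv="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&docid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&cstate="; nocase; http_uri; content:"&state="; nocase; http_uri; content:"&flash="; nocase; http_uri; content:"&pin="; nocase; http_uri; content:"&OSInfo2="; nocase; http_uri; content:"&cinfo="; nocase; http_uri; content:"&smd="; nocase; http_uri; content:"&rts="; nocase; http_uri; content:"&retryattempt="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007595; classtype:trojan-activity; sid:2007595; rev:5;)
# sids 2007597-2007599 - NewWeb/Sudui.com. Case-insensitive match on the start
# of the User-Agent header value. None of the three anchors the end of the
# header with CRLF, so any agent string that begins with the same text matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; content:"User-Agent|3a| B Register"; nocase; http_header; reference:url,doc.emergingthreats.net/2007597; classtype:trojan-activity; sid:2007597; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; content:"User-Agent|3a| updatesodui"; nocase; http_header; reference:url,doc.emergingthreats.net/2007598; classtype:trojan-activity; sid:2007598; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; content:"User-Agent|3a| aaaabbb"; nocase; http_header; reference:url,doc.emergingthreats.net/2007599; classtype:trojan-activity; sid:2007599; rev:7;)
# TryMedia rule: its text continues on the next line of this listing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; content:"User-Agent|3a| 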
TryMedia_DM_"; nocase; http_header; reference:url,doc.emergingthreats.net/2007600; classtype:trojan-activity; sid:2007600; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:trojan-activity; sid:2007601; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET TROJAN Win32.Agent.bea C&C connection"; flow:to_server,established; dsize:24; content:"|9a 02 06 00|"; depth:4; reference:url,doc.emergingthreats.net/2007608; classtype:trojan-activity; sid:2007608; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.qh/xSock User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| xSock Config"; http_header; nocase; reference:url,doc.emergingthreats.net/2007609; classtype:trojan-activity; sid:2007609; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:trojan-activity; sid:2007610; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 
(msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007611; classtype:trojan-activity; sid:2007611; rev:8;)
# sids 2007611 (ends on the line above) and 2007612 - outbound SMTP on port 25.
# First match: an X-Priority header (1 or 3) immediately followed by an
# "X-Library: Indy " header. Second match: CRLF CRLF "." CRLF, i.e. the end of
# the headers followed directly by the SMTP end-of-data marker, which is what
# makes this an empty-body message. within:30 bounds that second match to the
# 30 bytes after "Indy ", so the rest of the X-Library value must fit in it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007612; classtype:trojan-activity; sid:2007612; rev:8;)
# sids 2007613 and 2007614 - same header pair, then CRLF "MAC......." within 20
# bytes. In a content match "." is a literal byte, not a wildcard, so this only
# matches "MAC" (any case) followed by seven period characters.
# NOTE(review): if the seven bytes after "MAC" were meant to be arbitrary, the
# match needs a pcre instead; confirm the intent against a sample message.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007613; classtype:trojan-activity; sid:2007613; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007614; classtype:trojan-activity; sid:2007614; rev:7;)
# sid 2007616 - User-Agent whose value is a brace-wrapped GUID (8-4-4-4-12 hex
# digits). The pcre runs on the header buffer and is case-insensitive, so
# upper-case hex matches too. The two negated header matches exclude requests
# to directory.gladinet.com and to hosts ending in ff.avast.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS klm123.com Spyware User Agent"; flow:established,to_server; content:"User-Agent|3a| {"; http_header; content:!"Host|3a| directory.gladinet.com|0d 0a|"; http_header; content:!"ff.avast.com|0d 0a|"; http_header; pcre:"/User-Agent\x3a \{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/iH"; reference:url,doc.emergingthreats.net/2007616; classtype:trojan-activity; sid:2007616; rev:11;)
# The next rule's msg string continues on the following line of this listing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; content:"User-Agent|3a| VirusProtectPro"; http_header; reference:url,doc.emergingthreats.net/2007617; classtype:trojan-activity; sid:2007617; rev:7;) alert icmp any any -> any any (msg:"ET TROJAN Storm Worm ICMP DDOS Traffic"; itype:8; icode:0; dsize:32; content:"abcdefghijklmnopqr|00 00|"; depth:22; threshold:type both, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2007618; classtype:trojan-activity; sid:2007618; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; 
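http_uri; content:"POST"; http_method; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:6;)
# sid 2007631 (Hyves Message Submit, rule text ends on the line above): a
# second, identical content:"/messages/"; http_uri; pair was dropped. Two
# non-relative matches of the same string on the same buffer add no constraint,
# so the set of matching requests is unchanged. "postman_secret" carries no
# buffer modifier and is therefore still matched against the raw payload.
# sid 2007633 - User-Agent beginning with "Ismazo", case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; content:"User-Agent|3a| Ismazo"; http_header; nocase; reference:url,doc.emergingthreats.net/2007633; classtype:trojan-activity; sid:2007633; rev:8;)
# sid 2007638 - policy rule: User-Agent beginning with "WmpHostInternetConnection".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; content:"User-Agent|3a| WmpHostInternetConnection"; http_header; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:4;)
# sid 2007642 - POST to /chkvs.php with a colon-separated, MAC-address-shaped
# "mac" value. Both the content match and the pcre require the value to start
# with "0", so a value with any other leading character does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:trojan-activity; sid:2007642; rev:6;)
# sid 2007643 - User-Agent beginning with "viruscheck", case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; content:"User-Agent|3a| viruscheck"; nocase; http_header; reference:url,doc.emergingthreats.net/2007643; classtype:trojan-activity; sid:2007643; rev:8;)
# sid 2007644 - Win32.Agent.cah check-in, URI parameters only. "&tm=201" pins
# the first three characters of the tm value.
# NOTE(review): if tm carries a date, values outside that prefix will not
# match; confirm against a sample. Rule text continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cah Checkin Request"; flow:established,to_server; content:"?v="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&r1="; nocase; http_uri; content:"&tm=201"; nocase; http_uri; content:"&av="; nocase; http_uri; content:"&os=Windows"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"cht="; http_uri; reference:url,doc.emergingthreats.net/2007644; 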
classtype:trojan-activity; sid:2007644; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; content:"User-Agent|3a| Ultimate Fixer"; nocase; http_header; reference:url,doc.emergingthreats.net/2007645; classtype:trojan-activity; sid:2007645; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (XXX)"; flow:established,to_server; content:"User-Agent|3a| XXX|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:trojan-activity; sid:2007648; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.1|0d 0a|Accept-Language|3a| "; pcre:"/Accept-Language\: [a-zA-Z0-9]{20}/"; reference:url,doc.emergingthreats.net/2007650; classtype:trojan-activity; sid:2007650; rev:4;) alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; content:"User-Agent|3a| QdrBi Starter|0d 0a|"; nocase; http_header; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:trojan-activity; sid:2007659; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Browser|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007660; classtype:trojan-activity; sid:2007660; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; content:"User-Agent|3a| RAV"; http_header; pcre:"/^User-Agent\x3a RAV\d\.\d\d/Hm"; reference:url,doc.emergingthreats.net/2007661; classtype:trojan-activity; sid:2007661; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.pt User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Machaon|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007663; classtype:trojan-activity; sid:2007663; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; content:"?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri;content:"&v="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"&platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri;content:"&ac="; nocase; http_uri; content:"&appid="; nocase; http_uri; content:"&em="; nocase; http_uri; content:"&pcid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:trojan-activity; sid:2007664; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (install_s)"; flow:established,to_server; content:"User-Agent|3a| install_"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:trojan-activity; sid:2007666; rev:7;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware User-Agent (count)"; flow:established,to_server; content:"User-Agent|3a| count|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:trojan-activity; sid:2007667; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST v1"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?2="; http_uri; content:"&n="; http_uri; content:"&v="; http_uri; content:"&i="; http_uri; content:"&sp="; http_uri; content:"&lcp="; http_uri; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007688; classtype:trojan-activity; sid:2007688; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (??)"; flow:established,to_server; content:"User-Agent|3a| |3f 3f 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007689; classtype:trojan-activity; sid:2007689; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; reference:url,doc.emergingthreats.net/2007690; classtype:trojan-activity; sid:2007690; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Basine Trojan 
Checkin"; flow:established,to_server; dsize:>1000; content:"a="; http_client_body; content:"&b=reported"; fast_pattern; distance:0; within:40; http_client_body; content:"&d=report"; http_client_body; distance:0; within:40; reference:url,doc.emergingthreats.net/2007692; classtype:trojan-activity; sid:2007692; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; content:"User-Agent|3a| BndDriveLoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2007693; classtype:trojan-activity; sid:2007693; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; content:"User-Agent|3a| LmaokaazLdr"; nocase; http_header; reference:url,doc.emergingthreats.net/2007694; classtype:trojan-activity; sid:2007694; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"; content:!"X-Trend-ActiveUpdate"; http_header; content:!"HTTrack"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:21;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softwarereferral.com Adware Checkin"; flow:established,to_server; content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:trojan-activity; sid:2007696; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antivirgear.com Fake Anti-Spyware User-Agent (AntiVirGear)"; flow:established,to_server; content:"User-Agent|3a| AntiVirGear"; nocase; http_header; 
reference:url,doc.emergingthreats.net/2007697; classtype:trojan-activity; sid:2007697; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vanquish Trojan HTTP Checkin"; flow:established,to_server; content:"ip="; http_uri; content:"&v=1&s="; http_uri; content:"&h="; http_uri; content:"&kb="; http_uri; content:"&o="; http_uri; content:"&c="; http_uri; content:"&un="; http_uri; content:"&m="; http_uri; content:"&w="; http_uri; content:"&ss="; http_uri; reference:url,doc.emergingthreats.net/2007698; classtype:trojan-activity; sid:2007698; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; content:"User-Agent|3a| WINDOWS_LOADS"; http_header; reference:url,doc.emergingthreats.net/2007699; classtype:trojan-activity; sid:2007699; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; content:"php?i="; http_uri; content:"&v="; http_uri;content:"&win=Windows"; http_uri; content:"&un="; http_uri; content:"&uv="; http_uri; content:"&s="; http_uri; content:"&onl="; http_uri; content:"&ip="; http_uri; content:"&f="; http_uri; reference:url,doc.emergingthreats.net/2007700; classtype:trojan-activity; sid:2007700; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; flow:established,from_server; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007703; classtype:attempted-user; sid:2007703; rev:8;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; 
distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007704; classtype:attempted-user; sid:2007704; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:11;) alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; classtype:trojan-activity; sid:2007725; rev:6;) alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007726; classtype:trojan-activity; sid:2007726; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P possible torrent download"; flow:to_server,established; content:".torrent"; nocase; http_uri; pcre:"/\.torrent$/Ui"; content:!"mapfactor.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_PROX.AFV POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"=|22|sid|22|"; http_client_body; nocase; content:"=|22|up|22|"; http_client_body; nocase; content:"=|22|wbfl|22|"; http_client_body; nocase; 
content:"=|22|v|22|"; http_client_body; nocase; content:"=|22|ping|22|"; http_client_body; nocase; content:"=|22|guid|22|"; http_client_body; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; reference:url,doc.emergingthreats.net/2007728; classtype:trojan-activity; sid:2007728; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windoss NT"; http_header; fast_pattern:46,11; reference:url,doc.emergingthreats.net/2007742; classtype:trojan-activity; sid:2007742; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"c="; http_uri; content:"&v="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; content:"&cnt="; http_uri; fast_pattern:only; content:"&q="; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d; reference:url,doc.emergingthreats.net/2007743; classtype:trojan-activity; sid:2007743; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"&advid="; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:trojan-activity; sid:2007744; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET GAMES Gold VIP Club Casino Client in Use"; flow:established,to_server; dsize:25; content:"Gold VIP Club Casino"; 
reference:url,doc.emergingthreats.net/2007746; classtype:policy-violation; sid:2007746; rev:5;)

# sid 2007749 - outbound HTTP request whose normalized URI contains both "?udata=" and
# "mission_supgrade:". Neither http_uri content is positioned relative to the other, so the
# two strings may appear in either order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:trojan-activity; sid:2007749; rev:5;)

# sid 2007750 - same "?udata=" URI marker as sid 2007749, paired with "program_started:".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Start Report"; flow:established,to_server; content:"?udata="; http_uri; content:"program_started|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; classtype:trojan-activity; sid:2007750; rev:5;)

# sid 2007751 - first half of a flowbits pair. Matches a client packet to TCP/8080 of fewer
# than 50 bytes whose first 21 bytes are "GET /404.txt HTTP/1.0", then sets ET.saturn.checkin
# on the flow. There is no flowbits:noalert, so this rule raises its own alert as well as
# arming sid 2007752.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Saturn Proxy Initial Outbound Checkin (404.txt)"; flow:established,to_server; dsize:<50; content:"GET /404.txt HTTP/1.0"; depth:21; flowbits:set,ET.saturn.checkin; reference:url,doc.emergingthreats.net/2007751; classtype:trojan-activity; sid:2007751; rev:3;)

# sid 2007752 - second half of the pair: server traffic from port 8080 on a flow where
# ET.saturn.checkin is already set, with status code 200, status message OK and the string
# "Encryption: on\r\n".
# NOTE(review): the "Encryption" content has no http_* modifier, and depth:16 equals the
# pattern length, so it must sit at the very start of the raw payload being inspected.
# Confirm against a capture that the engine in use evaluates this together with the
# http_stat_code/http_stat_msg buffers as intended.
# NOTE(review): engines that bind HTTP inspection to configured ports need 8080 in that
# list for the http_stat_* keywords to be populated - TODO confirm for the deployment.
alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"ET TROJAN Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:trojan-activity; sid:2007752; rev:5;)

# sid 2007753 - 12-byte server packet from port 443: bytes 0-3 are 2d 00 00 00 and, after a
# gap of at least two bytes (distance:2), 00 00 55 00 00 00 follows. With dsize:12 the second
# pattern can only occupy bytes 6-11, so ten of the twelve bytes are fixed. This rule does
# not use the ET.saturn.checkin flowbit.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Saturn Proxy C&C Activity"; flow:established,from_server; dsize:12; content:"|2d 00 00 00|"; offset:0; depth:4; content:"|00 00 55 00 00 00|"; distance:2; reference:url,doc.emergingthreats.net/2007753; classtype:trojan-activity; sid:2007753; rev:3;)

# sid 2007754 - client packet to TCP/20000 of exactly 23 bytes containing "Club World Casinos".
# The rule text is wrapped here and finishes on the next line of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Club World Casino Client in Use"; flow:established,to_server; dsize:23; content:"Club World Casinos"; reference:url,doc.emergingthreats.net/2007754; classtype:policy-violation; sid:2007754; 
rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User Agent"; flow: established,to_server; content:"User-Agent|3a| w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eldorado.BHO User-Agent Detected (netcfg)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| netcfg|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007758; classtype:trojan-activity; sid:2007758; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:trojan-activity; sid:2007759; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CBS Streaming Video"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a|"; nocase; http_header; content:"cbs.com"; nocase; http_header; content:"/innertube/player.php?"; http_uri; reference:url,doc.emergingthreats.net/2007763; classtype:policy-violation; sid:2007763; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|video.nbcuni.com"; nocase; http_header; pcre:"/(\.smil)$/Ui"; reference:url,doc.emergingthreats.net/2007764; classtype:policy-violation; sid:2007764; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET"; http_method; content:"/myrahost/list.aspx?"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:8;) alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; content:"GET"; http_method; content:"/update.logmein.com/"; nocase; http_uri; content:!"Host|3a| "; reference:url,doc.emergingthreats.net/2007766; classtype:policy-violation; sid:2007766; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.7 [en] (WinNT"; http_header; fast_pattern:20,15; reference:url,doc.emergingthreats.net/2007767; classtype:trojan-activity; sid:2007767; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes Update Detected"; flow:established,to_server; content:".php?wm="; nocase; http_uri; content:"&ucid="; nocase; http_uri; content:"&e="; http_uri; reference:url,doc.emergingthreats.net/2007768; classtype:trojan-activity; sid:2007768; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zhelatin Update Detected"; flow:established,to_server; content:".php?l="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&rvz1="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007769; classtype:trojan-activity; sid:2007769; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tear Application User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Tear Application|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007770; classtype:trojan-activity; sid:2007770; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer (compatible))"; flow:to_server,established; 
content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; classtype:trojan-activity; sid:2007772; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/tba/"; nocase; http_uri; content:"guid="; http_client_body; content:"&version="; http_client_body; content:"&clientid="; http_client_body; content:"&time="; http_client_body; content:"&idle="; http_client_body; content:"&ticksBoot="; http_client_body; reference:url,doc.emergingthreats.net/2007774; classtype:trojan-activity; sid:2007774; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"action="; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN User-agent DownloadNetFile Win32.small.hsh downloader"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3A| DownloadNetFile|0D 0A|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007778; classtype:trojan-activity; sid:2007778; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate)"; flow:established,to_server; content:"User-Agent|3a| kpangupdate|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007779; classtype:trojan-activity; sid:2007779; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Ssppyy.com Surveillance Agent Reporting via Email"; flow:established,to_server; content:"|0d 0a|Subject|3a| SSPPYY notification|0d 0a|X=Mailer|3a| Mail|0d 0a|"; content:"The 
computer you are monitoring has connected online - The module name of"; distance:5; reference:url,doc.emergingthreats.net/2007780; classtype:trojan-activity; sid:2007780; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"User-Agent|3a| PCDoc"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:trojan-activity; sid:2007786; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zhelatin npopup Update Detected"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/server/npopup/"; nocase; http_uri; content:"data="; http_client_body; nocase; content:"&key="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2007787; classtype:trojan-activity; sid:2007787; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Initial Checkin"; flow:established,to_server; content:"/plist.php?uid="; http_uri; content:"Host|3a| "; http_header; content:"theinstalls.com"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; classtype:trojan-activity; sid:2007788; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Azureus P2P Client User-Agent"; flow:to_server,established; content:"User-Agent|3a| Azureus"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007799; classtype:policy-violation; sid:2007799; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"Server|3a| LimeWire"; nocase; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007800; classtype:policy-violation; sid:2007800; rev:4;) alert tcp any 1024: -> any 1024: (msg:"ET P2P Gnutella TCP Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"200 OK|0d 0a|"; within:15; threshold: type 
both,track by_src,count 5,seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2007801; classtype:policy-violation; sid:2007801; rev:4;) alert tcp any any -> any 21 (msg:"ET SCAN Grim's Ping ftp scanning tool"; flow:to_server,established; content:"PASS "; content:"gpuser@home.com"; within:18; reference:url,archives.neohapsis.com/archives/snort/2002-04/0448.html; reference:url,grimsping.cjb.net; reference:url,doc.emergingthreats.net/2007802; classtype:network-scan; sid:2007802; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"User-Agent|3a| mypcdoc"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:trojan-activity; sid:2007804; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rcash.co.kr Bootup Checkin via HTTP"; flow:established,to_server; content:"/install/Boot.asp?macaddr="; nocase; http_uri; content:"&partner="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007807; classtype:trojan-activity; sid:2007807; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"User-Agent|3a| inetinst|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007808; classtype:trojan-activity; sid:2007808; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:trojan-activity; sid:2007809; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"User-Agent|3a| okcpmgr|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007810; 
classtype:trojan-activity; sid:2007810; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Metajuan trojan checkin"; flow:established,to_server; content:"trafc-2/rfe"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-030112-0714-99; reference:url,doc.emergingthreats.net/2007811; classtype:trojan-activity; sid:2007811; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio.com Related Adware/Spyware User-Agent (HTTP_CONNECT_2)"; flow:established,to_server; content:"User-Agent|3a| HTTP_Connect_"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; classtype:trojan-activity; sid:2007821; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Densmail.com Related Trojan Checkin"; flow:established,to_server; content:"/cc.php"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&rnd="; http_uri; nocase; pcre:"/v=\d+&rnd=\d/Ui"; reference:url,doc.emergingthreats.net/2007822; classtype:trojan-activity; sid:2007822; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.anv Generally Suspicious User-Agent (CustomExchangeBrowser)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"CustomExchangeBrowser"; http_header; pcre:"/User-Agent\:[^\n]+CustomExchangeBrowser/H"; reference:url,doc.emergingthreats.net/2007824; classtype:trojan-activity; sid:2007824; rev:6;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Neonaby.com Related Trojan User-Agent (neonabyupdate)"; flow:established,to_server; content:"User-Agent|3a| neonabyupdate|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007825; classtype:trojan-activity; sid:2007825; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (API-Guide test program) Used by Several trojans"; flow:established,to_server; content:"User-Agent|3a| API-Guide test program|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007826; classtype:trojan-activity; sid:2007826; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; content:"User-Agent|3a| ie|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007827; classtype:trojan-activity; sid:2007827; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Illusion Bot (Lussilon) Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"?act=online&"; nocase; http_uri; content:"s4="; nocase; http_uri; content:"&s5="; nocase; http_uri; content:"&nickname="; http_uri; content:"msg_out="; http_client_body; depth:8; nocase; reference:url,doc.emergingthreats.net/2007829; classtype:trojan-activity; sid:2007829; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"bot_id="; http_client_body; content:"&build_id="; http_client_body; content:"&sport="; http_client_body; content:"&hport="; http_client_body; content:"&ping="; http_client_body; content:"&speed="; http_client_body; reference:url,doc.emergingthreats.net/2007831; classtype:trojan-activity; sid:2007831; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Theoreon.com Related Trojan 
Checkin"; flow:established,to_server; content:"/firststart.php?pid="; nocase; http_uri; content:"&dt="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007832; classtype:trojan-activity; sid:2007832; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| MSIE 5.5|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007833; classtype:trojan-activity; sid:2007833; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Renos/ssd.com HTTP Checkin"; flow:established,to_server; content:"/dlp.php?"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&ydf="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&w=___"; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&apzx="; nocase; http_uri; content:"&apz="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007834; classtype:trojan-activity; sid:2007834; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related"; flow:established,to_server; content:"POST"; nocase; http_method; content:"?id="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"proc=[System Process]|0d 0a|"; http_client_body; content:"|0d 0a|&size="; http_client_body; reference:url,doc.emergingthreats.net/2007836; classtype:trojan-activity; sid:2007836; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (WinInet)"; flow:established,to_server; content:"User-Agent|3a| WinInet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007837; classtype:trojan-activity; sid:2007837; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf HTTP Checkin (1)"; flow:established,to_server; 
content:"/mydown.asp?"; nocase; http_uri; content:"reg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tgid="; nocase; http_uri; content:"&address="; nocase; http_uri; content:"&mydo="; nocase; http_uri; content:"&flag="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007838; classtype:trojan-activity; sid:2007838; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; content:"User-Agent|3a| DrPCClean"; http_header; reference:url,doc.emergingthreats.net/2007839; classtype:trojan-activity; sid:2007839; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Possible Trojan Downloader Shell"; flow:established,to_server; content:"User-Agent|3a| Shell|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007840; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2007840; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bzub2 Related RPC/Http Checkin"; flow:established,to_server; content:"/rpc.php?a=ftp"; nocase; http_uri; content:"&b="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007843; classtype:trojan-activity; sid:2007843; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Locus "; http_header; reference:url,doc.emergingthreats.net/2007845; classtype:trojan-activity; sid:2007845; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kpang.com Related Trojan User-Agent (alertup)"; flow:established,to_server; content:"User-Agent|3a| alertup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007849; classtype:trojan-activity; sid:2007849; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
MALWARE User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; content:!"smartcom.com|0d 0a|"; http_header; content:!"iscoresports.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:trojan-activity; sid:2007854; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:trojan-activity; sid:2007855; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE System-defender.com Fake AV Install Checkin"; flow:established,to_server; content:"?wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lndid="; nocase; http_uri; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; classtype:trojan-activity; sid:2007856; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; reference:url,doc.emergingthreats.net/2007858; classtype:trojan-activity; sid:2007858; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| microsoft|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:trojan-activity; sid:2007859; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer 6.0|0d 0a|"; http_header; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:trojan-activity; sid:2007860; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:trojan-activity; sid:2007861; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (3)"; flow:established,to_server; content:"a="; offset:0; depth:2; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:trojan-activity; sid:2007862; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; fast_pattern:30,20; content:"tipo="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2007863; classtype:trojan-activity; sid:2007863; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected"; flow:established,to_server; content:"php?mac="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"++++++++"; nocase; http_raw_uri; content:"&ver="; nocase; http_uri; content:"&ie="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007864; classtype:trojan-activity; sid:2007864; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Gadu-Gadu Chat Client Checkin via HTTP"; flow:established,to_server; content:"/appsvc/appmsg"; nocase; http_uri; content:"fmnumber="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&fmt="; nocase; http_uri; content:"&lastmsg="; http_uri; nocase; 
reference:url,doc.emergingthreats.net/2007866; classtype:trojan-activity; sid:2007866; rev:7;)

# sid 2007868 - outbound request whose User-Agent header value is exactly "Firefox": the
# pattern ends in CRLF and has no nocase, so a full browser UA string does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| Firefox|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:trojan-activity; sid:2007868; rev:7;)

# sid 2007869 - User-Agent value beginning with "Vomba". There is no CRLF terminator, so this
# is a prefix match covering any value that starts with that string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; content:"User-Agent|3a| Vomba"; http_header; reference:url,doc.emergingthreats.net/2007869; classtype:trojan-activity; sid:2007869; rev:6;)

# sid 2007870 - POST to a URI containing "/scripts/get_cookie.php" whose body starts with
# "vomba=" (http_client_body, depth:6).
# NOTE(review): only "vomba=" is bound to http_client_body. The six contents after it
# ("&ff=" through "&vinfo=Windows") carry no buffer modifier and no distance/within, so they
# are matched against the raw payload in any order - confirm that is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:trojan-activity; sid:2007870; rev:7;)

# sid 2007874 - inbound to TCP/8800: the payload starts with "GET ", is followed by
# "Authorization:" and then "Basic" (both case-sensitive, raw payload), and the pcre requires
# a Basic credential of 255 or more characters from [a-zA-Z0-9] ending in "==".
# NOTE(review): the character class leaves out "+" and "/" and the "==" suffix is mandatory,
# so the signature is tied to one credential shape. Consider widening the class and making
# the padding optional if the goal is to flag any oversized Basic credential.
# NOTE(review): the two content matches are case-sensitive while the pcre is /i; header
# names are case-insensitive in HTTP, so nocase on both contents would keep them consistent.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Authorization:"; distance:0; content:"Basic"; distance:0; pcre:"/Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007874; classtype:web-application-attack; sid:2007874; rev:7;)

# sid 2007876 - inbound UDP/427 datagram containing "language" and a hex pattern that decodes
# to the ASCII string "ezip://bla/bla?SN=bla?PN=bla?UN=bla".
# NOTE(review): the pattern is one fixed string with placeholder-looking field values, so it
# presumably mirrors a single published test case; requests carrying other field values will
# not match. Treat this rule as narrow coverage of the referenced advisory.
# The rule text is wrapped here and finishes on the next line of the file.
alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; 
reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; classtype:successful-dos; sid:2007876; rev:2;)

# sid 2007877 - inbound to TCP/548: payload contains bytes 12 06 followed by ASCII "AFP3.1",
# plus a pcre for five consecutive alphanumeric characters.
# NOTE(review): the pcre is neither anchored nor relative (no R flag), so any five
# alphanumerics anywhere in the payload satisfy it. The effective signature is the 8-byte
# content alone; expect alerts wherever that version string appears - verify against normal
# traffic to this port before relying on it.
# NOTE(review): classtype is successful-dos, but the rule inspects a to_server request only;
# a match shows an attempt, not that the service was affected.
alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4;)

# sid 2007880 - User-Agent header whose entire value is a single "-" (0x2d followed by CRLF).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (single dash)"; flow:to_server,established; content:"User-Agent|3a| |2d 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:5;)

# sid 2007881 - User-Agent value exactly "HTTP_GET_COMM" (CRLF-terminated, case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; content:"User-Agent|3a| HTTP_GET_COMM|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007881; classtype:trojan-activity; sid:2007881; rev:7;)

# sid 2007882 - User-Agent value exactly "SHINI" (CRLF-terminated, case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; content:"User-Agent|3a| SHINI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007882; classtype:trojan-activity; sid:2007882; rev:7;)

# sid 2007883 - User-Agent value beginning with "VirusHeat". This is a prefix match with no
# CRLF, so it is not limited to the "4.3" version named in the msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; content:"User-Agent|3a| VirusHeat"; http_header; reference:url,doc.emergingthreats.net/2007883; classtype:trojan-activity; sid:2007883; rev:7;)

# sid 2007884 - User-Agent value exactly "Example" (CRLF-terminated, case-sensitive).
# The rule text is wrapped here and finishes on the next line of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Example)"; flow:to_server,established; content:"User-Agent|3a| Example|0d 0a|"; http_header; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:trojan-activity; sid:2007884; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader)"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007889; classtype:web-application-attack; sid:2007889; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list INSERT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007890; classtype:web-application-attack; sid:2007890; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list DELETE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007891; classtype:web-application-attack; sid:2007891; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list 
UPDATE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007892; classtype:web-application-attack; sid:2007892; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id SELECT"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007893; classtype:web-application-attack; sid:2007893; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007894; classtype:web-application-attack; sid:2007894; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id INSERT"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007895; classtype:web-application-attack; sid:2007895; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id DELETE"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; 
content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007896; classtype:web-application-attack; sid:2007896; rev:7;)

# sid 2007897 - inbound request to $HTTP_SERVERS whose normalized URI contains "tree.php?",
# "leaf_id=" and "UPDATE" (all nocase, no ordering between them) and matches UPDATE.+SET.
# NOTE(review): nothing ties the SQL keywords to the leaf_id parameter itself; any URI that
# carries all three strings plus "UPDATE ... SET" anywhere will alert. Only the URI is
# inspected, so a request body is not covered by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE"; flow:established,to_server; content:"tree.php?"; nocase; http_uri; content:"leaf_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007897; classtype:web-application-attack; sid:2007897; rev:8;)

# sid 2007898 - outbound GET for a URI containing "/cs/bux/check.php" (case-sensitive) in a
# request that has no "User-Agent: " header. The missing header is part of the signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sohanad Checkin via HTTP"; flow:established,to_server; content:"GET"; http_method; content:"/cs/bux/check.php"; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007898; classtype:trojan-activity; sid:2007898; rev:6;)

# sid 2007899 - User-Agent value exactly "HTTP_CONNECT" (CRLF-terminated, case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:trojan-activity; sid:2007899; rev:7;)

# sid 2007900 - User-Agent value exactly "auctionplusup" (CRLF-terminated, case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; content:"User-Agent|3a| auctionplusup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007900; classtype:trojan-activity; sid:2007900; rev:6;)

# sid 2007901 - outbound POST whose body contains "TIPO=CLIENTE&NOME=" (nocase), to any
# destination port.
# NOTE(review): the port is "any" but both matches use HTTP buffers (http_method,
# http_client_body). Engines that only parse HTTP on configured ports will evaluate this
# on those ports only - TODO confirm how the deployed engine treats it.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"TIPO=CLIENTE&NOME="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007901; classtype:trojan-activity; sid:2007901; rev:6;)

# Start of a server-to-client rule from $HTTP_PORTS. The text is wrapped inside the msg
# string; the rest of the message and all rule options are on the next line of the file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDecoder VatCtrl 
Class ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; nocase; distance:0; content:"0x40000"; distance:0; content:"Url"; nocase; distance:0; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007903; classtype:web-application-attack; sid:2007903; rev:19;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; content:"User-Agent|3a| HTTPGETDATA|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007908; classtype:trojan-activity; sid:2007908; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTPFILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007909; classtype:trojan-activity; sid:2007909; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTP_FILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007910; classtype:trojan-activity; sid:2007910; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)"; flow:established,to_server; content:"User-Agent|3a| Yhrbg|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007912; classtype:trojan-activity; sid:2007912; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.MC(vf) HTTP Request - Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"mode="; http_uri; content:"&PartID="; http_uri; content:"&mac="; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; fast_pattern:30,20; 
http_header; reference:url,doc.emergingthreats.net/2007913; classtype:trojan-activity; sid:2007913; rev:6;)
# SDBot checkin: Indy Library User-Agent header plus a client body that starts with
# "quem=dodoi&tit=" (first 15 bytes) and contains "&txt=" in the 40 bytes after offset 15.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; content:"quem=dodoi&tit="; depth:15; http_client_body; fast_pattern; content:"&txt="; http_client_body; offset:15; depth:40; reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:4;)
# Dropper-497 (Yumato) initial checkin: payload is exactly the 5 bytes "000\r\n", sent to a
# destination port >= 1024 other than 9997.
# NOTE(review): a 5-byte payload with no other anchor is a generic pattern; expect to tune or
# threshold this rule per environment.
alert tcp $HOME_NET any -> $EXTERNAL_NET [!9997,1024:] (msg:"ET TROJAN Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007917; rev:3;)
# Dropper-497 (Yumato) system stats report: payload starts with |00 00 00 83|.
# NOTE(review): both content:"" options below are empty. An empty content pattern is not a
# valid match and the rule is unlikely to load as written. The original patterns appear to
# have been lost in this copy (the neighbouring content:"<" suggests markup-like strings that
# were stripped). Restore them from the upstream rule file; do not guess the values.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper-497 (Yumato) System Stats Report"; flow:established,to_server; content:"|00 00 00 83|"; depth:4; content:""; content:"<"; distance:0; content:""; content:"<"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007918; rev:2;)
# Dropper-497 (Yumato) server reply: "YUMATO\r\n1234" within the first 12 payload bytes,
# server-to-client from a source port >= 1024.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 Yumato Reply from server"; flow:established,from_server; content:"YUMATO|0d 0a|1234"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007919; rev:2;)
# User-Agent header whose whole value is "Explorer" (terminated by CRLF).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Explorer)"; flow:to_server,established; content:"User-Agent|3a| Explorer|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:trojan-activity; sid:2007921; rev:6;)
# VB.brg C&C checkin: payload begins with the 17 bytes "Status*(Idle...)*".
# The rule text continues on the following line of this file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Checkin"; flow:established,to_server; content:"Status|2a 28|Idle|2e 2e 2e 29 2a|"; depth:17; offset:0; reference:url,doc.emergingthreats.net/2007922; 
classtype:trojan-activity; sid:2007922; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital)"; flow:established,to_server; content:"User-Agent|3a| Digital|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007923; classtype:trojan-activity; sid:2007923; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded)"; flow:established,to_server; content:"User-Agent|3a| downloaded|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007924; classtype:trojan-activity; sid:2007924; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames)"; flow:established,to_server; content:"User-Agent|3a| wnames|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2007925; classtype:trojan-activity; sid:2007925; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; content:"User-Agent|3a| UDonkey|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007927; classtype:trojan-activity; sid:2007927; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; content:"User-Agent|3a| InvokeAd|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007928; classtype:trojan-activity; sid:2007928; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; fast_pattern:19,20; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:trojan-activity; sid:2007929; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:trojan-activity; sid:2007935; rev:6;) alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:trojan-activity; sid:2007938; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (up)"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&MAC="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007939; classtype:trojan-activity; sid:2007939; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.ili HTTP Checkin"; flow:established,to_server; content:"/ctrl/cnt_boot.php?pgv="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007940; classtype:trojan-activity; sid:2007940; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (_)"; flow:to_server,established; content:"User-Agent|3a| _|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; classtype:trojan-activity; sid:2007942; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP)"; flow:to_server,established; 
content:"User-Agent|3a| HTTP|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:trojan-activity; sid:2007943; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"User-Agent|3a| gh20"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:trojan-activity; sid:2007944; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:trojan-activity; sid:2007945; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; classtype:trojan-activity; sid:2007946; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:trojan-activity; sid:2007947; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (double dashes)"; flow:to_server,established; content:"User-Agent|3a| |2d 2d 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:trojan-activity; sid:2007948; rev:8;) alert udp $HOME_NET any -> $EXTERNAL_NET 6990:6999 (msg:"ET TROJAN Medbod UDP Phone Home Packet"; dsize:<50; content:"ebex"; nocase; pcre:"/\x06\x00?$/"; reference:url,doc.emergingthreats.net/2007949; classtype:trojan-activity; sid:2007949; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Possible Infection 
Report Mail - Indy Mail lib and Nome do Computador in Body"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy "; content:"Nome do Computador.."; nocase; distance:0; reference:url,doc.emergingthreats.net/2007950; classtype:trojan-activity; sid:2007950; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; pcre:"/^Host\x3a\x200x[0-9a-f]+\r?$/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:trojan-activity; sid:2007951; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Checkin"; flow:established,to_server; content:"/boot.php/boot.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007952; classtype:trojan-activity; sid:2007952; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Install Report"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007953; classtype:trojan-activity; sid:2007953; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Online Report"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007954; classtype:trojan-activity; sid:2007954; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cygo Checkin"; flow:established,to_server; content:"/count.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007955; 
classtype:trojan-activity; sid:2007955; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; content:"User-Agent|3a| SnoopStick "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; classtype:trojan-activity; sid:2007956; rev:4;) alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker.ike UDP C&C"; content:"|86 71 3b 72 50 61 7d 95 5f 61 46|"; nocase; reference:url,doc.emergingthreats.net/2007957; classtype:trojan-activity; sid:2007957; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:trojan-activity; sid:2007958; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:trojan-activity; sid:2007959; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:to_server,established; content:"User-Agent|3a| wget 3.0|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007961; classtype:trojan-activity; sid:2007961; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Inject.zy Checkin Post"; flow:established,to_server; dsize:8; content:"|16 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/2007966; 
classtype:trojan-activity; sid:2007966; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Perfect Keylogger FTP Initial Install Log Upload"; flow:established,to_server; content:"Congratulations! Perfect Kelogger was successfully installed"; depth:63; reference:url,doc.emergingthreats.net/2007973; classtype:trojan-activity; sid:2007973; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Perfect Keylogger FTP Log Upload"; flow:established,to_server; content:"Log upload date|3a| "; depth:17; content:"|0d 0a|Time|3a| "; within:40; content:"To view DAT files, please do the following steps|3a|"; distance:0; reference:url,doc.emergingthreats.net/2007974; classtype:trojan-activity; sid:2007974; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:trojan-activity; sid:2007977; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:trojan-activity; sid:2007978; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version|28 2a|"; depth:9; offset:0; content:"|29 2a|"; within:8; reference:url,doc.emergingthreats.net/2007979; classtype:trojan-activity; sid:2007979; rev:5;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; 
reference:url,doc.emergingthreats.net/2007980; classtype:trojan-activity; sid:2007980; rev:4;)
# VB.brg kill-command acknowledgement: the 29-byte pattern "Status(*UDP Attack Running!*("
# together with dsize:29 means the pattern is the entire payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge"; flow:established,to_server; dsize:29; content:"Status|28 2a|UDP Attack Running!|2a 28|"; offset:0; reference:url,doc.emergingthreats.net/2007981; classtype:trojan-activity; sid:2007981; rev:4;)
# VB.brg DDoS traffic: payload > 100 bytes starting |ff ff ff ff|, a text marker within the
# next 20 bytes, and a run of thirteen 0x01 bytes anywhere in the payload.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET but the flow option is from_server,
# so this only matches when the internal host is the server side of the TCP session. The
# sibling VB.brg rules pair HOME->EXTERNAL with to_server; confirm whether from_server is
# intended here.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound"; flow:established,from_server; dsize:>100; content:"|ff ff ff ff|"; depth:4; content:" own you bitch!"; within:20; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; reference:url,doc.emergingthreats.net/2007982; classtype:trojan-activity; sid:2007982; rev:3;)
# Generic banker checkin: URI contains ".php?PC=", "&Data=" and "&Mac=" (case-sensitive,
# relative order not enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin"; flow:established,to_server; content:".php?PC="; http_uri; content:"&Data="; http_uri; content:"&Mac="; http_uri; reference:url,doc.emergingthreats.net/2007984; classtype:trojan-activity; sid:2007984; rev:4;)
# Emogen report: URI contains ".asp?", "mac=", "&name=", "&p=" and "&id=" (case-insensitive);
# "mac=" is the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:4;)
# Dropper.Win32.VB.on keylog/system-info report: ordered chain of raw-payload strings
# (each distance:0 after the previous match). The strings are matched as the rule gives them,
# including the spelling "procesor"; do not "correct" them.
# NOTE(review): the reference URL carries no rule ID, unlike the neighbouring rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP"; flow:established,to_server; content:"post================================"; content:"=====|0d 0a|Resource Name "; distance:0; content:"|0d 0a|User Name/Value "; distance:0; content:"*************STEAM PASSWORDS**********"; distance:0; content:"Number of procesor|3a|"; distance:0; reference:url,doc.emergingthreats.net; classtype:trojan-activity; sid:2007987; rev:4;)
alert tcp 
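$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo HTTP Pre-Install Checkin"; flow:established,to_server; content:"/app/preinstall.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007989; classtype:trojan-activity; sid:2007989; rev:3;)
# Vundo post-install checkin: same t_uid/t_pid/t_mac URI parameters as the pre-install rule,
# on /app/install_done.php.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo HTTP Post-Install Checkin"; flow:established,to_server; content:"/app/install_done.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007990; classtype:trojan-activity; sid:2007990; rev:3;)
# User-Agent header whose whole value is "Unknown".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Unknown)"; flow:to_server,established; content:"User-Agent|3a| Unknown|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007991; classtype:trojan-activity; sid:2007991; rev:6;)
# Shark/Codesoft password-stealer mail report on port 25: Subject line, body marker, then an
# attachment filename ending .log" within 20 bytes of the filename=" match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Shark Pass Stealer Email Report"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer "; content:"|0d 0a 0d 0a|Codesoft PW Stealer File "; distance:0; content:"filename=|22|"; distance:0; content:".log|22 0d 0a|"; distance:0; within:20; reference:url,doc.emergingthreats.net/2007992; classtype:trojan-activity; sid:2007992; rev:3;)
# User-Agent header whose value is exactly two spaces.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:trojan-activity; sid:2007993; rev:12;)
# User-Agent header whose value is exactly one space, with a list of negated header strings
# that suppress known-benign senders.
# NOTE(review): ".doubleclick.net" and ".pingstart.com" were the only two host strings in
# this list written as positive matches, which made the rule fire only when BOTH appeared in
# the headers of a single request. They are negated here so they act as exclusions like the
# other entries. Confirm against the upstream rule and bump rev when publishing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_header; content:!"deezer.com|0d 0a|"; http_header; content:!"googlezip.net"; http_header; content:!"metrics.tbliab.net|0d 0a|"; http_header; content:!"dajax.com|0d 0a|"; http_header; content:!"update.eset.com|0d 0a|"; http_header; content:!".sketchup.com|0d 0a|"; http_header; content:!".yieldmo.com|0d 0a|"; http_header; content:!"ping-start.com|0d 0a|"; http_header; content:!".bluekai.com"; http_header; content:!".stockstracker.com"; http_header; content:!".doubleclick.net"; http_header; content:!".pingstart.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:17;)
# Vaccine-program.co.kr checkin: GET for /version/controllerVersion with the Indy Library
# User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern:only; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:trojan-activity; sid:2007995; rev:7;)
# Sears/Kmart "My SHC Community" installer download: GET whose URI contains /CSetup_xp.cab
# (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:trojan-activity; sid:2007996; rev:4;)
# Banker checkin (vit): ".php" in the URI, Indy Library User-Agent, and "vit=", "&bk=",
# "&dados=" matched against the raw payload (no HTTP buffer modifier on those three).
# The rule text continues on the following line of this file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; content:"vit="; nocase; content:"&bk="; nocase; content:"&dados="; fast_pattern; nocase; distance:0; reference:url,doc.emergingthreats.net/2007999; classtype:trojan-activity; 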
sid:2007999; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2008000; classtype:trojan-activity; sid:2008000; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=i&k="; http_client_body; reference:url,doc.emergingthreats.net/2008003; classtype:trojan-activity; sid:2008003; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=c&s="; http_client_body; reference:url,doc.emergingthreats.net/2008004; classtype:trojan-activity; sid:2008004; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload via FTP"; flow:established,to_server; content:"*************CD-Key Pack**************"; content:"|0d 0a|Microsoft Windows Product ID CD Key|3a|"; distance:0; reference:url,doc.emergingthreats.net/2008005; classtype:trojan-activity; sid:2008005; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; content:"/newuser.php?saff="; http_uri; pcre:"/\/newuser\.php\?saff=(\d+|x.+)/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet)"; flow:to_server,established; content:"User-Agent|3a| Internet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; 
classtype:trojan-activity; sid:2008013; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Win95)"; flow:to_server,established; content:"Win95"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Win95/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:trojan-activity; sid:2008015; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:trojan-activity; sid:2008016; rev:3;) alert icmp any any -> any any (msg:"ET TROJAN Philis.J ICMP Sweep (Payload Hello World)"; icode:0; itype:0; dsize:11; content:"Hello,World"; reference:url,vil.nai.com/vil/content/v_141203.htm; reference:url,doc.emergingthreats.net/2008017; classtype:trojan-activity; sid:2008017; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; content:"User-Agent|3a| https|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2008019; classtype:trojan-activity; sid:2008019; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Win32.Socks.s HTTP Post Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"proc=[System Process]|0a|"; http_client_body; reference:url,doc.emergingthreats.net/2008020; classtype:trojan-activity; sid:2008020; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Initial Checkin (ams)"; flow:established,to_server; dsize:3; content:"ams"; 
reference:url,doc.emergingthreats.net/2008021; classtype:trojan-activity; sid:2008021; rev:3;) alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:trojan-activity; sid:2008022; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET TROJAN Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:trojan-activity; sid:2008023; rev:5;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Logs Parse Command (LOGS1)"; flow:established,from_server; dsize:5; content:"LOGS1"; depth:5; reference:url,doc.emergingthreats.net/2008024; classtype:trojan-activity; sid:2008024; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1)"; flow:established,to_server; content:"|08 00 00 00|LOGS1|5b|"; offset:0; depth:10; reference:url,doc.emergingthreats.net/2008025; classtype:trojan-activity; sid:2008025; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Keepalive (BAGLANTI)"; flow:established,to_server; dsize:9; content:"BAGLANTI?"; reference:url,doc.emergingthreats.net/2008026; classtype:trojan-activity; sid:2008026; rev:3;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Browse Drive Command (BROWSC)"; flow:established,from_server; dsize:<100; content:"BROWS"; depth:5; content:"|3a|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2008027; classtype:trojan-activity; sid:2008027; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Browse Drive Command Response (metin)"; flow:established,to_server; content:"|00 00|metin|0d 3a|"; offset:2; depth:11; reference:url,doc.emergingthreats.net/2008028; 
classtype:trojan-activity; sid:2008028; rev:3;)
# Turkojan "nxt" command: server-to-client payload of exactly the 3 bytes "nxt".
# NOTE(review): a 3-byte payload match is generic, and the destination port range 1023:
# differs from the "any" used by the sibling Turkojan rules; confirm both are intended.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET TROJAN Turkojan C&C nxt Command (nxt)"; flow:established,from_server; dsize:3; content:"nxt"; depth:3; reference:url,doc.emergingthreats.net/2008029; classtype:trojan-activity; sid:2008029; rev:4;)
# Turkojan "nxt" response: 16-byte payload starting "nxt" followed by |09 00 00 00|.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET but the flow option is from_server,
# while the message describes a response sent by the infected host. The other Turkojan
# response rules use to_server; confirm the flow direction.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C nxt Command Response (nxt)"; flow:established,from_server; dsize:16; content:"nxt|09 00 00 00|"; depth:7; offset:0; reference:url,doc.emergingthreats.net/2008030; classtype:trojan-activity; sid:2008030; rev:3;)
# Dorf/Win32.Inject.adt C&C, outbound half: 16-byte payload starting "1SCD" + two NUL bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound"; flow:established,to_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008031; classtype:trojan-activity; sid:2008031; rev:3;)
# Dorf/Win32.Inject.adt C&C, inbound half: same 16-byte pattern, server-to-client.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound"; flow:established,from_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008032; classtype:trojan-activity; sid:2008032; rev:3;)
# LDPinch password report over SMTP (ports 25, 587): "Subject: Passes from" plus an
# application/octet-stream part with ".bin" within the following 100 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN LDPinch SMTP Password Report"; flow:established,to_server; content:"Subject|3a| Passes from"; nocase; fast_pattern; content:"application/octet-stream|3b|"; content:".bin"; distance:0; within:100; reference:url,doc.emergingthreats.net/2008034; classtype:trojan-activity; sid:2008034; rev:6;)
# "Mozilla/4.0 (compatible; ICS)" User-Agent, suppressed when the headers contain
# ".iobit.com\r\n" or ".microsoft.com\r\n".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| ICS)"; http_header; fast_pattern:21,20; content:!".iobit.com|0d 0a|"; http_header; content:!".microsoft.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:trojan-activity; sid:2008038; rev:10;)
alert tcp $HOME_NET any -> 
$EXTERNAL_NET 25 (msg:"ET TROJAN Egspy Infection Report Email"; flow:established,to_server; content:"FROM\: EgySpy Victim"; content:"TO|3a| EgySpy User"; distance:0; content:"SUBJECT|3a| E g y S p y KeyLogger"; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008039; classtype:trojan-activity; sid:2008039; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Ssol NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008040; classtype:trojan-activity; sid:2008040; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (c \windows)"; flow:to_server,established; content:"User-Agent|3a| c|3a 5c|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; classtype:trojan-activity; sid:2008043; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (5)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"email="; http_client_body; nocase; content:"&computador="; http_client_body; nocase; distance:0; content:"&nomfile="; http_client_body; nocase; distance:0; content:"&user="; http_client_body; nocase; distance:0; reference:url,doc.emergingthreats.net/2008044; classtype:trojan-activity; sid:2008044; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification)"; flow:to_server,established; content:"User-Agent|3a| RFRudokop "; http_header; reference:url,doc.emergingthreats.net/2008046; classtype:trojan-activity; sid:2008046; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Infection 
Report via HTTP"; flow:established,to_server; content:"/keylogkontrol/"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; classtype:trojan-activity; sid:2008047; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Version 1.23)"; flow:to_server,established; content:"User-Agent|3a| Version "; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; classtype:trojan-activity; sid:2008048; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; content:"/image/logo.jpg?queryid="; http_uri; pcre:"/queryid=\d+$/U"; reference:url,doc.emergingthreats.net/2008049; classtype:trojan-activity; sid:2008049; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dell MyWay Remote control agent"; flow:established,to_server; content:"Referer|3a| http|3a|//dell"; http_header; content:"Host|3a| "; http_header; content:"myway.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/2008051; classtype:not-suspicious; sid:2008051; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Internet Explorer)"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:!"Host|3a| pnrws.skype.com|0d 0a|"; http_header; content:!"iecvlist.microsoft.com"; http_header; content:!".lenovo.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:trojan-activity; sid:2008052; rev:15;) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH 
Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:url,doc.emergingthreats.net/bin/view/Main/2008063; reference:cve,2008-1358; classtype:successful-user; sid:2008063; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:trojan-activity; sid:2008066; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:trojan-activity; sid:2008067; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:trojan-activity; sid:2008069; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Win98"; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\n]+Win98/Hi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008070; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (6)"; 
flow:established,to_server; content:"GET"; nocase; http_method; content:".php?v="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&=w"; http_uri; nocase; reference:url,doc.emergingthreats.net/2008071; classtype:trojan-activity; sid:2008071; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\x3a App\d/Hm"; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo HTTP Post-Install Checkin (2)"; flow:established,to_server; content:"?w="; nocase; http_uri; content:"&ucid="; nocase; http_uri; content:"&e=00"; nocase; http_uri; content:"&err="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008082; classtype:trojan-activity; sid:2008082; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; content:"User-Agent|3a| Mozilla-web"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; classtype:trojan-activity; sid:2008084; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)"; flow: to_server,established; content:"Alexa Toolbar"; http_header; fast_pattern:only; threshold: type limit, count 2, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2008085; classtype:trojan-activity; sid:2008085; rev:17;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daemonize.ft HTTP Checkin"; flow:established,to_server; 
content:".php?v="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&u=00"; nocase; http_uri; content:"&s="; nocase; http_uri; content:"&id="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008086; classtype:trojan-activity; sid:2008086; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; content:"/down"; http_uri; content:"/down/?"; http_uri; content:"s="; http_uri; content:"&t="; http_uri; content:"&v="; http_uri; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; reference:url,doc.emergingthreats.net/2008087; classtype:trojan-activity; sid:2008087; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (7)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?macros="; nocase; http_uri; content:"&botstatus="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008090; classtype:trojan-activity; sid:2008090; rev:5;) alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/\/upnp\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//i"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:5;) alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET SCAN External to Internal UPnP Request udp port 1900"; content:"MSEARCH * HTTP/1.1"; depth:18; content:"MAN|3a| ssdp|3a|"; nocase; 
distance:0; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008094; classtype:attempted-recon; sid:2008094; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (INSTALLER)"; flow:to_server,established; content:"User-Agent|3a| INSTALLER|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; classtype:trojan-activity; sid:2008096; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (IEMGR)"; flow:to_server,established; content:"User-Agent|3a| IEMGR|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; classtype:trojan-activity; sid:2008097; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (GOOGLE)"; flow:to_server,established; content:"User-Agent|3a| GOOGLE|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; classtype:trojan-activity; sid:2008098; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; file_data; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; 
reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Tor Get Server Request"; flow:established,to_server; content:"/tor/server/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008113; classtype:policy-violation; sid:2008113; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Tor Get Status Request"; flow:established,to_server; content:"/tor/status/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008115; classtype:policy-violation; sid:2008115; rev:3;) alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4;) alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; reference:url,doc.emergingthreats.net/2008117; classtype:policy-violation; sid:2008117; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP ACK"; content:"|00 04|"; depth:2; reference:url,doc.emergingthreats.net/2008118; classtype:policy-violation; sid:2008118; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Error Message"; content:"|00 05|"; depth:2; reference:url,doc.emergingthreats.net/2008119; classtype:policy-violation; sid:2008119; rev:3;) alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Username in IRC (XP-..)"; flow:established,to_server; content:"USER XP-"; depth:8; reference:url,doc.emergingthreats.net/2008123; classtype:trojan-activity; sid:2008123; rev:7;) 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:trojan-activity; sid:2008130; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Access Count Tracking URL"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC=0"; nocase; http_uri; pcre:"/MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,doc.emergingthreats.net/2008132; classtype:trojan-activity; sid:2008132; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Count Tracking URL"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC=0"; nocase; http_uri; pcre:"/MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,doc.emergingthreats.net/2008133; classtype:trojan-activity; sid:2008133; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Count Tracking URL (partner)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/partner/counter/install.php?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2008134; reference:url,www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403; classtype:trojan-activity; sid:2008134; rev:7;) alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:trojan-activity; sid:2008135; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Install Report via HTTP"; flow:established,to_server; content:"/control.php?pcad="; nocase; http_uri; content:"&tarih="; nocase; http_uri; content:"&saat="; nocase; http_uri; content:"&veri="; http_uri; reference:url,doc.emergingthreats.net/2008136; classtype:trojan-activity; sid:2008136; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; content:"User-Agent|3a| WinTouch"; http_header; reference:url,doc.emergingthreats.net/2008141; classtype:trojan-activity; sid:2008141; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Corpes.j Infection Report"; flow:established,to_server; content:".php?tma="; http_uri; content:"&mode="; http_uri; pcre:"/mode=\d+D[0-9A-F]{150}/U"; reference:url,doc.emergingthreats.net/2008144; classtype:trojan-activity; sid:2008144; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:trojan-activity; sid:2008145; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:trojan-activity; sid:2008146; rev:6;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (RBR)"; flow:to_server,established; content:"User-Agent|3a| RBR|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; classtype:trojan-activity; sid:2008147; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:trojan-activity; sid:2008148; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008150; classtype:trojan-activity; sid:2008150; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:trojan-activity; sid:2008151; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin URL"; flow:established,to_server; content:"/firstrun.php?product="; nocase; http_uri; content:"&aff="; nocase; http_uri; content:"&update="; nocase; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008152; classtype:trojan-activity; sid:2008152; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; content:".php?hid=NT"; nocase; http_uri; content:"&wp="; nocase; http_uri; 
content:"&sp="; nocase; http_uri; content:"&eep="; nocase; http_uri; content:"&edp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008153; classtype:trojan-activity; sid:2008153; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trats.a Post-Infection Checkin"; flow:established,to_server; content:"AID="; http_uri; content:"GUID="; nocase; http_uri; content:"POST"; depth:4; http_method; content:"|0d 0a|SPK|3a| "; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0) WinNT 5.1|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008155; classtype:trojan-activity; sid:2008155; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (VIP2007)"; flow:established,to_server; content:"User-Agent|3a| VIP20"; http_header; nocase; reference:url,doc.emergingthreats.net/2008156; classtype:trojan-activity; sid:2008156; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Otwycal User-Agent (Downing)"; flow:to_server,established; content:"User-Agent|3a| Downing|0d 0a|"; http_header; 
reference:url,doc.emergingthreats.net/2008159; classtype:trojan-activity; sid:2008159; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; content:"GET"; http_method; content:"/OvCgi/"; nocase; http_uri; content:"/OpenView5.exe?"; nocase; http_uri; content:"Action=../../"; nocase; fast_pattern:only; content:" HTTP/1"; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; reference:url,doc.emergingthreats.net/2008171; classtype:web-application-attack; sid:2008171; rev:10;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; content:"varchar("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2008175; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (exec)"; flow:established,to_server; content:"exec("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008176; classtype:attempted-admin; sid:2008176; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN PRO Search Crawler Probe"; flow:to_server,established; content:"PASS "; nocase; depth:5; content:"crawler"; nocase; within:30; pcre:"/^PASS\s+PRO(-|\s)*search\s+Crawler/smi"; reference:url,sourceforge.net/project/showfiles.php?group_id=149797; reference:url,doc.emergingthreats.net/2008179; classtype:not-suspicious; sid:2008179; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:trojan-activity; sid:2008180; rev:6;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; content:"User-Agent|3a| MS Internet Explorer|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; classtype:trojan-activity; sid:2008181; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL"; flow:established,to_server; content:"GET"; nocase; http_method; content:"a="; nocase; http_uri; content:"&k="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&ucid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008182; classtype:trojan-activity; sid:2008182; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (pid - mac)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2008183; classtype:trojan-activity; sid:2008183; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Installer)"; flow:to_server,established; content:"User-Agent|3a| Installer|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; classtype:trojan-activity; sid:2008184; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Cloaker Related Post Infection Checkin"; flow:established,to_server; content:"/log/proc.php?key="; http_uri; pcre:"/\/log\/proc\.php.key=[a-z0-9]{11}/Ui"; reference:url,doc.emergingthreats.net/2008185; classtype:trojan-activity; sid:2008185; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DirBuster Web App Scan in Progress"; 
flow:to_server,established; content:"User-Agent|3a| DirBuster"; fast_pattern:only; http_header; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; classtype:web-application-attack; sid:2008186; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Paros Proxy Scanner Detected"; flow:to_server,established; content:"Paros/"; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\n]+Paros\//H"; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; classtype:attempted-recon; sid:2008187; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; classtype:trojan-activity; sid:2008189; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:trojan-activity; sid:2008190; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (wmid - ucid)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?a="; nocase; http_uri; content:"&k="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&ucid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008194; classtype:trojan-activity; sid:2008194; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper mdodo.com Related 
Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mdodo"; http_header; reference:url,doc.emergingthreats.net/2008195; classtype:trojan-activity; sid:2008195; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper 6dzone.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| 6dzone|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008196; classtype:trojan-activity; sid:2008196; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:trojan-activity; sid:2008197; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:trojan-activity; sid:2008198; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (QQ)"; flow:to_server,established; content:"User-Agent|3a| QQ|0d 0a|"; http_header; content:!"|0d 0a|Q-UA|3a 20|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE vaccine-program.co.kr Related Spyware User-Agent (vaccine)"; flow:established,to_server; content:"User-Agent|3a| vaccine"; http_header; reference:url,doc.emergingthreats.net/2008200; classtype:trojan-activity; 
sid:2008200; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; content:"User-Agent|3a| Sidebar"; http_header; reference:url,doc.emergingthreats.net/2008201; classtype:trojan-activity; sid:2008201; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:trojan-activity; sid:2008202; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; classtype:trojan-activity; sid:2008203; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:trojan-activity; sid:2008204; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:trojan-activity; sid:2008205; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (TestAgent)"; flow:to_server,established; content:"User-Agent|3a| TestAgent|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; classtype:trojan-activity; sid:2008208; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; 
content:"User-Agent|3a| SERVER"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; classtype:trojan-activity; sid:2008209; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; content:"User-Agent|3a| Mozila"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:trojan-activity; sid:2008210; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WinProxy)"; flow:to_server,established; content:"User-Agent|3a| WinProxy|0d 0a|"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; classtype:trojan-activity; sid:2008211; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; content:"User-Agent|3a| sickness"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; classtype:trojan-activity; sid:2008214; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (up2dash updater)"; flow:to_server,established; content:"User-Agent|3a| up2dash"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; classtype:trojan-activity; sid:2008215; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent 
(NSIS_DOWNLOAD)"; flow:to_server,established; content:"User-Agent|3a| NSIS_DOWNLOAD"; nocase; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; classtype:trojan-activity; sid:2008216; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via HTTP-Email Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"to="; http_client_body; depth:3; content:"Optix Pro v"; http_client_body; content:" Server Online"; http_client_body; reference:url,en.wikipedia.org/wiki/Optix_Pro; reference:url,doc.emergingthreats.net/2008218; classtype:trojan-activity; sid:2008218; rev:5;) alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET TROJAN Looked.P/Gamania/Delf #109/! Style CnC Checkin Response from Server"; flow:established,from_server; dsize:6; content:"#1"; depth:2; content:"/!"; offset:4; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:trojan-activity; sid:2008220; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; content:"User-Agent|3a| bot/"; fast_pattern:only; http_header; nocase; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; content:"User-Agent|3a| Mozilla "; http_header; content:" biz|0d 0a|"; within:15; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; classtype:trojan-activity; sid:2008231; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spambot (often Tibs) Post-Infection 
Checkin (justcount.net likely)"; flow:established,to_server; content:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"; http_uri; reference:url,doc.emergingthreats.net/2008232; classtype:trojan-activity; sid:2008232; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/rpt"; http_uri; content:!"User-Agent|3a| Mozilla"; http_header; content:!".apple.com|0d 0a|"; http_header; content:!".pandora.com|0d 0a|"; http_header; pcre:"/\/rpt\d/U"; reference:url,doc.emergingthreats.net/2008233; classtype:trojan-activity; sid:2008233; rev:15;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake.Googlebar or Softcash.org Related Post-Infection Checkin"; flow:established,to_server; content:"bl="; http_uri; content:"&cuid="; http_uri; content:"&cnid="; http_uri; content:"&luid="; http_uri; content:"&rnd="; http_uri; reference:url,doc.emergingthreats.net/2008236; classtype:trojan-activity; sid:2008236; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pass Stealer FTP Upload"; flow:established,to_server; content:"INFECTADO|0d 0a|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|0d 0a|Computador"; depth:64; reference:url,doc.emergingthreats.net/2008237; classtype:trojan-activity; sid:2008237; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/InboxLight.aspx"; http_uri; depth:21; reference:url,doc.emergingthreats.net/2008238; classtype:policy-violation; sid:2008238; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Message Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/ReadMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008239; 
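classtype:policy-violation; sid:2008239; rev:3;)
# sid:2008240 - policy: GET whose headers contain mail.live.com (case-insensitive) and whose URI contains the webmail compose page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Compose Message Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; nocase; content:"/mail/EditMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008240; classtype:policy-violation; sid:2008240; rev:3;)
# sid:2008242 - policy: GET whose headers contain mail.live.com and whose URI contains /mail/ApplicationMain.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Access Full Mode"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/ApplicationMain"; http_uri; reference:url,doc.emergingthreats.net/2008242; classtype:policy-violation; sid:2008242; rev:3;)
# sid:2008243 - outbound request whose User-Agent header is exactly "EShopee" (CRLF-terminated match).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN my247eshop.com User-Agent"; flow:established,to_server; content:"User-Agent|3a| EShopee|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008243; classtype:trojan-activity; sid:2008243; rev:3;)
# sid:2008244 - outbound request whose URI contains both "ind.php?p=" and "&uid=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBot Phone Home Traffic"; flow:established,to_server; content:"ind.php?p="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008244; classtype:trojan-activity; sid:2008244; rev:4;)
# sid:2008248 - every listed parameter name must appear in the URI for the rule to fire.
# The content after "&id=" is "&param=". The page rendered it as a pilcrow followed by "m=",
# which is what results when "&para" is decoded as an HTML entity. With that literal in place
# the content match fails on real traffic and the rule never alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashout Proxy Bot reg_DST"; flow:to_server,established; content:".php?"; http_uri; content:"lang="; http_uri; content:"&pal="; http_uri; content:"&bay="; http_uri; content:"&gold="; http_uri; content:"&id="; http_uri; content:"&param="; http_uri; content: "&socksport="; http_uri; content:"&httpport="; http_uri; reference:url,doc.emergingthreats.net/2008248; classtype:trojan-activity; sid:2008248; rev:3;)
# sid:2008249 - URI contains ".php?win=", "&id=" and "&lip="; the remaining options of this rule follow on the next line of the page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Knockbot Proxy Checkin"; flow:to_server,established; content:".php?win="; http_uri; content:"&id="; http_uri; content:"&lip="; http_uri; 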
reference:url,doc.emergingthreats.net/2008249; classtype:trojan-activity; sid:2008249; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winspywareprotect.com Fake AV/Anti-Spyware Install Checkin"; flow:established,to_server; content:"/stat.php?func=install&pid="; http_uri; content:"&ip="; http_uri; content:"&landing="; http_uri; reference:url,doc.emergingthreats.net/2008250; classtype:trojan-activity; sid:2008250; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (chek)"; flow:to_server,established; content:"User-Agent|3a| chek|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008253; classtype:trojan-activity; sid:2008253; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (IE)"; flow:to_server,established; content:"User-Agent|3a| IE|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; content:"/envia.php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"praquem="; http_client_body; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:trojan-activity; sid:2008256; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; content:"User-Agent|3a| Nimo Software HTTP"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; classtype:trojan-activity; sid:2008257; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET TROJAN Suspicious User-Agent (AutoHotkey)"; flow:to_server,established; content:"User-Agent|3a| AutoHotkey"; http_header; threshold:type limit,count 2,track by_src,seconds 300; content:!".ahk4.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008259; classtype:trojan-activity; sid:2008259; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Spambot HTTP Checkin"; flow:established,to_server; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&uptime="; http_uri; content:"&cmd="; http_uri; reference:url,doc.emergingthreats.net/2008261; classtype:trojan-activity; sid:2008261; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WebForm 1)"; flow:to_server,established; content:"User-Agent|3a| WebForm"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (opera)"; flow:to_server,established; content:"User-Agent|3a| opera|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; classtype:trojan-activity; sid:2008264; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Zilla)"; flow:to_server,established; content:"User-Agent|3a| Zilla|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; classtype:trojan-activity; sid:2008266; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; content:"/envio.php?"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; 
http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2008267; classtype:trojan-activity; sid:2008267; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DMSpammer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/stat"; http_uri; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; fast_pattern:37,10; content:"x|9c|"; http_client_body; pcre:"/\/stat\d+\.php/U"; reference:url,doc.emergingthreats.net/2008271; classtype:trojan-activity; sid:2008271; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bifrose Connect to Controller"; flow:established,to_server; dsize:<20; content:"|09 00 00 9a|"; depth:4; content:"|cc|"; distance:3; within:4; content:"|74|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008273; classtype:trojan-activity; sid:2008273; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bifrose Response from Controller"; flow:established,from_server; dsize:9; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008274; classtype:trojan-activity; sid:2008274; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (contains loader)"; flow:to_server,established; content:" loader"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+loader/iH"; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes Winifixer.com Related Checkin URL"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?affid="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&tm="; nocase; http_uri; content:"User-Agent|3a| Internet Explorer|0d 0a|"; 
http_header; reference:url,doc.emergingthreats.net/2008277; classtype:trojan-activity; sid:2008277; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZenoSearch Spyware User-Agent"; flow:to_server,established; content:"User-Agent|3a| ["; http_header; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/iH"; reference:url,doc.emergingthreats.net/2008279; classtype:trojan-activity; sid:2008279; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL"; flow:established,to_server; content:".php?"; http_uri; content:"&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2008280; classtype:trojan-activity; sid:2008280; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; content:"?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; fast_pattern:only; http_uri; content:"&err="; http_uri; reference:url,doc.emergingthreats.net/2008282; classtype:trojan-activity; sid:2008282; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"quem="; depth:5; http_client_body; content:"praquem="; http_client_body; fast_pattern; offset:5; nocase; reference:url,doc.emergingthreats.net/2008283; classtype:trojan-activity; sid:2008283; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN RLPacked Binary - Likely Hostile"; flow:from_server,established; content:"|2E 70 61 63 6B 65 64|"; content:"|2E 52 4C 50 61 63 6B|"; within:50; reference:url,rlpack.jezgra.net; reference:url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/; 
reference:url,doc.emergingthreats.net/2008285; classtype:trojan-activity; sid:2008285; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; content:"User-Agent|3a| AsmUpdater"; http_header; reference:url,doc.emergingthreats.net/2008294; classtype:trojan-activity; sid:2008294; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Gadu-Gadu IM Login Server Request"; flow:established,to_server; content:"/appsvc/appmsg"; http_uri; nocase; content:".asp"; http_uri; nocase; content:"fmnumber="; http_uri; content:"&version="; http_uri; content:"&fmt="; http_uri; content:"Host|3a| appmsg.gadu-gadu."; http_header; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008295; classtype:policy-violation; sid:2008295; rev:6;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008297; classtype:policy-violation; sid:2008297; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Client Login Packet"; flowbits:isset,ET.gadu.welcome; flow:established,to_server; dsize:<50; content:"|15 00 00 00|"; depth:4; flowbits:set,ET.gadu.loginsent; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008298; classtype:policy-violation; sid:2008298; rev:3;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; 
flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login Failed Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; dsize:8; content:"|09 00 00 00 00 00 00 00|"; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008300; classtype:policy-violation; sid:2008300; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Server Available Status Packet"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|02 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008301; classtype:policy-violation; sid:2008301; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Send Message"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008302; classtype:policy-violation; sid:2008302; rev:3;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Receive Message"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|0a 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008303; classtype:policy-violation; sid:2008303; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Keepalive PING"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|08 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; 
reference:url,doc.emergingthreats.net/2008304; classtype:policy-violation; sid:2008304; rev:3;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Keepalive PONG"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|07 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008305; classtype:policy-violation; sid:2008305; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Request"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|01 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008306; classtype:policy-violation; sid:2008306; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Details"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008307; classtype:policy-violation; sid:2008307; rev:3;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Accept"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|06 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008308; classtype:policy-violation; sid:2008308; rev:3;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Begin"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008309; classtype:policy-violation; sid:2008309; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET 
TROJAN Codesoft PW Stealer Email Report Outbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer"; content:"******STEAM PASS STEALER*******"; distance:0; reference:url,doc.emergingthreats.net/2008310; classtype:trojan-activity; sid:2008310; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; content:"/appscan_fingerprint/mac_address"; fast_pattern:only; nocase; http_uri; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; classtype:attempted-recon; sid:2008311; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop.AG/Pophot.az HTTP Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:".asp"; http_uri; content:"|3F|ver="; nocase; http_uri; content:"|26|tgid="; nocase; http_uri; content:"|26|address="; nocase; http_uri; pcre:"/address\=([0-9A-F][0-9A-F]-){5}([0-9A-F][0-9A-F])/Ui"; reference:url,doc.emergingthreats.net/2008317; classtype:trojan-activity; sid:2008317; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adaware.BarACE Checkin and Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|2E|php|3F|zone="; http_uri; nocase; content:"|26|name="; nocase; http_uri; content:"|26|bpid="; nocase; http_uri; content:"|26|bnum="; nocase; http_uri; content:"|26|pid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; classtype:trojan-activity; sid:2008318; 
rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Small.wpx or Related Downloader Posting Data"; flow:to_server,established; content:"POST"; http_method; content:"=|22|boturl|22|"; nocase; fast_pattern; content:"=|22|filename|22|"; nocase; content:"=|22|compips|22|"; nocase; content:"=|22|loadername|22|"; nocase; content:"=|22|loaderid|22|"; nocase; content:"=|22|uptime|22|"; nocase; content:"=|22|comptime|22|"; nocase; content:"=|22|winver|22|"; nocase; reference:url,doc.emergingthreats.net/2008319; classtype:trojan-activity; sid:2008319; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET TROJAN Banload Gadu-Gadu CnC Message Detected"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"Uruchomiono trojana, wpisz help aby uzyskac pomoc"; nocase; reference:url,doc.emergingthreats.net/2008320; classtype:trojan-activity; sid:2008320; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.AB or related Post-infection checkin"; flow:established,to_server; content:"/work.php?"; nocase; http_uri; content:"method="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008321; classtype:trojan-activity; sid:2008321; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FraudLoad.aww HTTP CnC Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/instlog/?"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient"; http_header; reference:url,doc.emergingthreats.net/2008322; classtype:trojan-activity; sid:2008322; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server; content:"/manda.php?"; nocase; http_uri; content:"ns="; nocase; http_uri; content:"&id="; nocase; http_uri; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2008324; classtype:trojan-activity; sid:2008324; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Perfect Keylogger FTP Initial Install Log Upload (Null obfuscated)"; flow:established,to_server; content:"C|00|o|00|n|00|g|00|r|00|a|00|t|00|u|00|l|00|a|00|t|00|i|00|o|00|n|00|s|00|!|00| |00|P|00|e|00|r|00|f|00|e|00|c|00|t|00| |00|K|00|e|00|l|00|o|00|g|00|g|00|e|00|r|00| |00|w|00|a|00|s|00| |00|s|00|u|00|c|00|c|00|e|00|s|00|s|00|f|00|u|00|l|00|l|00|y|00| |00|i|00|n|00|s|00|t|00|a|00|l|00|l|00|e|00|d|00|"; reference:url,doc.emergingthreats.net/2008327; classtype:trojan-activity; sid:2008327; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN xpsecuritycenter.com Fake AntiVirus GET-Install Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; http_uri; content:"wmid="; http_uri; fast_pattern; nocase; content:"|26|l="; nocase; http_uri; content:"|26|it="; nocase; http_uri; content:"|26|s="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-051910-0118-99&tabid=1; reference:url,doc.emergingthreats.net/2008329; classtype:trojan-activity; sid:2008329; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; content:".php"; http_uri; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; http_header; nocase; content:"from="; http_client_body; nocase; content:"|26|FromMail="; http_client_body; nocase; content:"|26|destino="; http_client_body; nocase; 
content:"|26|assunto="; http_client_body; nocase; content:"|26|mensagem="; http_client_body; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008331; classtype:trojan-activity; sid:2008331; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin (usually host-domain-lookup.com related)"; flow:established,to_server; content:"/upd/check?"; nocase; http_uri; content:"&fxp="; http_uri; reference:url,doc.emergingthreats.net/2008333; classtype:trojan-activity; sid:2008333; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KLog Nick Keylogger Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"Nick+Key+Ativado"; fast_pattern; reference:url,doc.emergingthreats.net/2008338; classtype:trojan-activity; sid:2008338; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keypack.co.kr Related Trojan User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| keypack"; http_header; reference:url,doc.emergingthreats.net/2008339; classtype:trojan-activity; sid:2008339; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lost Door Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"subject=Lost|20|door|20|"; http_uri; fast_pattern; content:"by|20|OussamiO"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/2008340; classtype:trojan-activity; sid:2008340; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Themida Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 69 64 61 74 61 20 20|"; content:"|54 68 65 6D 64 61 20 00|"; within:49; reference:url,www.oreans.com/themida.php; 
reference:url,cwsandbox.org/?page=samdet&id=164533&password=wnnpi; reference:url,doc.emergingthreats.net/2008341; classtype:trojan-activity; sid:2008341; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (123)"; flow:to_server,established; content:"User-Agent|3a| 123|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; classtype:trojan-activity; sid:2008343; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.Trojan Activity"; flow: to_server,established; content:"/dialer_min/getnum.asp?nip"; http_uri; reference:url,doc.emergingthreats.net/2008345; classtype:trojan-activity; sid:2008345; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"c="; http_uri; content:"&wv="; http_uri; content:"&wd="; http_uri; content:"&ie="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/2008347; classtype:successful-recon-limited; sid:2008347; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SC-KeyLog Keylogger Installed - Sending Log Email Report"; flow:established,to_server; content:"SC-KeyLog log report"; nocase; content:"See attached file"; nocase; content:".log"; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2008348; classtype:trojan-activity; sid:2008348; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; content:"User-Agent|3a| AutoIt"; http_header; flowbits:set,ET.autoit.ua; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
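(msg:"ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports"; flow:established,to_server; content:"/friendship/email_thank_you.php?"; http_uri; nocase; content:"folder_id="; http_uri; nocase; content:"&params_count="; http_uri; nocase; content:"&nick_name="; http_uri; nocase; content:"&user_email="; http_uri; nocase; content:"&user_uin="; http_uri; nocase; content:"&friend_nickname="; http_uri; nocase; content:"&friend_contact="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008351; classtype:policy-violation; sid:2008351; rev:3;)
# Note on sid:2008351 (the rule that ends on the line above): its third content match is
# "&params_count=". The page rendered it as a pilcrow followed by "ms_count=", which is what
# results when "&para" is decoded as an HTML entity. That literal would keep the rule from
# matching the URI it describes.
# sid:2008353 - POST with "/a?" in the URI and wg=, &cn=, &i=, &panic= in the request body (all case-insensitive);
# the threshold limits alerts to one per source per 3600 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:trojan-activity; sid:2008353; rev:7;)
# sid:2008355 - User-Agent header is exactly "angel"; at most two alerts per source per 300 seconds.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (angel)"; flow:to_server,established; content:"User-Agent|3a| angel|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; classtype:trojan-activity; sid:2008355; rev:7;)
# sid:2008356 - URI parameter set of an .aspx upload request.
# NOTE(review): content:"&partid=" carries no http_uri modifier, unlike every other content in this rule,
# so it is matched against the raw payload rather than the normalized URI - confirm whether that is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:trojan-activity; sid:2008356; rev:3;)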
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Steam Steal0r"; flow:established,to_server; content:"info=Steam|20|Steal0r|20|"; http_uri; fast_pattern; content:"&acc="; http_uri; content:"&pw="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/2008360; classtype:trojan-activity; sid:2008360; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Accessing)"; flow:to_server,established; content:"User-Agent|3a| Accessing|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; classtype:trojan-activity; sid:2008361; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; content:"User-Agent|3a| bsqlbf"; fast_pattern:only; http_header; nocase; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:2008362; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ISMYIE)"; flow:to_server,established; content:"User-Agent|3a| ISMYIE|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; classtype:trojan-activity; sid:2008363; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Donkeyp2p Update Detected"; flow:established,to_server; content:"GET"; nocase; http_method; 
content:"donkeyp2p.php"; http_uri; content:"?kind="; http_uri; content:"&args="; http_uri; content:"&ver="; http_uri; content:"&uniq="; http_uri; content:"&dllver="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008364; classtype:trojan-activity; sid:2008364; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Playtech Downloader Online Gaming Checkin"; flow:to_server,established; content:"/client_update_urls.php"; http_uri; content:"User-Agent|3a| Playtech "; http_header; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:trojan-activity; sid:2008365; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST "; nocase; depth:5; content:".php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; nocase; reference:url,doc.emergingthreats.net/2008366; classtype:trojan-activity; sid:2008366; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; nocase; http_method; content:"?mail="; http_uri; content:"subject=Keylogger"; fast_pattern:only; http_uri; content:"&body="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; classtype:trojan-activity; sid:2008368; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; content:"/RewardInstall.php?mac=0"; http_uri; 
content:"&hdd="; http_uri;content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:trojan-activity; sid:2008370; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; content:"User-Agent|3a| Connector v"; http_header; reference:url,doc.emergingthreats.net/2008372; classtype:trojan-activity; sid:2008372; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:trojan-activity; sid:2008375; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegHelper Installation"; flow:established,to_server; content:"GET"; nocase; http_method; content:"start="; http_uri; content:"&Edition="; http_uri; content:"&RHRTVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008376; classtype:trojan-activity; sid:2008376; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virtumod/Agent.ufv/Virtumonde Get Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"adm="; nocase; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2008377; classtype:trojan-activity; sid:2008377; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ErrCode)"; flow:established,to_server; 
content:"User-Agent|3a| ErrCode"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008378; classtype:trojan-activity; sid:2008378; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor Checkin (kgen_up)"; flow:to_server,established; content:"kgen_up.int"; http_uri; content:"fxp="; http_uri; pcre:"/fxp=[a-z0-9]{60}/Ui"; reference:url,doc.emergingthreats.net/2008379; classtype:trojan-activity; sid:2008379; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (1)"; flow:established,to_server; content:"/cd/cd.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/cd\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008382; classtype:trojan-activity; sid:2008382; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (2)"; flow:established,to_server; content:"/cd/un2.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un2\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008383; classtype:trojan-activity; sid:2008383; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; content:"/cd/un.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008384; classtype:trojan-activity; sid:2008384; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob HTTP Checkin"; flow:established,to_server; content:"/confirm.php?aid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008386; classtype:trojan-activity; sid:2008386; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (svchost)"; flow:established,to_server; content:"User-Agent|3a| svchost"; nocase; http_header; 
threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; classtype:trojan-activity; sid:2008391; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2)"; flow:established,to_server; content:"/?&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; reference:url,doc.emergingthreats.net/2008393; classtype:trojan-activity; sid:2008393; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3)"; flow:established,to_server; content:"&ns="; http_uri; content:"&id="; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008395; classtype:trojan-activity; sid:2008395; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"confirm.php?sid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008396; classtype:trojan-activity; sid:2008396; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fullspace.cc or Related Checkin (1)"; flow:established,to_server; content:"/config.php?ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&ras="; nocase; http_uri; content:"&verfull="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008397; classtype:trojan-activity; sid:2008397; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fullspace.cc or Related Checkin (2)"; flow:established,to_server; content:"/register."; nocase; http_uri; content:"?id="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&connect="; nocase; http_uri; content:"&ver="; nocase; http_uri; 
content:"ip="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008398; classtype:trojan-activity; sid:2008398; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; content:"User-Agent|3a| clk_jdfhid|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008399; classtype:trojan-activity; sid:2008399; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; content:"User-Agent|3a| ReadFileURL|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; classtype:trojan-activity; sid:2008400; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:trojan-activity; sid:2008402; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Obitel trojan calling home"; flow:established,to_server; content:"/gate.php?hash="; http_uri; content:"/gate.php?hash="; content:" HTTP/1."; distance:8; within:16; reference:url,www.abuse.ch/?p=143; reference:url,doc.emergingthreats.net/2008405; classtype:trojan-activity; sid:2008405; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY RemoteSpy.com Upload Detect"; flow:established,to_server; content:"POST"; http_method; content:"upload.php"; http_uri; content:"Host|3a| www.remotespy.com"; http_header; reference:url,doc.emergingthreats.net/2008406; classtype:trojan-activity; sid:2008406; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; 
file_data; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; classtype:web-application-attack; sid:2008407; rev:7;)
# sid 2008408 - Snapshot Viewer ActiveX, second CLSID. Inspects the HTTP response body
# (file_data) for the control's GUID, then applies two unanchored, case-insensitive pcre
# checks: one of SnapshotPath/CompressedPath/PrintSnapshot, and one of exe|bat|com|dll|ini.
# Neither pcre carries the R flag, so they are not tied to the position of the GUID, and
# the extension alternation has no leading dot, so the bare string "com" satisfies it.
# A hit therefore means "response references the control and one of its members", not
# proof of the file download named in msg; triage against the bugtraq 30114 advisory.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; file_data; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; classtype:web-application-attack; sid:2008408; rev:7;)
# sid 2008409 - third CLSID for the same control. Unlike the variant above it first
# requires the literal "clsid" and then the GUID after it (both distance:0), which
# narrows matches to bodies that spell the GUID as a class-id reference. The two loose
# pcre checks are the same, so the same false-positive caveat applies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; classtype:web-application-attack; sid:2008409; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| 
The Bat!"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; reference:url,doc.emergingthreats.net/2008411; classtype:trojan-activity; sid:2008411; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; content:"m="; http_uri; content:"&a="; http_uri; content:"&r="; http_uri;content:"&os="; http_uri; content:"00000"; http_uri; pcre:"/\/s_\d\d_\d+\?/U"; pcre:"/&os=[0-9a-z]{40}/Ui"; reference:url,doc.emergingthreats.net/2008412; classtype:trojan-activity; sid:2008412; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (PcPcUpdater)"; flow:established,to_server; content:"User-Agent|3a| PcPcUpdater"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; classtype:trojan-activity; sid:2008413; rev:9;) alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET SCAN Cisco Torch TFTP Scan"; content:"|52 61 6E 64 30 6D 53 54 52 49 4E 47 00 6E 65 74 61 73 63 69 69|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008414; classtype:attempted-recon; sid:2008414; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; content:"User-Agent|3a| Cisco-torch"; http_header; fast_pattern:12,10; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:9;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Httprint Web Server Fingerprint Scan"; flow:established,to_server; content:"GET"; http_method; content:"/antidisestablishmentarianism"; http_uri; 
reference:url,www.net-square.com/httprint/; reference:url,www.net-square.com/httprint/httprint_paper.html; reference:url,doc.emergingthreats.net/2008416; classtype:attempted-recon; sid:2008416; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET"; http_method; content:"?http|3A|//www.google."; nocase; content:"User-Agent|3A 20|Python-httplib2"; http_header; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:trojan-activity; sid:2008419; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!".newsinc.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008420; classtype:trojan-activity; sid:2008420; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Inet_read)"; flow:established,to_server; content:"User-Agent|3a| Inet_read"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; classtype:trojan-activity; sid:2008422; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (CFS Agent)"; flow:established,to_server; content:"User-Agent|3a| CFS Agent"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; 
classtype:trojan-activity; sid:2008423; rev:9;)
# sid 2008424 - outbound HTTP request whose User-Agent header starts with "CFS_DOWNLOAD".
# threshold type limit: at most 2 alerts per source address in any 300-second window.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; content:"User-Agent|3a| CFS_DOWNLOAD"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; classtype:trojan-activity; sid:2008424; rev:9;)
# sid 2008425 - POST to a URI containing /check.php?tcpc= that carries no User-Agent
# header at all (negated content on the header buffer). The missing header is part of
# the signature, so a proxy that injects a User-Agent would hide this traffic from it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:trojan-activity; sid:2008425; rev:5;)
# sid 2008426 - inbound to TCP 4000 only. Raw-payload chain, each match after the
# previous one (distance:0): "POST " in the first 5 bytes, /SecurityGateway.dll, logon,
# &username. The pcre (R = relative to the last match) then requires "=" followed by
# 720 bytes that are not "&", i.e. an oversized username value. Because the port is
# hard-coded, a service moved off 4000 is not covered; adjust the port if yours differs.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/SecurityGateway.dll"; nocase; distance:0; content:"logon"; nocase; distance:0; content:"&username"; nocase; distance:0; pcre:"/\x3d[^\x26]{720}/R"; reference:url,frsirt.com/english/advisories/2008/1717; reference:url,milw0rm.com/exploits/5718; reference:url,doc.emergingthreats.net/bin/view/Main/2008426; reference:cve,2008-4193; classtype:misc-attack; sid:2008426; rev:4;)
# sid 2008427 - outbound HTTP request whose User-Agent header starts with "AdiseExplorer";
# same 2-alerts-per-source-per-300-seconds limit as the other User-Agent rules here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; content:"User-Agent|3a| AdiseExplorer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; classtype:trojan-activity; sid:2008427; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; content:"User-Agent|3a| HTTP Downloader"; http_header; threshold: type limit, count 2, track by_src, seconds 300; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008428; classtype:trojan-activity; sid:2008428; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (HttpDownload)"; flow:established,to_server; content:"User-Agent|3a| HttpDownload"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; classtype:trojan-activity; sid:2008429; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Dialer.buv Sending Information Home"; flow:established,to_server; content:"/exit.php?if="; http_uri; nocase; content:"&cl="; content:"&id="; content:"&ov="; content:"&site="; content:"&tk="; reference:url,doc.emergingthreats.net/2008430; classtype:trojan-activity; sid:2008430; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:trojan-activity; sid:2008431; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Razy Variant Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:"&ComPut="; http_uri; fast_pattern; content:!"User-Agent|3a| "; http_header; content:!"360safe.com"; http_header; reference:url,doc.emergingthreats.net/2008433; classtype:trojan-activity; sid:2008433; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d0a|Host|3a20|"; fast_pattern; 
reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008434; classtype:trojan-activity; sid:2008434; rev:5;)
# sid 2008438 - content-type mismatch: response declares text/plain but the body is a PE.
# Body must start with "MZ" (within:2 of file_data). byte_jump skips 58 bytes past "MZ"
# to file offset 60, reads 4 little-endian bytes there and jumps that far forward from
# the end of the field (offset 64); distance:-64 undoes those 64 bytes so "PE\0\0" is
# tested at the offset the header itself names. The four flowbits:isnotset options
# suppress the alert on flows that other rules have tagged as known vendor downloads;
# the rules that set those bits are not on this part of the page - if they are disabled
# in your ruleset the exclusions never apply and those downloads will alert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:12;)
# sid 2008439 - application-specific SQL injection signature. URI must contain
# /index.php?, Act= and &pgm (all case-insensitive), and the normalised URI must contain
# the literal +UNION+SELECT. This is a signature for the request shape in the referenced
# advisory, not general SQL injection coverage for the application.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Affiliate Network Pro (pgm) Parameter SQL Injection"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"Act="; nocase; http_uri; content:"&pgm"; nocase; http_uri; pcre:"/\+UNION\+SELECT/Ui"; reference:bugtraq,30259; reference:url,milw0rm.com/exploits/6087; reference:url,doc.emergingthreats.net/2008439; classtype:web-application-attack; sid:2008439; rev:4;)
# sid 2008440 - outbound HTTP request whose User-Agent header starts with "Download App".
# threshold type limit: at most 2 alerts per source address in any 300-second window.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Download App)"; flow:established,to_server; content:"User-Agent|3a| Download App"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; classtype:trojan-activity; sid:2008440; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Dialer Variant"; flow:established,to_server; content:"GET"; nocase; http_method; content:"icp="; http_uri; content:"&id_site="; http_uri; content:"&dl_tracker"; http_uri; content:"&connection_type="; http_uri; content:"&asked_mdl_id="; http_uri; content:"&dialer="; http_uri; 
reference:url,doc.emergingthreats.net/2008441; classtype:trojan-activity; sid:2008441; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; within:20; http_client_body; content:"&affid="; http_client_body; content:"="; within:5; http_client_body; content:"&subid="; http_client_body; content:"=="; within:5; http_client_body; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:trojan-activity; sid:2008442; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; depth:2; http_client_body; content:"&i="; distance:0; content:"&v="; distance:0; content:"&os="; distance:0; content:"&s="; distance:0; content:"&h="; distance:0; content:"&d="; distance:0; content:"&panic"; distance:0; fast_pattern; content:"&ie="; distance:0; content:"&input="; distance:0; content:"&c="; distance:0; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:9;) alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3;) alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 
00 2e 00 70 00 77 00 64|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:4;)
# sid 2008449 - "Secret Client" followed by three NUL bytes within the first 18 bytes of
# a to-server payload. No HTTP buffer modifier is used although the rule is bound to
# $HTTP_PORTS, so it looks at the raw stream rather than a parsed HTTP request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger.ane Checkin"; flow:established,to_server; content:"Secret Client|00 00 00|"; depth:18; reference:url,doc.emergingthreats.net/2008449; classtype:trojan-activity; sid:2008449; rev:2;)
# sid 2008451 - header-style report on high ports: "HASH: " at the start of the payload,
# then CRLF "ID: ", then CRLF "Session" + |31 20|, in that order (distance:0); the RBL
# match has no position modifier and may occur anywhere.
# NOTE(review): the Session field ends in |31 20| ("1" + space) where every sibling field
# uses |3a 20| (": "). This may be a transcription slip for |3a 20|; if the traffic really
# has "Session: " the rule cannot match. Confirm against the upstream rule or a capture
# before changing it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Donbot Report to CnC"; flow:established,to_server; content:"HASH|3a 20|"; depth:6; content:"|0d 0a|ID|3a 20|"; distance:0; content:"|0d 0a|Session|31 20|"; distance:0; content:"|0d 0a|RBL|3a 20|"; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; reference:url,doc.emergingthreats.net/2008451; classtype:trojan-activity; sid:2008451; rev:3;)
# sid 2008453 - Basic-auth guessing against port 8080. "YWRtaW46" is the base64 of
# "admin:", so this matches any Basic credential for the user admin. fast_pattern:15,14
# selects the "Basic YWRtaW46" part of the content for the prefilter. threshold type
# threshold: one alert per 5 matches from the same source within 30 seconds, so fewer
# than 5 attempts in a window produce no alert. Only port 8080 is covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:9;)
# sid 2008454 - same shape for the user name tomcat. "dG9tY2F0" is the base64 of
# "tomcat" without the colon, so any user name that begins with "tomcat" also matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (tomcat)"; flow:to_server,established; content:"Authorization|3a| Basic dG9tY2F0"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008454; classtype:web-application-attack; sid:2008454; rev:9;)
# sid 2008455 - same shape for the user name manager. "bWFuYWdlcj" is the base64 of
# "manager"; the following "p" also encodes the colon and the top two bits of the first
# password byte, so the prefix is narrower than "any password for manager".
# NOTE(review): confirm that narrowing is intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (manager)"; flow:to_server,established; content:"Authorization|3a| Basic bWFuYWdlcjp"; fast_pattern:15,17; http_header; threshold: 
type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008455; classtype:web-application-attack; sid:2008455; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:trojan-activity; sid:2008456; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; content:"User-Agent|3a| FavUpdate"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:trojan-activity; sid:2008457; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader User-Agent (AutoDL\/1.0)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| AutoDL/1.0|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008458; classtype:trojan-activity; sid:2008458; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (hacker)"; flow:established,to_server; content:"User-Agent|3a| hacker"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; classtype:trojan-activity; sid:2008460; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rouge Security Software Win32.BHO.egw"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; nocase; content:"affid="; http_uri; nocase; content:"subid="; http_uri; nocase; 
content:"guid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"key="; http_uri; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636; reference:url,doc.emergingthreats.net/2008461; classtype:trojan-activity; sid:2008461; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; content:"User-Agent|3a| ieguideupdate"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; classtype:trojan-activity; sid:2008463; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (adsntD)"; flow:established,to_server; content:"User-Agent|3a| adsntD"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008464; classtype:trojan-activity; sid:2008464; rev:7;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; reference:url,doc.emergingthreats.net/2008465; classtype:trojan-activity; sid:2008465; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to_server; content:"DECLARE "; nocase; http_uri; content:"CHAR("; nocase; http_uri; content:"CAST("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008467; classtype:attempted-admin; sid:2008467; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HotLan.C Spambot C&C download command"; flow:established,from_server; content:"|3B|URL|3A|http|3A 2F 2F|"; 
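pcre:"/\x0D\x0A\x0D\x0ASLP\x3A\d+\x3BMOD\x3A[\S\x3B]+\x3BURL\x3Ahttp\x3A\x2F{2}[^\x3B]+\x3BSRV\x3Aupd\x3B/"; reference:url,doc.emergingthreats.net/2008471; classtype:trojan-activity; sid:2008471; rev:4;)
# sid 2008472 - Netviewer remote-control proxy test (policy rule, not malware). Requires
# a POST to a URI containing /nvserver whose body holds cmd=, &params= and the literal
# "Netviewer Proxy Test". The second body literal had been mis-decoded on this page
# ("&para" read as an HTML entity, leaving a pilcrow followed by "ms="), which left the
# rule unable to match a form-encoded body; it is restored to &params= here. Verify
# against the upstream rule for this sid before deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; content:"POST"; http_method; content:"/nvserver"; http_uri; content:"cmd="; http_client_body; content:"&params="; http_client_body; content:"Netviewer Proxy Test"; http_client_body; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:4;)
# sid 2008473 - GET whose URI contains ?mod=, &id=, &up= and &mid=. The four content
# matches are unordered; the pcre (U = normalised URI, i = case-insensitive) enforces
# the order mod, id, up, mid and requires an underscore inside the id value.
# fast_pattern:only puts ?mod= in the prefilter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"|3F|mod|3D|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:7;)
# sid 2008474 - URI carries &ID={...} and &rand=; the pcre requires a brace-wrapped
# GUID in upper-case hex (8-4-4-4-12, no i flag). The User-Agent literal has no space
# after the colon, so a client that sends the usual "User-Agent: " form does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:trojan-activity; sid:2008474; rev:4;)
# sid 2008476 - the hex is "lsremora" in UTF-16LE (last character without its trailing
# NUL), seen in traffic to SMB ports 139/445. Source is "any", so internal-to-internal
# sessions are covered; an authorised credential audit that moves the same file would
# alert as well, so correlate hits with change records before escalating.
alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; fast_pattern:only; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload POST Checkin 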
(dados)"; flow:established,to_server; content: "POST"; nocase; http_method; content:"PC="; http_client_body; nocase; content: "&USER="; http_client_body; nocase; content:"&HASH="; http_client_body; nocase; content:"&DADOS="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008477; classtype:trojan-activity; sid:2008477; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 2227 (msg:"ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin"; flow:established,to_server; dsize:32; content:"|00 c0 a8 01 f4 6f 00 00 00|"; depth:12; content:"|00 00 00 05 01 28 0a|"; reference:url,doc.emergingthreats.net/2008481; classtype:trojan-activity; sid:2008481; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN thespybot.com installation download detected"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php"; http_uri; content:"m="; http_uri; content:"&ydf="; http_uri; content:"&e="; http_uri; content:"&w="; http_uri; content:"&t="; http_uri; content:"&apz="; http_uri; reference:url,doc.emergingthreats.net/2008482; classtype:trojan-activity; sid:2008482; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Win32/Antivirus2008 CnC Beacon"; flow:established,to_server; content:"nick="; http_uri; nocase; content:"&group="; http_uri; nocase; content:"&os="; http_uri; content:"User-Agent|3a 20|Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008483; classtype:trojan-activity; sid:2008483; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:trojan-activity; sid:2008484; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; 
http_header; reference:url,doc.emergingthreats.net/2008485; classtype:trojan-activity; sid:2008485; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (NULL)"; flow:established,to_server; content:"User-Agent|3a| NULL"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; classtype:trojan-activity; sid:2008488; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.Win32.E-Group.n Checkin"; flow:to_server,established; content:"login="; nocase; http_uri; content:"&brokerid="; nocase; http_uri; content:"&extlogin="; nocase; http_uri; content:"&autosize="; nocase; http_uri; content:"&icp="; nocase; http_uri; content:"&id_site="; nocase; http_uri; content:"&dl_tracker="; nocase; http_uri; content:"&connection_type="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008490; classtype:trojan-activity; sid:2008490; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; pcre:"/&os=[a-f0-9]{50}/U"; reference:url,doc.emergingthreats.net/2008493; classtype:trojan-activity; sid:2008493; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ieagent)"; flow:established,to_server; content:"User-Agent|3a| ieagent"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; classtype:trojan-activity; sid:2008494; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (antispyprogram)"; flow:established,to_server; content:"User-Agent|3a| antispyprogram"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; 
classtype:trojan-activity; sid:2008495; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; content:"/?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; http_uri; content:"&a="; http_uri; content:"&l="; http_uri; content:"&addt"; reference:url,doc.emergingthreats.net/2008502; classtype:trojan-activity; sid:2008502; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; classtype:policy-violation; sid:2008503; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; content:"User-Agent|3a| SUiCiDE"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; classtype:trojan-activity; sid:2008504; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp"; http_uri; content:"id="; content:"&tit="; content:"&comm"; content:"Run|2B|Successfully"; fast_pattern; reference:url,doc.emergingthreats.net/2008506; classtype:trojan-activity; sid:2008506; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller"; flow:established,to_server; content:"state|3a| 0 - zombie is ready for control"; depth:38; reference:url,doc.emergingthreats.net/2008507; classtype:trojan-activity; sid:2008507; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; content:"User-Agent|3a| |5c|xa2|5c|xa2HttpClient|0d 0a|"; http_header; threshold:type limit,count 2,track 
by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; classtype:trojan-activity; sid:2008510; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; content:"?type=scanner&pin="; http_uri; content:"&lnd="; http_uri; reference:url,doc.emergingthreats.net/2008511; classtype:trojan-activity; sid:2008511; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (C slash)"; flow:established,to_server; content:"User-Agent|3a| C|3a 5c|"; http_header; content:!"|5c|Citrix|5c|"; http_header; content:!"|5c|Panda S"; nocase; http_header; content:!"|5c|Mapinfo"; http_header; nocase; threshold:type limit,count 2,track by_src,seconds 300; classtype:trojan-activity; sid:2008512; rev:18;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; content:"User-Agent|3a| msIE"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; classtype:trojan-activity; sid:2008513; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; content:"User-Agent|3a| AVP200"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; classtype:trojan-activity; sid:2008514; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon.AZG Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"eve="; nocase; http_uri; content:"username="; nocase; http_uri; content:"anma="; nocase; http_uri; fast_pattern; content:"ver="; nocase; http_uri; 
reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; reference:url,doc.emergingthreats.net/2008515; classtype:trojan-activity; sid:2008515; rev:7;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; fast_pattern:only; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008517; classtype:attempted-user; sid:2008517; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; fast_pattern:only; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008518; classtype:attempted-user; sid:2008518; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"appdata="; http_uri; nocase; content:"hd="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"computador="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008519; classtype:trojan-activity; sid:2008519; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Infection Report via POST"; flow:established,to_server; content:"texto=|25 30 44 25 30 41 25 30 44 25 30 41|Computer"; content:"|25 30 44 25 30 41|IP|25 32 45 25 32 45 25 32 45 25 32 45 25 32 45|"; distance:0; reference:url,doc.emergingthreats.net/2008521; classtype:trojan-activity; sid:2008521; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stpage Checkin (nomodem)"; flow:established,to_server; content:"/nomodem.php"; http_uri; 
content:"if="; http_uri; content:"&am="; http_uri; content:"&cl={"; http_uri; content:"&id="; http_uri; reference:url,doc.emergingthreats.net/2008522; classtype:trojan-activity; sid:2008522; rev:3;)
# Outbound HTTP POST whose URI carries magic=, &id=, &cache=, &tm= and &ox= while the
# request headers contain no "Mozilla" string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_header; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:trojan-activity; sid:2008523; rev:6;)
# NOTE(review): the next line is damaged; restore both rules from the upstream ruleset before use.
# The Smap rule stops right after the opening quote of its content option and runs straight into
# the middle of the header of the Virusremover2008 rule (sid:2008527). The missing text was
# presumably dropped as if it were markup. The quotes no longer balance, so a rule parser is
# unlikely to accept the line, and the Smap rule's own sid, classtype and references are not visible.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Smap VOIP Device Scan"; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virusremover2008.com Checkin"; flow:to_server,established; content:"GET"; depth:3; http_method; nocase; content:"?action="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr="; http_uri; content:"User-Agent|3a| Statistican"; http_header; reference:url,doc.emergingthreats.net/2008527; classtype:trojan-activity; sid:2008527; rev:5;)
# Inbound request with the User-Agent "core-project/1.0"; fast_pattern:12,11 selects the
# 11 bytes after "User-Agent: " ("core-projec") as the prefilter string.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent|3a| core-project/1.0"; fast_pattern:12,11; http_header; classtype:web-application-activity; sid:2008529; rev:6;)
# DNS lookup of chr.santa-inbox.com sent to $DNS_SERVERS: bytes 2-11 must be a standard
# query header (flags 01 00, one question, no other records), followed by the
# length-prefixed name. Only queries to the configured resolvers on UDP/53 are covered.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET TROJAN Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:trojan-activity; sid:2008531; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; 
flow:to_server,established; content:"GET"; nocase; http_method; content:"HTTP/1.0"; content:"User-Agent|3a| Mozilla"; content:"4.75 [en] (Windows NT 5.0"; http_header; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; content:"User-Agent|3a| sqlmap"; fast_pattern:only; http_header; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bravix Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?wmid="; http_uri; content:"&l="; http_uri; content:"&it="; http_uri; content:"&s="; http_uri; reference:url,doc.emergingthreats.net/2008541; classtype:trojan-activity; sid:2008541; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (winlogon)"; flow:established,to_server; content:"User-Agent|3a| winlogon"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008544; classtype:trojan-activity; sid:2008544; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Social-bos.biz related trojan checkin (trackid=hex)"; flow:established,to_server; content:".php?trackid="; http_uri; content:"706172616D3D636D64266C616E673D"; http_uri; 
reference:url,doc.emergingthreats.net/2008545; classtype:trojan-activity; sid:2008545; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"Antivir"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+\;\sAntivir/H"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:trojan-activity; sid:2008549; rev:16;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Buzus Checkin"; flow:established,to_server; content:".php?guid_bot="; http_uri; content:"&ver_bot="; http_uri; content:"&stat_bot="; http_uri; reference:url,doc.emergingthreats.net/2008550; classtype:trojan-activity; sid:2008550; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banito/Agent.pb Pass Stealer Email Report Outbound"; flow:established,to_server; content:"Subject|3a| Vip Passw0rds|0d 0a 0d 0a|Victim Name |3a| "; content:"|0d 0a|######## ICQ PASSWORDS ########"; distance:0; within:70; reference:url,doc.emergingthreats.net/2008551; classtype:trojan-activity; sid:2008551; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a|\\WINDOWS\\system32\\"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; content:"User-Agent|3a| iWin "; http_header; reference:url,doc.emergingthreats.net/2008558; classtype:trojan-activity; sid:2008558; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts 
File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:6;) alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection To Aanval Console"; flow:established,to_server; content:"/aanval/flex/AanvalFlex"; http_uri; nocase; reference:url,www.aanval.com; reference:url,doc.emergingthreats.net/bin/view/Main/2008561; classtype:misc-activity; sid:2008561; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; content:"User-Agent|3a| Internet HTTP"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; classtype:trojan-activity; sid:2008564; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Crypt.nc Checkin"; flow:to_server,established; content:".php?l"; http_uri; content:"&rvz1="; http_uri; fast_pattern:only; content:"&rvz2="; http_uri; content:!"Accept|3a|"; http_header; pcre:"/&rvz1=\d+&rvz2=\d+?$/U"; reference:url,doc.emergingthreats.net/2008567; classtype:trojan-activity; sid:2008567; rev:4;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper 
Toolkit Torturer Scan"; content:"interesting-Method"; content:"sip|3a|1_unusual.URI"; fast_pattern:only; content:"to-be!sure"; offset:20; depth:60; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008568; classtype:attempted-recon; sid:2008568; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection to Ossec WUI"; flow:established,to_server; content:"/ossec/"; http_uri; content:"js/calendar-setup.js"; http_uri; reference:url,www.ossec.net; reference:url,doc.emergingthreats.net/2008569; classtype:misc-activity; sid:2008569; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Unencrypted Connection to BASE Console"; flow:to_server,established; content:"/base_main.php"; http_uri; reference:url,base.secureideas.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008570; classtype:misc-activity; sid:2008570; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; http_uri; threshold: type threshold, track by_dst, count 2, seconds 5; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; classtype:attempted-recon; sid:2008571; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch)"; flow:established,to_server; dsize:<40; content:"viruscatch|00|"; reference:url,doc.emergingthreats.net/2008573; classtype:trojan-activity; sid:2008573; rev:3;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; fast_pattern:only; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008577; 
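classtype:attempted-recon; sid:2008577; rev:4;)
# SIP message on UDP/5060 whose From header display name starts with "sipvicious
# (|3A 20 22| is colon, space, double quote). Limited to one alert per source per 10 seconds.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious Scan"; content:"From|3A 20 22|sipvicious"; threshold: type limit, count 1, seconds 10, track by_src; reference:url,blog.sipvicious.org; reference:url,doc.emergingthreats.net/2008578; classtype:attempted-recon; sid:2008578; rev:6;)
# SIPp default test traffic: the sipp@ user plus a "Subject: Performance Test" header searched
# for in the 90 bytes from offset 90. Alerts once per 20 matches in 15 seconds per destination.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipp SIP Stress Test Detected"; content:"sip|3a|sipp@"; content:"Subject|3a| Performance Test"; offset:90; depth:90; threshold: type threshold, track by_dst, count 20, seconds 15; reference:url,sourceforge.net/projects/sipp/; reference:url,doc.emergingthreats.net/2008579; classtype:attempted-recon; sid:2008579; rev:4;)
# Outbound GET whose URI contains /ld/, .php, id=, &n= and &try=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/ld/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5;)
# The only pattern is the 12-byte prefix d1:ad2:id20: at the start of the payload. The
# find_node and announce_peer rules in this file open with the same prefix, so despite its
# name this rule appears to fire on those DHT queries as well (one alert per source per 300 s).
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3;)
# DHT find_node query: the d1:ad2:id20: prefix within the first 24 bytes, then 6:target20:
# at least 20 bytes later, then e1:q9:find_node1: at least 20 bytes after that.
# The find_node pattern was previously listed twice, each with distance:20, which required
# the keyword to occur two times at least 20 bytes apart in one datagram. The repeat is
# removed so a single occurrence satisfies the rule. Validate against a capture of known
# client traffic and record the change (rev or local sid) per your rule-management process.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT find_node request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:24; content:"6|3a|target20|3a|"; nocase; distance:20; content:"e1|3a|q9|3a|find_node1|3a|"; nocase; distance:20; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008582; 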
classtype:policy-violation; sid:2008582; rev:6;)
# DHT reply sent by an internal host: d1:rd2:id20: at the start of the payload, with
# 5:nodes exactly 20 bytes after it (distance:20; within:7 leaves no slack for the
# 7-byte pattern).
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT nodes reply"; content:"d1|3a|rd2|3a|id20|3a|"; nocase; depth:12; content:"5|3a|nodes"; nocase; distance:20; within:7; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008583; classtype:policy-violation; sid:2008583; rev:4;)
# DHT get_peers query: prefix, then 9:info_hash20: exactly 20 bytes later, then
# e1:q9:get_peers1: at least 20 bytes after that.
# NOTE(review): the prefix is searched with offset:12, i.e. starting at byte 12, whereas the
# ping and nodes-reply rules in this file anchor the same kind of prefix with depth:12 (bytes 0-11).
# If the prefix sits at the start of the datagram as those rules assume, this rule cannot
# match it; depth:12 looks like the intended modifier. Confirm against a capture.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT get_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; offset:12; content:"9|3a|info_hash20|3a|"; nocase; distance:20; within:14; content:"e1|3a|q9|3a|get_peers1|3a|"; nocase; distance:20; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008584; classtype:policy-violation; sid:2008584; rev:5;)
# DHT announce_peer query: prefix within the first 14 bytes, then e1:q13:announce_peer1:
# at least 55 bytes after it.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT announce_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:14; content:"e1|3a|q13|3a|announce_peer1|3a|"; nocase; distance:55; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008585; classtype:policy-violation; sid:2008585; rev:4;)
# Exact User-Agent header line; fast_pattern:37,12 selects the last 12 bytes of the
# pattern ("Viper 4.0)" plus CRLF) as the prefilter string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Casino Related Spyware User-Agent Detected (Viper 4.0)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (compatible, Viper 4.0)|0d 0a|"; http_header; fast_pattern:37,12; reference:url,doc.emergingthreats.net/2008586; classtype:trojan-activity; sid:2008586; rev:7;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET P2P Ares Server Connection"; flow:established,to_server; dsize:<70; content:"r|be|bloop|00|dV"; content:"Ares|00 0a|"; distance:16; reference:url,aresgalaxy.sourceforge.net; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008591; classtype:policy-violation; sid:2008591; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; content:"?nid_mac="; http_uri; content:"&nid_os_ver=Windows"; http_uri;content:"&nid_ie_ver="; http_uri; reference:url,doc.emergingthreats.net/2008592; classtype:trojan-activity; sid:2008592; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ezday.co.kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; content:"User-Agent|3a| Ezshop"; http_header; reference:url,doc.emergingthreats.net/2008594; classtype:trojan-activity; sid:2008594; rev:6;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipsak SIP scan"; content:"sip|3a|sipsak@"; offset:90; reference:url,sipsak.org/; reference:url,doc.emergingthreats.net/2008598; classtype:attempted-recon; sid:2008598; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; content:"User-Agent|3a| RLMultySocket|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; classtype:trojan-activity; sid:2008603; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4;) alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10; reference:url,sourceforge.net/projects/enumiax/; 
reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:5;)
# Outbound HTTP request whose User-Agent header starts with "ElectroSun " (trailing space included).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WinFixer Trojan Related User-Agent (ElectroSun)"; flow:established,to_server; content:"User-Agent|3a| ElectroSun "; http_header; reference:url,doc.emergingthreats.net/2008608; classtype:trojan-activity; sid:2008608; rev:8;)
# NOTE(review): the next line is damaged; restore both rules from the upstream ruleset before use.
# The "SIP Scan" rule breaks off inside its content string (after SIVuS_VoIP_Scanner) and
# continues in the middle of the header of the "SIP Components Scan" rule (sid:2008610); the
# missing text was presumably dropped as if it were markup. The quotes no longer balance,
# so a rule parser is unlikely to accept the line, and the first rule's sid is not visible.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan"; content:"sip|3a|sivus-discovery@vopsecurity.org"; offset:110; fast_pattern; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008610; classtype:attempted-recon; sid:2008610; rev:4;)
# Server-to-client packet from TCP/2240 whose first 8 bytes equal the given sequence.
alert tcp $EXTERNAL_NET 2240 -> $HOME_NET 1024: (msg:"ET P2P SoulSeek P2P Login Response"; flow:from_server,established; content:"|5c 01 00 00 01 00 00 00|"; depth:8; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008611; classtype:policy-violation; sid:2008611; rev:5;)
# GET to /show.php?catid= whose normalized URI contains UNION followed later by SELECT
# (case-insensitive). The "GET " anchor at depth 4 limits the rule to GET requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Lance show.php catid SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/show.php?catid="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32027/; reference:url,www.milw0rm.com/exploits/6605; reference:url,doc.emergingthreats.net/2008614; classtype:web-application-attack; sid:2008614; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Real Estate Manager realestate-index.php cat_id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"realestate-index.php?"; nocase; uricontent:"&cat_id="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/32049/; 
reference:url,www.milw0rm.com/exploits/6599; reference:url,doc.emergingthreats.net/2008615; classtype:web-application-attack; sid:2008615; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pilot Online Training Solution news_read.php id SQL Injection"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/news_read.php?id="; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/Advisories/31969/; reference:url,www.milw0rm.com/exploits/6613; reference:url,doc.emergingthreats.net/2008616; classtype:web-application-attack; sid:2008616; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Wikto Scan"; flow:to_server,established; content:"GET"; http_method; content:"/.adSensePostNotThereNoNobook"; http_uri; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008617; classtype:attempted-recon; sid:2008617; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?version="; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&fid="; nocase; http_uri; content:"&vpc="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008623; classtype:trojan-activity; sid:2008623; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?fid="; nocase; http_uri; content:"&kid="; nocase; http_uri; content:"&cnt="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&kw="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008624; classtype:trojan-activity; sid:2008624; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Pando Client User-Agent Detected 
(Mozilla/4.0 (Windows U) Pando/1.xx)"; flow:established,to_server; content:" Pando/"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (Windows|3b| U) Pando/"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008625; classtype:policy-violation; sid:2008625; rev:7;)
# Outbound request whose URI contains ?stage=setup&application=, &campaign=, &code= and &version=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report"; flow:established,to_server; content:"?stage=setup&application="; http_uri; content:"&campaign="; http_uri; content:"&code="; http_uri; content:"&version="; http_uri; reference:url,doc.emergingthreats.net/2008626; classtype:trojan-activity; sid:2008626; rev:3;)
# NOTE(review): the next line looks like two rules fused together. It opens with the Httprecon
# scan msg but closes with a hubscript-xssphpinfo reference, classtype web-application-attack
# and sid:2009647, and the sids in this file jump from 2008626 to 2009647 at this point, so
# text (possibly whole rules) appears to be missing here. Unlike an unbalanced line this one
# may still load, in which case sid 2009647 would alert under the Httprecon message.
# Restore from the upstream ruleset before relying on either detection.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; content:"GET"; http_method; content:"/etc/passwd?format="; http_uri; content:">"; nocase; http_uri; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009647; classtype:web-application-attack; sid:2009647; rev:4;)
# Any inbound request whose URI contains /patch/manage/phpinfo.php (case-insensitive);
# no method or parameter condition is applied.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Hubscript PHPInfo Attempt"; flow:to_server,established; content:"/patch/manage/phpinfo.php"; nocase; http_uri; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009650; classtype:web-application-attack; sid:2009650; rev:4;)
# GET to /includes/startmodules.inc.php? with a lang_file= parameter and the literal "../".
# NOTE(review): the "../" content has no http_uri modifier, so it is matched against the raw
# payload anywhere in the packet rather than the normalized URI - confirm this is intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/startmodules.inc.php?"; nocase; http_uri; content:"lang_file="; nocase; http_uri; content:"../"; reference:bugtraq,34538; reference:url,milw0rm.com/exploits/8446; reference:url,doc.emergingthreats.net/2009652; classtype:web-application-attack; sid:2009652; rev:4;)
alert tcp 
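$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Automated Link Exchange Portal cat_id Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/linking.page.php?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,29205; reference:url,milw0rm.com/exploits/5611; reference:url,doc.emergingthreats.net/2009658; classtype:web-application-attack; sid:2009658; rev:4;)
# GET to /footer.inc.php? with a settings[footer]= parameter and a literal "../" anywhere in
# the raw payload (that content has no URI modifier).
# The cve reference is written as the bare year-number id, the form used by the other cve
# references in this file (cve,2008-2639 and cve,2009-2765), so alert metadata can be
# matched on one format. Detection options are unchanged.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/footer.inc.php?"; nocase; uricontent:"settings[footer]="; nocase; content:"../"; reference:cve,2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009659; classtype:web-application-attack; sid:2009659; rev:3;)
# Same check for /header.inc.php? with settings[header]=; cve reference normalized as above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/header.inc.php?"; nocase; uricontent:"settings[header]="; nocase; content:"../"; reference:cve,2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009660; classtype:web-application-attack; sid:2009660; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/artmedic_print.php?"; nocase; uricontent:"date="; nocase; content:"../"; 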
reference:url,secunia.com/advisories/28927/; reference:url,milw0rm.com/exploits/5116; reference:url,doc.emergingthreats.net/2009661; classtype:web-application-attack; sid:2009661; rev:4;)
# GET to /statuswml.cgi? whose normalized URI has ping= followed by either a dotted-quad
# address or any run of characters (no &, CR or LF) ending in a semicolon.
# NOTE(review): the first pcre alternative is satisfied by a plain dotted-quad value on its
# own, so ordinary use of the ping parameter from $EXTERNAL_NET also alerts. Expect to
# tune or suppress where external access to this CGI is legitimate.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/statuswml.cgi?"; nocase; http_uri; content:"ping"; nocase; http_uri; pcre:"/ping\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ui"; reference:bugtraq,35464; reference:url,doc.emergingthreats.net/2009670; classtype:web-application-attack; sid:2009670; rev:9;)
# NOTE(review): in this rule and the two programsrating rules that follow, the last
# uricontent is an empty string. The pattern that carried the actual XSS check is not
# visible here (presumably dropped as if it were markup). An empty pattern may be rejected
# when the rules are loaded; if it is accepted, what remains matches any GET to the script
# with the named parameter. Restore these sids from the upstream ruleset before enabling them.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/users/payment.php?"; nocase; uricontent:"order_id="; nocase; uricontent:""; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt; reference:url,doc.emergingthreats.net/2009671; classtype:web-application-attack; sid:2009671; rev:3;)
# Same damage: empty final uricontent (see the note above the millionpixel rule).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rating/rate.php?"; nocase; uricontent:"id="; nocase; uricontent:""; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; reference:url,doc.emergingthreats.net/2009672; classtype:web-application-attack; sid:2009672; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rating/postcomments.php?"; nocase; uricontent:"id="; nocase; uricontent:""; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; 
reference:url,doc.emergingthreats.net/2009673; classtype:web-application-attack; sid:2009673; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Guestbook guestbook.php mes_id SQL Injection attempt"; flow:to_server,established; content:"GET"; http_method; content:"/guestbook.php?"; nocase; http_uri; content:"mes_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.milw0rm.com/exploits/9197; reference:url,doc.emergingthreats.net/2009674; classtype:web-application-attack; sid:2009674; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:to_server,established; content:"/cgi-bin/|3B|"; fast_pattern:only; nocase; http_uri; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/Ui"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,doc.emergingthreats.net/2009678; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/html.php?"; nocase; uricontent:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009690; classtype:web-application-attack; sid:2009690; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/html2.php?"; nocase; uricontent:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//Ui"; 
reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009691; classtype:web-application-attack; sid:2009691; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Navipromo related update"; flow:established,to_client; content:"|0d 0a|Server|3a| lighttpd|0d 0a 0d 0a|_SYSTEM_DIR_"; reference:url,doc.emergingthreats.net/2009694; classtype:trojan-activity; sid:2009694; rev:3;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009698; classtype:attempted-dos; sid:2009698; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood UDP"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009699; classtype:attempted-dos; sid:2009699; rev:1;) alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses UDP"; content:"SIP/2.0 401 Unauthorized"; depth:24; fast_pattern; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2009700; classtype:attempted-dos; sid:2009700; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (INet)"; flow:established,to_server; content:"User-Agent|3a| INet|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2009703; classtype:trojan-activity; sid:2009703; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
TROJAN Win32.Hupigon.dkwt Related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"htm?mac="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&id="; http_uri; pcre:"/\?mac=[0-9]*?&os=[a-z]*?&ver=[0-9]{8}&id=/Ui"; reference:url,doc.emergingthreats.net/2009704; classtype:trojan-activity; sid:2009704; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W3i Related Adware/Spyware"; flow:established,to_server; content:"GET"; nocase; http_method; content:"shortname="; nocase; http_uri; content:"os="; nocase; http_uri; content:"v="; nocase; http_uri; content:"browsers="; nocase; http_uri; content:"readable="; nocase; http_uri; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; classtype:trojan-activity; sid:2009705; rev:4;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; classtype:policy-violation; sid:2009706; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/scripts/setup.php"; nocase; content:"|0D 0A 0D 0A|token="; content:"host"; content:"phpinfo|25|28|25|29|25|3b"; nocase; within:64; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009709; classtype:web-application-attack; sid:2009709; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system)"; 
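flow:established,to_server; content:"POST"; http_method; uricontent:"/scripts/setup.php"; nocase; content:"token="; http_client_body; depth:6; content:"host"; http_client_body; content:"system|28 24 5F|"; nocase; http_client_body; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009710; classtype:web-application-attack; sid:2009710; rev:5;)

# sid 2009711 - outbound HTTP POST from $HOME_NET whose client body carries the
# fields "G=", "&PG=" and "&EPBB=" (all case-insensitive) and whose headers
# contain no "User-Agent:" line. The negated header match is what separates
# this from ordinary form posts, so expect noise from minimal HTTP clients
# that also omit the header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Runner/Bublik Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; nocase; content:!"User-Agent|3a|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:trojan-activity; sid:2009711; rev:6;)

# sid 2009712 - outbound HTTP GET whose URI contains ".php?kind=", "&pid=",
# "&ver=" and "&addresses=".
# NOTE(review): "&hdmacid=" is the only pattern here without http_uri, so it is
# matched against the raw payload rather than the normalized URI buffer. That
# looks unintentional next to its siblings - confirm against upstream before
# changing it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; reference:url,doc.emergingthreats.net/2009712; classtype:trojan-activity; sid:2009712; rev:4;)

# sid 2009714 - inbound request to $HTTP_SERVERS whose normalized URI contains
# a closing script tag (case-insensitive).
# NOTE(review): this copy of the ruleset carried an empty content:"" here,
# which the rule parser rejects; the pattern appears to have been stripped as
# HTML when the file was extracted. It is restored to match the rule's msg
# ("Script tag in URI") - verify against the upstream rev:9 text before deploying.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; flags:!R; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:9;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting 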
Attempt"; flow:to_server,established; content:"onmouseover="; fast_pattern:only; nocase; http_uri; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; reference:url,doc.emergingthreats.net/2009715; classtype:web-application-attack; sid:2009715; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ECShop user.php order_sn Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/user.php?"; nocase; uricontent:"act=order_query"; nocase; uricontent:"order_sn="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34733; reference:url,milw0rm.com/exploits/8548; reference:url,doc.emergingthreats.net/2009716; classtype:web-application-attack; sid:2009716; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AvailScript Photo Album Script pics.php sid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/pics.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,31085; reference:url,milw0rm.com/exploits/6411; reference:url,doc.emergingthreats.net/2009718; classtype:web-application-attack; sid:2009718; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/comments.php?"; nocase; uricontent:"templates_dir="; nocase; content:"../"; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009719; classtype:web-application-attack; sid:2009719; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion"; flow:to_server,established; content:"GET "; 
depth:4; uricontent:"/modules/comments.php?"; nocase; uricontent:"template="; nocase; content:"../"; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009720; classtype:web-application-attack; sid:2009720; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/bin/qte_init.php?"; nocase; uricontent:"qte_root="; nocase; content:"../"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009724; classtype:web-application-attack; sid:2009724; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config.php?"; nocase; uricontent:"inc_dir="; nocase; content:"../"; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009726; classtype:web-application-attack; sid:2009726; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Scripts For Sites EZ e-store searchresults.php where Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/SearchResults.php?"; nocase; uricontent:"where="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2008-6242; reference:bugtraq,32039; reference:url,milw0rm.com/exploits/6922; reference:url,doc.emergingthreats.net/2009727; classtype:web-application-attack; sid:2009727; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/config.php?"; nocase; 
uricontent:"newlang=kacper"; nocase; uricontent:"languages[kacper][file]="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8504; reference:bugtraq,34636; reference:url,doc.emergingthreats.net/2009728; classtype:web-application-attack; sid:2009728; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/cms_detect.php?"; nocase; uricontent:"include="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8503; reference:bugtraq,34634; reference:url,doc.emergingthreats.net/2009729; classtype:web-application-attack; sid:2009729; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JobHut browse.php pk Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/browse.php?"; nocase; http_uri; content:"pk="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34300; reference:url,milw0rm.com/exploits/8318; reference:url,doc.emergingthreats.net/2009730; classtype:web-application-attack; sid:2009730; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VS Panel showcat.php Cat_ID Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/showcat.php?"; nocase; uricontent:"Cat_ID="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34648; reference:url,milw0rm.com/exploits/8506; reference:url,doc.emergingthreats.net/2009731; classtype:web-application-attack; sid:2009731; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 212cafe Board view.php qID Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/view.php?"; nocase; http_uri; 
content:"qID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,31426; reference:url,xforce.iss.net/xforce/xfdb/45428; reference:url,milw0rm.com/exploits/6578; reference:url,doc.emergingthreats.net/2009734; classtype:web-application-attack; sid:2009734; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS X-BLC get_read.php section Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/get_read.php?"; nocase; uricontent:"section="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8258; reference:bugtraq,34197; reference:url,doc.emergingthreats.net/2009738; classtype:web-application-attack; sid:2009738; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DMXReady Multiple Products upload_image_category.asp cid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/upload_image_category.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33253; reference:url,xforce.iss.net/xforce/xfdb/47959; reference:url,milw0rm.com/exploits/7767; reference:url,doc.emergingthreats.net/2009739; classtype:web-application-attack; sid:2009739; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter projects.php idp Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/reports/projects.php?"; nocase; http_uri; content:"idp="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; 
reference:url,doc.emergingthreats.net/2009740; classtype:web-application-attack; sid:2009740; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter contacts.php idc Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/reports/contacts.php?"; nocase; http_uri; content:"idc="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009741; classtype:web-application-attack; sid:2009741; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BibCiter users.php idu Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/reports/users.php?"; nocase; http_uri; content:"idu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009742; classtype:web-application-attack; sid:2009742; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/website.php?"; nocase; uricontent:"page="; nocase; content:"../"; reference:bugtraq,30176; reference:url,milw0rm.com/exploits/6037; reference:url,doc.emergingthreats.net/2009743; classtype:web-application-attack; sid:2009743; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SuperNews valor.php noticia Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/valor.php?"; nocase; uricontent:"noticia="; nocase; uricontent:"UNION"; 
nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8255; reference:bugtraq,34195; reference:url,doc.emergingthreats.net/2009744; classtype:web-application-attack; sid:2009744; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/pmscript.php?"; nocase; http_uri; content:"with="; nocase; http_uri; content:"../"; reference:url,milw0rm.com/exploits/8549; reference:bugtraq,34734; reference:url,doc.emergingthreats.net/2009745; classtype:web-application-attack; sid:2009745; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qte_web.php?"; nocase; uricontent:"qte_web_path="; nocase; content:"../"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009746; classtype:web-application-attack; sid:2009746; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/articles.php?"; nocase; http_uri; content:"aIDS="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2008-4371; reference:url,secunia.com/advisories/31816/; reference:url,milw0rm.com/exploits/6409; reference:url,doc.emergingthreats.net/2009747; classtype:web-application-attack; sid:2009747; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD"; http_method; nocase; content:".php?action="; 
http_uri; nocase; content:"&uid="; nocase; http_uri; content:"&locale="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&build="; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; classtype:trojan-activity; sid:2009750; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fraudload/FakeAlert/FakeVimes Downloader - POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"; fast_pattern:40,20; nocase; http_header; content:"verint="; nocase; http_client_body; content:"&wv="; nocase; http_client_body; content:"&report="; nocase; http_client_body; content:"&abbr="; nocase; http_client_body; content:"&pid="; http_client_body; reference:url,www.pctools.com/mrc/infections/id/Trojan-Downloader.FraudLoad/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-Downloader.FraudLoad; reference:url,doc.emergingthreats.net/2009751; classtype:trojan-activity; sid:2009751; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif/DlKroha Trojan Activity HTTP Outbound"; flow:to_server,established; content:".php?"; http_uri; content:"4x4x4x4x4x6x"; fast_pattern:only; http_uri; reference:url,doc.emergingthreats.net/2009752; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; classtype:trojan-activity; sid:2009752; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/include/unverified.inc.php?"; nocase; http_uri; content:"template="; nocase; http_uri; content:"../"; reference:bugtraq,27964; 
reference:url,juniper.net/security/auto/vulnerabilities/vuln27964.html; reference:url,www.exploit-db.com/exploits/5179/; reference:url,doc.emergingthreats.net/2009761; classtype:web-application-attack; sid:2009761; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/portfolio/css.php?"; nocase; http_uri; content:"theme="; nocase; http_uri; content:"../"; reference:cve,CVE-2008-6265; reference:bugtraq,32218; reference:url,vupen.com/english/advisories/2008/3070; reference:url,milw0rm.com/exploits/7065; reference:url,doc.emergingthreats.net/2009764; classtype:web-application-attack; sid:2009764; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:trojan-activity; sid:2009765; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IE Toolbar User-Agent (IEToolbar)"; flow:established,to_server; content:"User-Agent|3a| IEToolbar"; http_header; reference:url,doc.emergingthreats.net/2009766; classtype:trojan-activity; sid:2009766; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQL Power Injector SQL Injection User Agent Detected"; flow:to_server,established; content:"User-Agent|3a| SQL Power Injector"; fast_pattern:only; http_header; content:"Security tool (Make sure it is used with the administrator consent)"; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; classtype:attempted-recon; sid:2009769; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Downloader Activity Observed"; flow:established,to_server; content:"GET"; nocase; 
http_method; content:".php?id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern:only; content:"&b="; nocase; http_uri; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D/iU"; reference:url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280; reference:url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0; reference:url,doc.emergingthreats.net/2009776; classtype:trojan-activity; sid:2009776; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- php5x.php"; flow:to_server,established; content:"GET"; http_method; content:"/libraries/joomla/utilities/compat/php50x.php"; nocase; http_uri; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009778; classtype:attempted-recon; sid:2009778; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- ldap.php"; flow:to_server,established; content:"GET"; http_method; content:"/libraries/joomla/client/ldap.php"; nocase; http_uri; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009779; classtype:attempted-recon; sid:2009779; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- content.php"; flow:to_server,established; content:"GET"; http_method; content:"/libraries/joomla/html/html/content.php"; nocase; http_uri; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009780; classtype:attempted-recon; sid:2009780; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; content:"GET"; nocase; http_method; 
content:"User-Agent|3a| Microgaming Install Program|0d 0a|"; nocase; http_header; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:trojan-activity; sid:2009783; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Community CMS view.php article_id Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/view.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,34303; reference:url,milw0rm.com/exploits/8323; reference:url,doc.emergingthreats.net/2009787; classtype:web-application-attack; sid:2009787; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/examples/tbs_us_examples_0view.php?"; nocase; uricontent:"script="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8667; reference:url,vupen.com/english/advisories/2009/1304; reference:url,doc.emergingthreats.net/2009789; classtype:web-application-attack; sid:2009789; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/arch.php?"; nocase; uricontent:"arch="; nocase; content:"../"; reference:url,milw0rm.com/exploits/8680; reference:bugtraq,34968; reference:url,secunia.com/advisories/35059/; reference:url,doc.emergingthreats.net/2009790; classtype:web-application-attack; sid:2009790; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
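WEB_SPECIFIC_APPS GS Real Estate Portal email.php AgentID Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/email.php?"; nocase; http_uri; content:"AgentID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,juniper.net/security/auto/vulnerabilities/vuln32307.html; reference:url,xforce.iss.net/xforce/xfdb/46638; reference:url,milw0rm.com/exploits/7117; reference:url,doc.emergingthreats.net/2009791; classtype:web-application-attack; sid:2009791; rev:4;)

# sid 2009794 - inbound GET for /listing_video.php with a catid= parameter and
# a UNION ... SELECT sequence in the normalized URI.
# NOTE(review): the "SELECT" uricontent had no nocase modifier, unlike "UNION"
# in this rule, the /i pcre that follows it, and the sibling SQL-injection
# rules in this file. Since every content match must succeed, the rule only
# fired on an upper-case keyword. nocase is added for consistency; this is a
# local deviation from the rev:3 text shown here, so track it when merging
# upstream updates.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VidShare Pro listing_video.php catid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/listing_video.php?"; nocase; uricontent:"catid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8737; reference:bugtraq,35033; reference:url,doc.emergingthreats.net/2009794; classtype:web-application-attack; sid:2009794; rev:3;)

# sid 2009795 - inbound GET for /managePerson.php with a personId= parameter
# and a UNION ... SELECT sequence in the normalized URI (all case-insensitive).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/managePerson.php?"; nocase; http_uri; content:"personId="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35032; reference:url,milw0rm.com/exploits/8738; reference:url,doc.emergingthreats.net/2009795; classtype:web-application-attack; sid:2009795; rev:4;)

# sid 2009796 - outbound HTTP request whose header block contains the exact
# line "User-Agent: Releasexp" followed by CRLF (case-insensitive). This is a
# single-indicator rule: it keys on the User-Agent string alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:trojan-activity; sid:2009796; rev:8;)

alert 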
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Carbonite Installer|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009801; classtype:policy-violation; sid:2009801; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Screenblaze SCR Related Backdoor - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?id="; nocase; http_uri; content:"&serial="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"User-Agent|3a| WinInetHTTP|0d 0a|"; http_header; nocase; reference:url,vil.nai.com/vil/content/v_156782.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none; reference:url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7; reference:url,doc.emergingthreats.net/2009804; classtype:trojan-activity; sid:2009804; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0 (SPGK)|0d 0a|"; fast_pattern:24,8; nocase; http_header; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none; reference:url,www.threatexpert.com/threats/virus-win32-luder-b.html; reference:url,doc.emergingthreats.net/2009805; classtype:trojan-activity; sid:2009805; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PoisonIvy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; depth:3; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"IpAddr="; nocase; http_uri; content:"&OS="; nocase; http_uri; content:"&RegistryChanged="; nocase; http_uri; content:"&RegistryUpdate="; nocase; http_uri; content:"&NewInstallation="; nocase; http_uri; content:"&utilMissing="; nocase; http_uri; content:"&Basedir="; nocase; http_uri; content:"&BundleID="; nocase; http_uri; content:"&InitInstalled="; nocase; http_uri; content:"&Interval="; nocase; http_uri; content:"&LastInitRun="; nocase; http_uri; content:"&LastInitVer="; nocase; http_uri; content:"&LastSrngRun="; nocase; http_uri; content:"&LastUtilRun="; nocase; http_uri; content:"&SrngInstalled="; nocase; http_uri; content:"&SrngVer="; nocase; http_uri; content:"&UtilInstalled="; nocase; http_uri; content:"&UtilVer="; nocase; http_uri; content:"&PCID"; nocase; http_uri; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; classtype:trojan-activity; sid:2009807; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Virut - GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; nocase; http_uri; content:"&lastid="; nocase; http_uri; content:"&Version"; nocase; http_uri; content:"&smartpic="; nocase; http_uri; content:"&rand="; nocase; http_uri; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut; reference:url,www.avast.com/eng/win32-virut.html; reference:url,free.avg.com/66558; reference:url,www.threatexpert.com/threats/virus-win32-virut-ce.html; reference:url,doc.emergingthreats.net/2009808; classtype:trojan-activity; sid:2009808; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible MSIE 7.0 na .NET CLR 2.0.50727 .NET CLR 3.0.4506.2152 .NET CLR 3.5.30729))"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.0.4506.2152|3b| .NET CLR 3.5.30729)|0d0a|"; fast_pattern:37,13; http_header; reference:url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter; reference:url,doc.emergingthreats.net/2009810; classtype:trojan-activity; sid:2009810; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp?mac="; nocase; http_uri; content:"&xxx="; nocase; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009811; classtype:trojan-activity; sid:2009811; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AVKiller with Backdoor checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&ip_int="; http_client_body; nocase; content:"&os="; http_client_body; nocase; content:"&av="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009812; classtype:trojan-activity; sid:2009812; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST"; flow:established,to_server; 
content:"POST"; nocase; http_method; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"|0d 0a|r="; nocase; content:"&f="; nocase; content:"&p="; nocase; content:"&u="; nocase; content:"&i="; nocase; content:"&g="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2009813; classtype:trojan-activity; sid:2009813; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_cmdshell"; nocase; http_uri; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; classtype:web-application-attack; sid:2009815; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_servicecontrol"; nocase; http_uri; pcre:"/(start|stop|continue|pause|querystate)/Ui"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; reference:url,doc.emergingthreats.net/2009816; classtype:web-application-attack; sid:2009816; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"sp_adduser"; nocase; http_uri; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; reference:url,doc.emergingthreats.net/2009817; classtype:web-application-attack; sid:2009817; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; 
flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_reg"; nocase; http_uri; pcre:"/xp_reg(read|write|delete)/Ui"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009818; classtype:web-application-attack; sid:2009818; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_fileexist"; nocase; http_uri; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009819; classtype:web-application-attack; sid:2009819; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_enumerrorlogs"; nocase; http_uri; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009820; classtype:web-application-attack; sid:2009820; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_readerrorlogs"; nocase; http_uri; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; 
reference:url,doc.emergingthreats.net/2009822; classtype:web-application-attack; sid:2009822; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; content:"EXEC"; nocase; http_uri; content:"xp_"; nocase; http_uri; content:"_enum"; nocase; http_uri; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/Ui"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; reference:url,doc.emergingthreats.net/2009823; classtype:web-application-attack; sid:2009823; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet"; flow:established,to_server; content:"tip="; depth:4; nocase; content:"&cli="; nocase; content:"&tipo="; nocase; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html; reference:url,doc.emergingthreats.net/2009824; classtype:trojan-activity; sid:2009824; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 2.1|3b| SV3)|0d0a|"; fast_pattern:47,15; http_header; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis"; flow:established,to_server; content:"User-Agent|3a| pavuk"; http_header; nocase; reference:url,pavuk.sourceforge.net/about.html; reference:url,doc.emergingthreats.net/2009827; 
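classtype:attempted-recon; sid:2009827; rev:4;)
# sid 2009829: outbound HTTP GET whose URI carries the ?SoftName= / &SoftVersion= / &UserIP / &Mac
# parameter set (all matched case-insensitively in the normalized URI).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?SoftName="; nocase; http_uri; content:"&SoftVersion="; nocase; http_uri; content:"&UserIP"; nocase; http_uri; content:"&Mac"; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html; reference:url,www.threatexpert.com/threats/w32-virut-i.html; reference:url,doc.emergingthreats.net/2009829; classtype:trojan-activity; sid:2009829; rev:4;)
# sid 2009830: outbound HTTP POST whose client body carries the Wombot.A check-in parameter names.
# NOTE(review): the content between "&botid" and "&botlogin=" had been extracted as "®_NAME" --
# the leading "&REG"/"&reg" was decoded as the HTML entity for the registered sign. With that
# byte in place the rule cannot match a body holding the literal parameter, so the signature
# never fires. Restored as "&REG_NAME" with nocase, because the original letter case cannot be
# recovered from this copy; confirm against the upstream text of this sid before deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"&ver="; http_client_body; content:"&MAX_EXECUTE_TIME="; http_client_body; fast_pattern; content:"&RELOAD_JOBS="; http_client_body; content:"&BROWSER_DELAY="; http_client_body; content:"&CONTROL_PAGE"; http_client_body; content:"&lastlogcount"; http_client_body; content:"&min_captchasize"; http_client_body; content:"&botid"; http_client_body; content:"&REG_NAME"; nocase; http_client_body; content:"&botlogin="; http_client_body; reference:url,doc.emergingthreats.net/2009830; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FWombot.A; classtype:trojan-activity; sid:2009830; rev:7;)
# sid 2009831: outbound HTTP request whose header block contains "User-Agent: RichCasino"
# (case-insensitive). The single header match is the whole signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; content:"User-Agent|3a| RichCasino"; nocase; http_header; reference:url,doc.emergingthreats.net/2009831; classtype:trojan-activity; sid:2009831; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 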
[135,139,445,1024:2048] (msg:"ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND"; flow:established,to_server; content:"|05|"; content:"|80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89|"; distance:31; reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; reference:url,doc.emergingthreats.net/2009832; classtype:attempted-recon; sid:2009832; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN WITOOL SQL Injection Scan"; flow:to_server,established; content:"union+select"; http_raw_uri; content:"select+user"; http_raw_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|3b| MyIE2"; fast_pattern:48,20; http_header; threshold: type threshold, track by_dst, count 2, seconds 30; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; classtype:attempted-recon; sid:2009833; rev:11;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_artportal&portalid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009834; classtype:web-application-attack; sid:2009834; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_artportal&portalid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9563/; 
reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009835; classtype:web-application-attack; sid:2009835; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_artportal&portalid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009836; classtype:web-application-attack; sid:2009836; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/search.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009838; classtype:web-application-attack; sid:2009838; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET"; http_method; content:"/archive.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009839; classtype:web-application-attack; sid:2009839; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; 
content:"/base/Archive.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009840; classtype:web-application-attack; sid:2009840; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET"; http_method; content:"/comments.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009841; classtype:web-application-attack; sid:2009841; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/base/Comments.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009842; classtype:web-application-attack; sid:2009842; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET"; http_method; content:"/news.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009843; classtype:web-application-attack; 
sid:2009843; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/base/News.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009844; classtype:web-application-attack; sid:2009844; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/base/SendFriend.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009845; classtype:web-application-attack; sid:2009845; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz num_questions.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/num_questions.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009849; classtype:web-application-attack; sid:2009849; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/answers.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009850; classtype:web-application-attack; sid:2009850; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php order_number Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/answers.php?"; nocase; http_uri; content:"order_number="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009851; classtype:web-application-attack; sid:2009851; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score_web.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/high_score_web.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009852; classtype:web-application-attack; sid:2009852; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz results_table_web.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/results_table_web.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009853; classtype:web-application-attack; sid:2009853; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php 
quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/question.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009854; classtype:web-application-attack; sid:2009854; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php order_number Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/question.php?"; nocase; http_uri; content:"order_number="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009855; classtype:web-application-attack; sid:2009855; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score.php quiz Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/high_score.php?"; nocase; http_uri; content:"quiz="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009856; classtype:web-application-attack; sid:2009856; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; file_data; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; distance:0; content:"SceneURL"; nocase; distance:0; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; 
classtype:web-application-attack; sid:2009857; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| ERRN200"; http_header; reference:url,doc.emergingthreats.net/2009861; classtype:trojan-activity; sid:2009861; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker Trojan CnC AddNew Command"; flow:established,to_server; dsize:<120; content:"[S]ADDNEW|7c|"; depth:10; reference:url,doc.emergingthreats.net/2009862; classtype:trojan-activity; sid:2009862; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker Trojan CnC Hello Command"; flow:established,to_server; dsize:12; content:"[S]hello["; depth:9; reference:url,doc.emergingthreats.net/2009863; classtype:trojan-activity; sid:2009863; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible)|0d 0a|"; http_header; fast_pattern:18,20; threshold: type limit, count 2, track by_src, seconds 300; content:!".hddstatus.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/activities/workflow-activities.php?"; nocase; uricontent:"include_directory="; nocase; pcre:"/include_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2008-3399; reference:url,milw0rm.com/exploits/6131; reference:url,xforce.iss.net/xforce/xfdb/43992; reference:url,doc.emergingthreats.net/2009870; classtype:web-application-attack; sid:2009870; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/_functions.php?"; nocase; uricontent:"GLOBALS[prefix]="; nocase; content:"../"; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009875; classtype:web-application-attack; sid:2009875; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/doku.php?"; nocase; http_uri; content:"config_cascade[main][default][]="; nocase; http_uri; content:"../"; reference:bugtraq,35095; reference:url,milw0rm.com/exploits/8781; reference:url,doc.emergingthreats.net/2009876; classtype:web-application-attack; sid:2009876; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/mypage.php?"; nocase; http_uri; content:"trg="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32467; reference:bugtraq,31986; reference:url,milw0rm.com/exploits/6874; reference:url,doc.emergingthreats.net/2009878; classtype:web-application-attack; sid:2009878; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; content:"/sd?"; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:trojan-activity; sid:2009880; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection"; flow:to_server,established; 
content:"/index.php?option=com_joomlub&controller=auction&view=auction&task=edit&aid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/9593/; reference:url,doc.emergingthreats.net/2009881; classtype:web-application-attack; sid:2009881; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; flow:established,to_server; content:"User-Agent|3a| Mysqloit"; fast_pattern:only; http_header; reference:url,code.google.com/p/mysqloit/; classtype:attempted-recon; sid:2009882; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected"; flow:established,to_server; content:"+UNION+select+'BENCHMARK(10000000,SHA1(1))"; http_uri; fast_pattern:only; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009883; classtype:attempted-recon; sid:2009883; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectButler RFI attempt "; flow:established,to_server; uricontent:"/pda_projects.php?offset=http\:"; nocase; reference:url,www.sans.org/top20/; reference:url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt; reference:url,doc.emergingthreats.net/2009887; classtype:web-application-attack; sid:2009887; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) "; flow:established,to_server; content:"/includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009888; classtype:web-application-attack; sid:2009888; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS MAXcms RFI attempt (2) "; flow:established,to_server; content:"/classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009889; classtype:web-application-attack; sid:2009889; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) "; flow:established,to_server; content:"/classes/class.thcsm_user.php?is_path=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009890; classtype:web-application-attack; sid:2009890; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) "; flow:established,to_server; content:"/modul/mod.users.php?thCMS_root=http|3a|"; nocase; http_uri; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009891; classtype:web-application-attack; sid:2009891; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt "; flow:established,to_server; uricontent:"/home.php?page=http\:"; nocase; reference:url,packetstormsecurity.org/0907-exploits/paid4mail-rfi.txt; reference:url,doc.emergingthreats.net/2009892; classtype:web-application-attack; sid:2009892; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 16680 (msg:"ET POLICY OperaUnite URL Registration"; flow:to_server,established; content:"REGISTER"; offset:0; depth:8; content:"operaunite.com"; within:109; reference:url,unite.opera.com; reference:url,doc.emergingthreats.net/2009895; classtype:policy-violation; sid:2009895; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Winwebsec User-Agent Detected"; 
flow:established,to_server; content:"User-Agent|3a| InstallNotify/1.0"; http_header; reference:url,www.f-secure.com/sw-desc/rogue_w32_winwebsec.shtml; reference:url,blogs.technet.com/mmpc/archive/2009/05/13/msrt-tackles-another-rogue.aspx; reference:url,doc.emergingthreats.net/2009896; classtype:trojan-activity; sid:2009896; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/latestposts.php?"; nocase; http_uri; content:"forumspath="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009904; classtype:web-application-attack; sid:2009904; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/forum.php?"; nocase; http_uri; content:"GLOBALS[UTE][__tplCollection][a][file]="; nocase; http_uri; content:"../"; reference:url,www.exploit-db.com/exploits/8841/; reference:url,secunia.com/advisories/35299/; reference:url,doc.emergingthreats.net/2009905; classtype:web-application-attack; sid:2009905; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Online Grades parents.php ADD Parameter SQL Injection"; 
flow:to_server,established; content:"GET "; depth:4; uricontent:"/parents/parents.php?"; nocase; uricontent:"func=mailto"; nocase; uricontent:"ADD="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35304/; reference:url,milw0rm.com/exploits/8844; reference:url,doc.emergingthreats.net/2009906; classtype:web-application-attack; sid:2009906; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009913; classtype:web-application-attack; sid:2009913; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009914; classtype:web-application-attack; sid:2009914; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog 
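component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009915; classtype:web-application-attack; sid:2009915; rev:6;)
# NOTE(review) on the rule ending above (sid 2009915): its keyword content read "INSER"; it is
# completed to "INSERT" so the pre-filter agrees with the rule's own pcre /INSERT.+INTO/Ui and
# with the Foobla INSERT INTO rule (sid 2009924). Any URI that satisfies the pcre contains
# both strings, so the set of requests that alert is unchanged.
#
# sid 2009916: inbound request to an HTTP server whose normalized URI holds the com_djcatalog
# showItem path and UNION followed later by SELECT (case-insensitive).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009916; classtype:web-application-attack; sid:2009916; rev:6;)
# sid 2009917: same com_djcatalog path, with UPDATE followed later by SET in the URI.
# "SET" is a short, common substring; the pcre only requires it somewhere after UPDATE.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009917; classtype:web-application-attack; sid:2009917; rev:6;)
# sid 2009919: inbound request whose normalized URI holds the com_jlord_rss feed path and
# SELECT followed later by FROM (case-insensitive).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009919; classtype:web-application-attack; sid:2009919; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 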
Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009920; classtype:web-application-attack; sid:2009920; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009921; classtype:web-application-attack; sid:2009921; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009922; classtype:web-application-attack; sid:2009922; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009924; classtype:web-application-attack; sid:2009924; rev:4;)
# sid 2009926 / 2009928 -- x10 Automatic MP3 Script, web_root local file inclusion.
# Both rules need all of the following on an established client-to-server flow:
#   - the payload starts with "GET " (depth:4), so other HTTP methods are not covered;
#   - the script path and "web_root=" appear in the URI (uricontent, case-insensitive);
#   - a literal "../" appears in the payload.
# The "../" content carries no URI modifier and no distance/within, so it is not
# tied to the web_root value.
# NOTE(review): a "../" anywhere else in the request would satisfy it -- when
# triaging an alert, confirm the traversal sequence is in the web_root value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/function_core.php?"; nocase; uricontent:"web_root="; nocase; content:"../"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009926; classtype:web-application-attack; sid:2009926; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/templates/layout_lyrics.php?"; nocase; uricontent:"web_root="; nocase; content:"../"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009928; classtype:web-application-attack; sid:2009928; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! 
com_album Component Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?option=com_album&"; nocase; http_uri; content:"Itemid=128&"; nocase; http_uri; content:"target="; nocase; http_uri; reference:url,www.securityfocus.com/bid/36441/info; reference:url,www.exploit-db.com/exploits/9706/; reference:url,doc.emergingthreats.net/2009929; classtype:web-application-attack; sid:2009929; rev:5;)
# sid 2009929 (the rule ending on the line above) matches three URI substrings only:
# "option=com_album&", "Itemid=128&" and "target=". It does not inspect the target
# value, so any request to that view with Itemid=128 alerts, and a request using a
# different Itemid does not. Treat a hit as "request reached the component", not as
# proof of a traversal payload.

# sid 2009930 -- outbound request whose header block contains the literal
# "User-Agent: User Agent" (|3a| is ':'). The match is case-sensitive (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| User Agent"; http_header; reference:url,doc.emergingthreats.net/2009930; classtype:trojan-activity; sid:2009930; rev:6;)
# sid 2009931 / 2009932 -- generic remote-file-inclusion shape, scoped by script path.
# The pcre runs on the normalized URI (U), case-insensitively (i): ".php?" followed
# within 300 characters by "=" and then immediately http:, ftp:, https: or ftps:
# (\x2E '.', \x3F '?', \x3D '=', \x3A ':').
# The pcre does not name the vulnerable parameter, so any parameter of the script
# whose value starts with one of those schemes alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/OpenSiteAdmin/pages/pageHeader.php?"; http_uri; nocase; content:"="; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; reference:url,www.securityfocus.com/bid/36445/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009931; classtype:web-application-attack; sid:2009931; rev:4;)
# Same pcre as sid 2009931; this rule still uses the older uricontent keyword where
# the neighbouring rules use content + http_uri.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt"; flow:established,to_server; uricontent:"/libraries/database.php?"; nocase; uricontent:"="; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; reference:url,www.securityfocus.com/bid/36411/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009932; classtype:web-application-attack; sid:2009932; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! 
com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt"; flow:established,to_server; content:"/com_koesubmit/koesubmit.php?"; nocase; http_uri; content:"="; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; reference:url,www.securityfocus.com/bid/36447/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009933; classtype:web-application-attack; sid:2009933; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_moofaq/includes/file_includer.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,35259; reference:url,www.exploit-db.com/exploits/8898/; reference:url,doc.emergingthreats.net/2009934; classtype:web-application-attack; sid:2009934; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Frontis aps_browse_sources.php source_class Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/bin/aps_browse_sources.php?"; nocase; http_uri; content:"source_class="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35369/; reference:url,milw0rm.com/exploits/8900; reference:url,doc.emergingthreats.net/2009935; classtype:web-application-attack; sid:2009935; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger plog-download.php checked Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/plog-download.php?"; nocase; uricontent:"checked[]="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,30547; 
reference:url,xforce.iss.net/xforce/xfdb/44233; reference:url,milw0rm.com/exploits/6204; reference:url,doc.emergingthreats.net/2009936; classtype:web-application-attack; sid:2009936; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo MOStlyCE Module Image Manager Utility Arbitrary File Upload Attempt"; flow:established,to_server; content:"/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?"; nocase; http_uri; content:"Command=FileUpload"; nocase; http_uri; content:"/configuration.php"; nocase; http_uri; content:"CurrentFolder="; nocase; http_uri; reference:url,www.securityfocus.com/bid/27472/info; reference:url,doc.emergingthreats.net/2009937; classtype:web-application-attack; sid:2009937; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009938; classtype:web-application-attack; sid:2009938; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009939; classtype:web-application-attack; sid:2009939; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
Survey Manager Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009940; classtype:web-application-attack; sid:2009940; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009941; classtype:web-application-attack; sid:2009941; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_surveymanager"; nocase; http_uri; content:"task=editsurvey&"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009942; classtype:web-application-attack; sid:2009942; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009943; classtype:web-application-attack; sid:2009943; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009944; classtype:web-application-attack; sid:2009944; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009945; classtype:web-application-attack; sid:2009945; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009946; classtype:web-application-attack; sid:2009946; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_jbudgetsmagic"; nocase; http_uri; content:"view=mybudget&"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009947; classtype:web-application-attack; sid:2009947; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; content:"GET"; http_method; nocase; content:".pl~"; nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; classtype:web-application-attack; sid:2009949; rev:11;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".inc~"; nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:11;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".conf~"; 
nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; classtype:web-application-attack; sid:2009951; rev:11;)
# "Tilde in URI" family (sid 2009951 above, 2009952, 2009953, 2009955 below).
# Each rule fires on a GET request whose URI contains "<ext>~" (case-insensitive).
# The "~" suffix is presumably an editor backup copy of a script or include file,
# which a server may return as plain text instead of executing.
# The rules see only the request. They do not tell whether such a file existed, so
# check the response status and size before treating a hit as disclosure.
# Destination is $HOME_NET rather than $HTTP_SERVERS, so these cover any internal
# host listening on $HTTP_PORTS.
# Mitigation on the server side: do not leave "*~" files under the document root,
# and deny requests for them in the web server configuration.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .asp source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp~"; nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009952; classtype:web-application-attack; sid:2009952; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .aspx source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".aspx~"; nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009953; classtype:web-application-attack; sid:2009953; rev:11;)
# NOTE(review): this msg names the extension as ".php~" while the sibling rules
# name it without the tilde (".asp", ".aspx"). Keep that in mind when grouping or
# filtering alerts by message text.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php~"; nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
JoomlaFacebook Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009956; classtype:web-application-attack; sid:2009956; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009957; classtype:web-application-attack; sid:2009957; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009958; classtype:web-application-attack; sid:2009958; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
JoomlaFacebook Component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009959; classtype:web-application-attack; sid:2009959; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_facebook"; nocase; http_uri; content:"view=student"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009960; classtype:web-application-attack; sid:2009960; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009961; classtype:web-application-attack; sid:2009961; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SportFusion Component DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009962; classtype:web-application-attack; sid:2009962; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009963; classtype:web-application-attack; sid:2009963; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009964; classtype:web-application-attack; sid:2009964; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
SportFusion Component UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_sportfusion"; nocase; http_uri; content:"view=teamdetail"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009965; classtype:web-application-attack; sid:2009965; rev:4;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P KuGoo P2P Connection"; dsize:<30; content:"|64|"; depth:1; content:"|70|"; distance:5; content:"|50 37|"; distance:4; reference:url,koogoo.com; reference:url,doc.emergingthreats.net/2009966; classtype:policy-violation; sid:2009966; rev:3;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request(2)"; dsize:35; content:"|e4 20|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009968; classtype:policy-violation; sid:2009968; rev:4;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Firewalled Request"; dsize:35; content:"|e4 50|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009969; classtype:policy-violation; sid:2009969; rev:4;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Server Status Request"; dsize:44; content:"|8c 97|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; 
reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009972; classtype:policy-violation; sid:2009972; rev:4;)
# CMScontrol 7.x id_menu SQL injection (CVE-2009-3326): sid 2009977 (DELETE FROM),
# 2009978 (INSERT INTO), 2009979 (UPDATE SET); sid 2009980 (SELECT FROM) starts at
# the end of this group.
# All four rules carry the same msg text, so an alert can be attributed to a SQL
# verb only through its sid.
# Two matching styles are used:
#   - 2009977 / 2009979: unordered URI contents, then a pcre on the normalized URI
#     that enforces the order id_menu= ... <verb> ... <keyword>.
#   - 2009978 (and 2009980): no pcre; order is enforced with distance:0 on each
#     content, with fast_pattern on "id_menu=".
# The first content is the generic "/index.php?", so the rules are not limited to
# CMScontrol installs: any application taking an id_menu parameter on index.php can
# trigger them.
# NOTE(review): no UNION SELECT variant for this application is visible in this
# part of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/id_menu\x3d.+DELETE.+FROM/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009977; classtype:web-application-attack; sid:2009977; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; fast_pattern; distance:0; nocase; http_uri; content:"INSERT"; distance:0; nocase; http_uri; content:"INTO"; distance:0; nocase; http_uri; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/id_menu\x3d.+UPDATE.+SET/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009979; classtype:web-application-attack; sid:2009979; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; 
fast_pattern; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:6;)
# FTP username SQL injection family: sid 2009981 (SELECT FROM), 2009982 (DELETE
# FROM), 2009983 (INSERT INTO), 2009984 (UPDATE SET); the UNION SELECT variant
# begins with the "alert tcp" fragment that closes this group.
# Match logic, identical across the family apart from the keyword pair:
#   - "USER" in the first 4 payload bytes (case-sensitive, depth:4);
#   - the first SQL keyword within 200 bytes after it (within:200, nocase);
#   - the second keyword anywhere after the first (distance:0, nocase);
#   - a case-insensitive pcre requiring <kw1>, at least one character, <kw2>.
# The rules are tied to destination port 21 only, so an FTP daemon listening on
# another port is not covered.
# They do not identify a specific FTP product: the msg says "Possible" and the only
# non-ET reference is a general SQL injection article.
# NOTE(review): whether a given daemon passes the username to a SQL backend cannot
# be told from the rule; confirm against the server's authentication setup.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"SELECT"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/SELECT.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009981; classtype:attempted-user; sid:2009981; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"DELETE"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/DELETE.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009982; classtype:attempted-user; sid:2009982; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INSERT"; within:200; nocase; content:"INTO"; distance:0; nocase; pcre:"/INSERT.+INTO/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009983; classtype:attempted-user; sid:2009983; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UPDATE"; within:200; nocase; content:"SET"; distance:0; nocase; pcre:"/UPDATE.+SET/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009984; classtype:attempted-user; sid:2009984; rev:2;)
alert tcp 
$EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UNION"; within:200; nocase; content:"SELECT"; distance:0; nocase; pcre:"/UNION.+SELECT/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009985; classtype:attempted-user; sid:2009985; rev:2;)
# sid 2009986 -- has no content or pcre option. It fires on any UDP datagram from
# $HOME_NET port 8247 to $EXTERNAL_NET port 8247, limited by the threshold (type
# both, count 2 in 60 seconds, tracked per source).
# NOTE(review): the msg puts this in the P2P category, yet classtype is
# trojan-activity; the other Octoshape rule in this file (sid 2010008) uses
# policy-violation. Confirm which priority is intended before alerting on it.
alert udp $HOME_NET 8247 -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape UDP Session"; threshold: type both, count 2, seconds 60, track by_src; reference:url,msmvps.com/blogs/bradley/archive/2009/01/20/peer-to-peer-on-cnn.aspx; reference:url,doc.emergingthreats.net/2009986; classtype:trojan-activity; sid:2009986; rev:2;)
# sid 2009988 -- exact header "User-Agent: MzApp" followed by CRLF (|0d 0a|),
# case-sensitive.
# NOTE(review): the doc.emergingthreats.net reference ends in 2007594 while the
# sid is 2009988; every other rule in this part of the file references its own
# sid. Check whether this rule duplicates sid 2007594 or the reference was copied
# from it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp)"; flow:established,to_server; content:"User-Agent|3a| MzApp|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2009988; rev:3;)
# sid 2009990 -- the pcre (normalized URI, case-insensitive) wants "name=", at
# least one character, then any of IMG, SCRIPT, SRC, onkey, onmouse, onload.
# The tokens are bare substrings with no angle bracket or "=" required, so a
# harmless search term that merely contains one of them also alerts; hence
# "Possible" in the msg.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt"; flow:established,to_server; content:"/profiles/html/simpleSearch.do?name="; nocase; http_uri; pcre:"/name=.+(IMG|SCRIPT|SRC|onkey|onmouse|onload)/Ui"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022945.html; reference:url,doc.emergingthreats.net/2009990; classtype:web-application-attack; sid:2009990; rev:4;)
# sid 2009991 -- the msg says "MyIE/1.0" but the content stops at "MyIE/", so any
# version string after the slash matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (MyIE/1.0)"; flow:established,to_server; content:"User-Agent|3a| MyIE/"; http_header; reference:url,doc.emergingthreats.net/2009991; classtype:trojan-activity; sid:2009991; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; 
flow:established,to_server; content:"User-Agent|3a| VaccineKiller"; http_header; reference:url,doc.emergingthreats.net/2009993; classtype:trojan-activity; sid:2009993; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN User-Agent (STEROID Download)"; flow:established,to_server; content:"User-Agent|3a| STEROID Download|0D 0A|"; nocase; http_header; reference:url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10; reference:url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html; reference:url,doc.emergingthreats.net/2009994; classtype:trojan-activity; sid:2009994; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009995; classtype:trojan-activity; sid:2009995; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Smilebox Spyware Download"; flow:established,to_server; content:"GET"; http_method; content:"/smilebox/SmileboxInstaller.exe"; nocase; http_uri; reference:url,www.smilebox.com/info/privacy.html; reference:url,doc.emergingthreats.net/2009998; classtype:policy-violation; sid:2009998; rev:9;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:3;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:4;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn 
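access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:4;)
# sid 2010003 (ends on the line above) -- the content is the procedure name with a
# |00| after every character, i.e. two bytes per character, matched
# case-insensitively on traffic to $SQL_SERVERS port 1433.

# sid 2010004 -- "sp_start_job" anywhere in the payload of a request to
# $HTTP_SERVERS (no URI modifier; fast_pattern:only, so no position is checked).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_start_job attempt"; flow:to_server,established; content:"sp_start_job"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/2010004; classtype:attempted-user; sid:2010004; rev:5;)
# sid 2010007 -- outbound GET whose URI contains ".php?cmd=getFile&counter="
# followed by at least one digit (pcre on the normalized URI). The content match is
# case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:11;)
# sid 2010008 -- a UDP rule: HTTP-looking text ("POST / HTTP/1." within the first
# 64 bytes, plus an "Oshtcp-streamtype:" header) sent to UDP port 8247. Limited to
# one alert per source every 600 seconds.
alert udp $HOME_NET any -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape P2P streaming media"; content:"POST / HTTP/1."; depth:64; content:"Oshtcp-streamtype|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,doc.emergingthreats.net/2010009; classtype:policy-violation; sid:2010008; rev:4;)
# sid 2010009 -- Webmin pre-1.290 "/unauthenticated/" traversal attempt.
# Requires: payload starts with "POST " (depth:5), "/unauthenticated/" in the URI,
# and the raw sequence "/unauthenticated//..%01/..%01/..%01/" in the payload.
# FIX: the uricontent previously read "/unathenticated/" (missing "u"). Both the
# uricontent and the raw content must match, and a request carrying the raw
# sequence has "/unauthenticated/" in its URI, not the misspelt form, so the rule
# could not fire on the traffic it describes.
# sid and rev are left as published; bump rev (or move the rule to a local sid)
# according to your ruleset process, and replay a known capture before deploying.
# NOTE(review): only POST is covered by the depth:5 check; confirm whether the
# same request sent with another method should alert as well.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/unauthenticated/"; content:"/unauthenticated//..%01/..%01/..%01/"; reference:url,bliki.rimuhosting.com/comments/knowledgebase/linux/miscapplications/webmin; reference:url,doc.emergingthreats.net/2010009; classtype:web-application-attack; sid:2010009; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! 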
Game Server Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010014; classtype:web-application-attack; sid:2010014; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010015; classtype:web-application-attack; sid:2010015; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010016; classtype:web-application-attack; sid:2010016; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! 
Game Server Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010017; classtype:web-application-attack; sid:2010017; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010018; classtype:web-application-attack; sid:2010018; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/manager/html"; nocase; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"Authorization|3a| Basic"; http_header; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SHOP-INET show_cat2.php grid Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/show_cat2.php?"; nocase; uricontent:"grid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,33471; reference:url,milw0rm.com/exploits/7874; reference:url,secunia.com/advisories/33660/; reference:url,doc.emergingthreats.net/2010020; 
classtype:web-application-attack; sid:2010020; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RS-CMS rscms_mod_newsview.php key Parameter Processing Remote SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/rscms_mod_newsview.php?"; nocase; uricontent:"key="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/9000; reference:url,vupen.com/english/advisories/2009/1658; reference:url,doc.emergingthreats.net/2010021; classtype:web-application-attack; sid:2010021; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptWeb a_index.php CodigoDisciplina Parameter Remote SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/a_index.php?"; nocase; http_uri; content:"CodigoDisciplina="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:cve,CVE-2009-2152; reference:url,en.securitylab.ru/nvd/381723.php; reference:url,milw0rm.com/exploits/8954; reference:url,doc.emergingthreats.net/2010022; classtype:web-application-attack; sid:2010022; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/locms/smarty.php?"; nocase; http_uri; content:"cwd="; nocase; http_uri; content:"../"; depth:200; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010023; classtype:web-application-attack; sid:2010023; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/locms/smarty.php?"; nocase; http_uri; 
content:"cwd="; nocase; http_uri; pcre:"/cwd=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010024; classtype:web-application-attack; sid:2010024; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/dm-albums/template/album.php?"; nocase; uricontent:"SECURITY_FILE="; nocase; content:"../"; depth:200; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010025; classtype:web-application-attack; sid:2010025; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TorrentTrader Classic delreq.php categ Parameter Sql Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/torrenttrader109/delreq.php?"; nocase; uricontent:"categ="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/8958; reference:bugtraq,35369; reference:url,doc.emergingthreats.net/2010026; classtype:web-application-attack; sid:2010026; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php jahr Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/newsscript.php?"; nocase; http_uri; content:"m=archive"; nocase; http_uri; content:"jahr="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/7741; classtype:web-application-attack; sid:2010028; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"/dhost/modules"; nocase; uricontent:"dconserv.dlm="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload)/Ui"; reference:url,www.securityfocus.com/bid/36567/info; reference:url,doc.emergingthreats.net/2010031; classtype:web-application-attack; sid:2010031; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt"; flow:established,to_server; content:"INTO"; nocase; http_uri; content:"OUTFILE"; nocase; http_uri; pcre:"/INTO.+OUTFILE/Ui"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010037; classtype:web-application-attack; sid:2010037; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; file_data; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; distance:0; content:"SetSuperBuddy"; nocase; distance:0; content:"//"; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:13;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010040; classtype:web-application-attack; sid:2010040; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010041; classtype:web-application-attack; sid:2010041; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010042; classtype:web-application-attack; sid:2010042; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010043; classtype:web-application-attack; sid:2010043; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; content:"/index.php?option=com_cbresumebuilder"; nocase; http_uri; content:"task=group_members"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010044; classtype:web-application-attack; sid:2010044; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010045; classtype:web-application-attack; sid:2010045; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010046; classtype:web-application-attack; sid:2010046; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010047; classtype:web-application-attack; sid:2010047; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla! 
Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; content:"/index.php?option=com_soundset"; nocase; http_uri; content:"showcategory"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010048; classtype:web-application-attack; sid:2010048; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download Antivirus_21.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Antivirus_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/2010050; classtype:trojan-activity; sid:2010050; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download ws.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010051; classtype:trojan-activity; sid:2010051; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; http_method; content:"/pcdef.exe"; nocase; http_uri; classtype:trojan-activity; sid:2010055; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; 
sid:2010059; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download InternetAntivirusPro.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/InternetAntivirus"; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010061; classtype:trojan-activity; sid:2010061; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download AntivirusPlus.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/AntivirusPlus"; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010062; classtype:trojan-activity; sid:2010062; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SafeFighter Fake Scanner Installation in Progress"; flow:established,to_server; content:"/safefighter.php"; nocase; http_uri; content:"User-Agent|3a| NSIS"; nocase; http_header; reference:url,doc.emergingthreats.net/2010065; classtype:trojan-activity; sid:2010065; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(? 
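$EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; content:!"upload.wikimedia.org"; http_uri; pcre:"/\.jpg$/U"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:9;)

# NOTE(review): the text above begins at "$EXTERNAL_NET" with no "alert <proto> <src> <port> ->"
# header, and the preceding gif rule stops inside its second pcre. The span between them looks
# lost in extraction. Restore the gif rule and sid 2010067 from the upstream ruleset before
# loading this file; a rule without a header will not parse.

# Outbound request for /get<digits>.php?c=<8 uppercase letters>&d=<250 or more uppercase hex
# characters> at the end of the URI. Sets flowbit ET.Hiloti (its consumers are not visible here).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; flowbits:set,ET.Hiloti; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2010071; rev:8;)

# Docebo index.php?modname= request whose URI has UPDATE ... SET after one of the listed
# modname values (meta_certificate, certificate, link).
# Fix: the pcre previously required the literal "UPTDATE", so the content matches on "UPDATE"
# could succeed while the pcre never did, and the rule could not alert. It now reads "UPDATE".
# sid 2010078 further down this file carries the same msg with a tighter \bUPDATE\b pcre;
# keep only one of the two enabled to avoid duplicate alerts. sid and rev are left as published.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UPDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010073; classtype:web-application-attack; sid:2010073; rev:3;)

# Same Docebo anchor as above, keyed on UNION ... SELECT in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/36654/info; 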
reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010074; classtype:web-application-attack; sid:2010074; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010075; classtype:web-application-attack; sid:2010075; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+DELETE.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010076; classtype:web-application-attack; sid:2010076; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; distance:0; nocase; http_uri; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bINSERT\b.*?INTO\b/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; 
classtype:web-application-attack; sid:2010077; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; distance:0; content:"SET"; distance:0; nocase; http_uri; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bUPDATE\b.*?SET\b/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; http_uri; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/Ui"; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INTO"; within:200; nocase; content:"OUTFILE"; distance:0; nocase; pcre:"/INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010081; classtype:attempted-user; sid:2010081; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt"; flow:established,to_server; content:"/awstats/awstats.pl?config="; nocase; 
http_uri; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert| $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; content:"ALTER"; nocase; http_uri; pcre:"/ALTER\ +(database|procedure|table|column)/Ui"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; reference:url,doc.emergingthreats.net/2010084; classtype:web-application-attack; sid:2010084; rev:4;)

# NOTE(review): the text above is two rules fused together. The AWStats XSS pcre stops after
# "alert|" and the ALTER rule (sid 2010084) starts at "$HTTP_SERVERS" without its
# "alert tcp <src> <port> ->" header; the span in between looks lost in extraction.
# Restore both rules from the upstream ruleset before loading this file.

# Inbound URI containing DROP, one or more literal spaces, then database|procedure|table|column
# (case-insensitive, normalized URI). Generic keyword match with no application anchor, so
# benign URLs containing these words will also alert; tune or threshold per site.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; content:"DROP"; nocase; http_uri; pcre:"/DROP\ +(database|procedure|table|column)/Ui"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; reference:url,doc.emergingthreats.net/2010085; classtype:web-application-attack; sid:2010085; rev:4;)

# Same shape as the DROP rule, for CREATE followed by database|procedure|table|column|directory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; content:"CREATE"; nocase; http_uri; pcre:"/CREATE\ +(database|procedure|table|column|directory)/Ui"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; reference:url,doc.emergingthreats.net/2010086; classtype:web-application-attack; sid:2010086; rev:5;)

# Inbound request whose User-Agent header line contains "sql" and, later on the same line,
# "inject" (case-insensitive). The pcre runs on the header buffer in multiline mode.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"SQL"; http_header; nocase; content:"Inject"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3A[^\n]+sql[^\n]+inject/Hmi"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; classtype:attempted-recon; sid:2010087; rev:10;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing Web 
Scan/er Likely Web Scanner"; flow:established,to_server; content:"User|2D|Agent|3A|"; http_header; content:"web"; http_header; nocase; content:"scan"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3A[^\n]+web[^\n]+scan/Hmi"; reference:url,doc.emergingthreats.net/2010088; classtype:attempted-recon; sid:2010088; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan"; flow:established,to_server; content:"User|2D|Agent|3A|"; http_header; content:"security"; http_header; nocase; content:"scan"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3A[^\n]+security[^\n]+scan/Hmi"; reference:url,doc.emergingthreats.net/2010089; classtype:attempted-recon; sid:2010089; rev:8;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/top_graph_header.php?"; nocase; uricontent:"config[library_path]="; nocase; pcre:"/config\[library_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,14030; reference:url,doc.emergingthreats.net/2010097; classtype:web-application-attack; sid:2010097; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Telephone Directory 2008 edit1.php code Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/edit1.php?"; nocase; uricontent:"action=confirm_data"; nocase; uricontent:"code="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,29614; reference:url,xforce.iss.net/xforce/xfdb/42972; reference:url,milw0rm.com/exploits/5764; reference:url,doc.emergingthreats.net/2010098; classtype:web-application-attack; sid:2010098; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Celepar module for Xoops 
aviso.php codigo SQL injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/modules/qas/aviso.php?"; nocase; uricontent:"codigo="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,milw0rm.com/exploits/9249; reference:url,xforce.iss.net/xforce/xfdb/51985; reference:url,doc.emergingthreats.net/2010121; classtype:web-application-attack; sid:2010121; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php idneu Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/newsscript.php?"; nocase; http_uri; content:"m=archive"; nocase; http_uri; content:"idneu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010122; classtype:web-application-attack; sid:2010122; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php newsid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/newsscript.php?"; nocase; http_uri; content:"mailto=ok"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010123; classtype:web-application-attack; sid:2010123; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/load_lang.php?"; nocase; uricontent:"_SERWEB[configdir]="; nocase; 
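pcre:"/_SERWEB\[configdir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,26747; reference:url,milw0rm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010124; classtype:web-application-attack; sid:2010124; rev:2;)

# SERWeb main_prepend.php: GET whose URI sets _SERWEB[functionsdir]= to a value starting with an
# http, https, ftp, ftps or php scheme (remote file inclusion pattern).
# Fix (this rule and the tail of sid 2010124 above): the reference host read "milworm.com";
# corrected to "milw0rm.com", the spelling used by the other rules in this file. Detection
# logic is unchanged.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/main_prepend.php?"; nocase; uricontent:"_SERWEB[functionsdir]="; nocase; pcre:"/_SERWEB\[functionsdir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,26747; reference:url,milw0rm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010125; classtype:web-application-attack; sid:2010125; rev:2;)

# Ultrize TimeSheet timesheet.php: GET with config[include_dir]= in the URI and "../" somewhere
# in the first 200 payload bytes. The "../" check is a raw-payload match that is not tied to the
# parameter value, so it can also be satisfied by "../" elsewhere at the start of the request.
# The parameter uricontent has no nocase, unlike the path match before it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/timesheet.php?"; nocase; uricontent:"config[include_dir]="; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010127; classtype:web-application-attack; sid:2010127; rev:2;)

# Outbound request keyed on unusual mixed-case spellings: method "GeT", "HttP" within the first
# 200 bytes, a "HoST: " header, and a "UsER-AgENt: " header with an empty value. All matches
# are case-sensitive (no nocase), which is what separates this from ordinary client traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt)"; flow:established,to_server; content:"GeT"; http_method; content:"HttP"; depth:200; content:"|0d 0a|HoST|3a| "; content:"UsER-AgENt|3a| |0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010129; classtype:trojan-activity; sid:2010129; rev:6;)

# Achievo weekreport dispatch URI with userid= and UNION ... SELECT in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; 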
pcre:"/UNION.+SELECT/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010131; classtype:web-application-attack; sid:2010131; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010132; classtype:web-application-attack; sid:2010132; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010133; classtype:web-application-attack; sid:2010133; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt"; flow:established,to_server; 
content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010134; classtype:web-application-attack; sid:2010134; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010135; classtype:web-application-attack; sid:2010135; rev:3;) alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Sme32)"; flow: established, to_server; content:"User-Agent|3a| Sme32|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010137; classtype:trojan-activity; sid:2010137; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Agent.QBY CnC Post"; flow:established,to_server; content:"cike.php?fid="; nocase; http_uri; content: "&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63; reference:url,doc.emergingthreats.net/2010138; 
classtype:trojan-activity; sid:2010138; rev:3;) alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Vuze BT Connection"; flow:established; content:"|00 00|"; depth:2; content:"|05|AZVER|01|"; distance:5; within:7; content:"appid"; within:10; threshold:type limit, track by_src, count 10, seconds 600; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010139; classtype:policy-violation; sid:2010139; rev:5;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024: (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:!"|00 22 02 00|"; depth: 4; content:"|00 00 04|"; distance:8; within:3; content:"|00 00 00 00 00|"; distance:6; within:5; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; classtype:policy-violation; sid:2010140; rev:7;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (2)"; dsize:94; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff 00 00 00 00 02 05 21|"; distance:8; within:11; content:"|00 00 00 00 00 00|"; distance:25; within:6; content:"|00 00|"; distance:20; within:2; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010141; classtype:policy-violation; sid:2010141; rev:3;) alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (3)"; dsize:80; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|02 05 21 04|"; distance:4; within:4; threshold:type limit, track by_dst, count 10, seconds 600; reference:url,doc.emergingthreats.net/2010142; classtype:policy-violation; sid:2010142; rev:4;) alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (4)"; dsize:<300; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff|"; distance:8; within:4; reference:url,doc.emergingthreats.net/2010143; 
classtype:policy-violation; sid:2010143; rev:3;)
# sid:2010144 - Vuze UDP (5): a fixed 12-byte pattern at the start of a datagram smaller than
# 20 bytes, sent from HOME_NET ports 1024-65535. The threshold (type limit, count 1, 120 s,
# track by_src) emits at most one alert per source per window, so alert counts understate
# how many matching datagrams were seen.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (5)"; dsize:<20; content:"|00 00 04 17 27 10 19 80 00 00 00 00|"; depth:12; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010144; classtype:policy-violation; sid:2010144; rev:6;)
# sid:2010145 - RequisitePro workingSet.jsp XSS. Needs the path and "operation=add" in the
# URI, then an unanchored keyword alternation against the normalized URI (/U, case-insensitive).
# The alternation is not tied to a parameter value: a short token such as "src" or "img"
# anywhere in the URI satisfies it, so treat a hit as a lead and confirm it in the request.
# sid:2010181 in this file anchors the same alternation to a parameter name instead.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/advanced/workingSet.jsp"; nocase; http_uri; content:"operation=add"; nocase; http_uri; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010145; classtype:web-application-attack; sid:2010145; rev:3;)
# sid:2010146 - Tomcat Host Manager XSS (CVE-2008-1947). Same shape as sid:2010145: path plus
# "method=" in the URI, then the unanchored alternation. The same false-positive caveat applies.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt"; flow:established,to_server; content:"/host-manager/html/add"; nocase; http_uri; content:"method="; nocase; http_uri; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/29502/info; reference:cve,2008-1947; reference:url,doc.emergingthreats.net/2010146; classtype:web-application-attack; sid:2010146; rev:3;)
# sid:2010147 - bloofoxCMS 'search' XSS. A single content pins path and parameter name; the
# alternation is again unanchored, so an ordinary search term containing one of the tokens
# (for example the word "script") is enough to alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/search.5.html?search="; nocase; http_uri; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36700/info; reference:url,doc.emergingthreats.net/2010147; classtype:web-application-attack; sid:2010147; rev:3;)
# sid:2010148 - Inbound mail to $SMTP_SERVERS on port 25 carrying an attachment name of the
# form name="DHL...zip". The two contents (".zip" closing quote within 68 bytes of the opening)
# act as the cheap prefilter; the pcre confirms the shape and caps the free part at 63
# characters. No buffer modifier is used, so everything matches on the raw SMTP stream.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:4;)
# sid:2010150 - Koobface request. Both contents are nocase, but the pcre carries only /U
# (no /i), so the pcre is the deciding, case-sensitive condition: "?action=<word>gen&v=<digit>".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface HTTP Request (2)"; flow:established,to_server; content:"?action="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\?action=\w+gen&v=\d/U"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:4;)
# sid:2010151 - First half of a flowbits pair: a POST to /achcheck.php alerts and sets
# ET.koobfacecheck on the flow. There is no flowbits:noalert, so this rule alerts by itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface C&C availability check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/achcheck.php"; nocase; http_uri; flowbits:set,ET.koobfacecheck; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010151; classtype:trojan-activity; sid:2010151; rev:7;)
# sid:2010152 - Second half of the pair: fires only when ET.koobfacecheck is already set on
# the flow and the server side contains CRLF CRLF "ACH_OK". It depends on sid:2010151; if
# that rule is disabled during tuning, this one can never match. The content has no buffer
# modifier, so it is matched against the raw response stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Koobface C&C availability check successful"; flowbits:isset,ET.koobfacecheck; flow:established,from_server; content:"|0d 0a 0d 0a|ACH_OK"; nocase; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010152; classtype:trojan-activity; sid:2010152; rev:3;)
# sid:2010153 - Koobface command fetch (the rule text continues on the next line of this
# listing). Only ".php" is bound to the URI buffer; the parameter-name contents that follow
# carry no http_* modifier and no distance/within, so they match anywhere in the raw payload
# and in any order. "f=0&a=" is the fast_pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface fetch C&C command detected"; flow:established, to_server; content:".php"; nocase; http_uri; content:"f=0&a="; fast_pattern; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; 
content:"&c_be="; content:"&c_fr="; content:"&c_yb="; content:"&c_tg="; content:"&c_nl="; content:"&c_fu="; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010153; classtype:trojan-activity; sid:2010153; rev:5;)
# sid:2010156 - Alien Arena length-based signature on UDP port 27901. After "print\n\" the
# isdataat check requires at least 257 more bytes (cheap test first), then the pcre requires
# a backslash followed by 257 bytes that are neither backslash nor NUL. The source is "any",
# so internal senders are covered too; being UDP, the rule has no flow state to rely on.
alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6;)
# sid:2010157 - Exact header match on "User-Agent: XXX" followed by CRLF. The msg says
# "Suspicious" while the classtype is not-suspicious; the classtype decides the priority, so
# expect this to surface as informational.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent (XXX) Often Sony Update Related"; flow:established,to_server; content:"User-Agent|3a| XXX|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; classtype:not-suspicious; sid:2010157; rev:7;)
# sid:2010158 - Nanspy check-in: HEAD request whose URI holds /bbcount.php?action= plus the
# uid, locale and build parameters. Only the method match is nocase; the URI contents are
# case-sensitive and unordered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nanspy Bot Checkin"; flow:established,to_server; content:"HEAD"; nocase; http_method; content:"/bbcount.php?action="; http_uri; content:"&uid="; http_uri; content:"&locale="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2010158; classtype:trojan-activity; sid:2010158; rev:4;)
# sid:2010159 - 3Com OfficeConnect utility.cgi command injection. The destination is
# $HOME_NET rather than $HTTP_SERVERS, so it covers devices not listed as web servers. The
# rule keys on "||" followed by any characters and a letter in the URI; it does not inspect
# credentials, despite the "Default User Account" wording in the msg.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; content:"/utility.cgi?testType="; nocase; http_uri; content:"IP="; nocase; http_uri; content:"|7C 7C|"; http_uri; pcre:"/\x7C\x7C.+[a-z]/Ui"; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; reference:url,doc.emergingthreats.net/2010159; classtype:attempted-admin; sid:2010159; rev:4;)
# sid:2010162 - Response-side rule (the rule text continues on the next line of this listing):
# a server response from HOME_NET whose body contains "Juniper Networks, Inc", then "Version:"
# within 100 bytes, then "ScreenOS". It reports what the server returned, not what was asked,
# so any outbound page carrying those strings will alert.
alert tcp $HOME_NET $HTTP_PORTS 
-> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; file_data; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46; reference:url,doc.emergingthreats.net/2010163; classtype:trojan-activity; sid:2010163; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daonol C&C Communication"; flow:established,to_server; content:"/x/?0"; http_uri; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; classtype:trojan-activity; sid:2010164; rev:4;) alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:to_server,established; content:".php?adv=adv"; http_uri; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; distance:0; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]+\)ver\d+\r?$/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:6;)
# sid:2010167 - WebSense viewHeaders.asp "Queue" XSS. First of a family that uses the legacy
# uricontent keyword where other rules in this file use content + http_uri. The pcre ties
# the keyword alternation to the parameter: name, optional whitespace, "=", then any run of
# quote, apostrophe, "<", ">" or space, then the keyword. That is considerably tighter than
# the unanchored alternation in rules such as sid:2010145.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010167; classtype:web-application-attack; sid:2010167; rev:2;)
# sid:2010168 - Same page, "FileName" parameter. The uricontent spells "FileName=" and the
# pcre spells "Filename"; both are case-insensitive (nocase and /i), so the difference in
# spelling does not change what matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"FileName="; nocase; pcre:"/Filename\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010168; classtype:web-application-attack; sid:2010168; rev:2;)
# sid:2010169 - Same page, "IsolatedMessageID" parameter (the rule text, including its pcre,
# continues on the next line of this listing).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"IsolatedMessageID="; nocase; 
pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010169; classtype:web-application-attack; sid:2010169; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; uricontent:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010170; classtype:web-application-attack; sid:2010170; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010171; classtype:web-application-attack; sid:2010171; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010172; classtype:web-application-attack; sid:2010172; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010173; classtype:web-application-attack; sid:2010173; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"Dictionary="; nocase; pcre:"/Dictionary\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010174; classtype:web-application-attack; sid:2010174; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"Scoring="; nocase; pcre:"/Scoring\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010175; classtype:web-application-attack; sid:2010175; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; uricontent:"MessagePart="; nocase; pcre:"/MessagePart\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; 
reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010176; classtype:web-application-attack; sid:2010176; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010177; classtype:web-application-attack; sid:2010177; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010178; classtype:web-application-attack; sid:2010178; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010179; classtype:web-application-attack; sid:2010179; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebSense Email security 
msgForwardToRiskFilter.asp ServerName XSS Attempt"; flow:established,to_server; uricontent:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; uricontent:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010180; classtype:web-application-attack; sid:2010180; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; content:"searchWord="; nocase; http_uri; pcre:"/searchWord\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010181; classtype:web-application-attack; sid:2010181; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; content:"maxHits="; nocase; http_uri; pcre:"/maxHits\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010182; classtype:web-application-attack; sid:2010182; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; 
content:"scopedSearch="; nocase; http_uri; pcre:"/scopedSearch\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010183; classtype:web-application-attack; sid:2010183; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt"; flow:established,to_server; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; http_uri; content:"scope="; nocase; http_uri; pcre:"/scope\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010184; classtype:web-application-attack; sid:2010184; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010185; classtype:web-application-attack; sid:2010185; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; 
reference:url,doc.emergingthreats.net/2010186; classtype:web-application-attack; sid:2010186; rev:2;)
# sid:2010187 - QUICKTEAM qte_result.php "title" UNION SELECT. The raw content "GET " at
# depth 4 limits the rule to requests that start with GET; the four uricontent matches are
# unordered. The pcre enforces only that UNION precedes SELECT somewhere in the normalized
# URI; it does not require either keyword to sit inside the title= value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010187; classtype:web-application-attack; sid:2010187; rev:2;)
# sid:2010188 - INSERT INTO variant of sid:2010187. The keywords are not word-bounded, so
# "INTO" also matches inside a longer word that follows "INSERT" in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010188; classtype:web-application-attack; sid:2010188; rev:2;)
# sid:2010189 - UPDATE SET variant. The likeliest of the family to fire on benign input:
# a title such as "update settings" contains "update" followed later by "set", which is all
# the pcre asks for. Check the full URI before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/qte_result.php?"; nocase; uricontent:"title="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010189; classtype:web-application-attack; sid:2010189; rev:2;)
# sid:2010194 - Adobe JRun logviewer.jsp traversal (the rule text continues on the next line
# of this listing). The path and "logfile=" are matched in the URI buffer, but "../" has no
# http_uri modifier: it is searched for in the first 200 bytes of the raw payload and is not
# tied to the logfile= value, so "../" in any early header also satisfies it.
# NOTE(review): the raw match is presumably deliberate, since a normalized URI buffer may
# already have resolved "../" sequences - confirm against the engine in use.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal"; flow:to_server,established; content:"GET"; http_method; content:"/logging/logviewer.jsp?"; nocase; http_uri; content:"logfile="; nocase; http_uri; content:"../"; depth:200; 
reference:url,www.dsecrg.ru/pages/vul/show.php?id=152; reference:url,www.vupen.com/english/advisories/2009/2285; reference:url,doc.emergingthreats.net/2010194; classtype:web-application-attack; sid:2010194; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/DetailFile.php?"; nocase; http_uri; content:"nFileId="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/0908-exploits/dscms-sql.txt; reference:url,doc.emergingthreats.net/2010195; classtype:web-application-attack; sid:2010195; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection"; flow:to_server,established; content:"GET"; http_method; content:"/2fly_gift.php?"; nocase; http_uri; content:"gameid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/36294/; reference:url,osvdb.org/show/osvdb/57136; reference:url,doc.emergingthreats.net/2010196; classtype:web-application-attack; sid:2010196; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/include/engine/content/elements/menu.php?"; nocase; http_uri; content:"CONFIG[AdminPath]="; nocase; http_uri; pcre:"/CONFIG\[AdminPath\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/57688; reference:url,doc.emergingthreats.net/2010197; classtype:web-application-attack; sid:2010197; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote 
File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/include/_bot.php?"; nocase; http_uri; content:"master[currentskin]="; nocase; http_uri; pcre:"/master\[currentskin\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36354; reference:url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt; reference:url,doc.emergingthreats.net/2010198; classtype:web-application-attack; sid:2010198; rev:3;)
# sid:2010200 - SiteMinder smpwservices.fcc XSS (CVE-2007-5923). One fixed path plus an
# unanchored keyword alternation over the normalized URI; this variant adds "alert" to the
# list. Any request to the path whose URI contains one of the tokens will alert, so confirm
# the hit in the request before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt"; flow:established,to_server; content:"/siteminderagent/forms/smpwservices.fcc"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:cve,2007-5923; reference:url,www.securityfocus.com/bid/26375/info; reference:url,doc.emergingthreats.net/2010200; classtype:web-application-attack; sid:2010200; rev:3;)
# sid:2010201 - Silon C&C URI shape: ".php?i=<word>_<8 hex digits>&k=<digits>" anchored to
# the end of the URI by "$". The msg says POST, but the rule does not constrain the HTTP
# method. With /i the hex class [0-9A-F] also accepts lowercase digits.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silon Encrypted Data POST to C&C"; flow:established,to_server; content:".php?i="; nocase; http_uri; content:"&k="; nocase; http_uri; pcre:"/\.php\?i=\w+_[0-9A-F]{8}&k=\d+$/Ui"; reference:url,www.trusteer.com/webform/w32silon-malware-analysis; reference:url,doc.emergingthreats.net/2010201; classtype:trojan-activity; sid:2010201; rev:3;)
# sid:2010214 - Adobe Flex index.template.html XSS (CVE-2009-1879). The pcre requires the
# keyword to appear after the file name, which narrows it to what follows the path. The dots
# in "index.template.html" are unescaped in the pcre and match any character; the literal
# content match on the path keeps that harmless.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt"; flow:established,to_server; content:"/Flex/index.template.html"; nocase; http_uri; pcre:"/index.template.html.+(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:cve,2009-1879; reference:url,securitytracker.com/alerts/2009/Aug/1022748.html; reference:url,doc.emergingthreats.net/2010214; classtype:web-application-attack; sid:2010214; rev:3;)
# sid:2010215 - (the rule text continues on the next line of this listing) Inbound request
# carrying the exact header "User-Agent: uil2pn". The rule identifies the client by its
# User-Agent only; it does not inspect the request for an injection payload, so pair a hit
# with the web server's own logs to see what was actually requested.
alert tcp $EXTERNAL_NET any -> $HOME_NET 
$HTTP_PORTS (msg:"ET SCAN SQL Injection Attempt (Agent uil2pn)"; flow:to_server,established; content:"User-Agent|3a| uil2pn|0d 0a|"; fast_pattern:only; http_header; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; classtype:web-application-attack; sid:2010215; rev:6;)
# sid:2010217 - Cbeplay check-in: POST whose body holds os=, &ver=, &idx=, &user=, &ioctl=
# and &data= in that order (each later content uses distance:0 relative to the previous
# match). "&ioctl=" is the fast_pattern. All matches are bound to the client body buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"os="; http_client_body; nocase; content:"&ver="; nocase; http_client_body; distance:0; content:"&idx="; http_client_body; nocase; distance:0; content:"&user="; http_client_body; nocase; distance:0; content:"&ioctl="; http_client_body; nocase; fast_pattern; distance:0; content:"&data="; http_client_body; distance:0; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:trojan-activity; sid:2010217; rev:11;)
# sid:2010218 - User-Agent prefix match, case-insensitive. The content has no trailing CRLF,
# so any User-Agent that begins with "Internet Antivirus" matches, whatever follows.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:trojan-activity; sid:2010218; rev:4;)
# sid:2010220 - User-Agent prefix match, case-sensitive (no nocase), again without a
# trailing CRLF.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ClickAdsByIE)"; flow:to_server,established; content:"User-Agent|3a| ClickAdsByIE"; http_header; reference:url,doc.emergingthreats.net/2010220; classtype:trojan-activity; sid:2010220; rev:4;)
# sid:2010221 - Fake-Rean installer download (the rule text continues on the next line of
# this listing). The pcre needs a digit 1-3 immediately before "/installer/Installer.exe".
# NOTE(review): flow is "to_server" only, while the neighbouring HTTP rules use
# "to_server,established" - confirm whether dropping "established" is intentional.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; content:"|2F|installer|2F|Installer|2E|exe"; nocase; http_uri; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/Ui"; 
reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010221; classtype:trojan-activity; sid:2010221; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker Traffic Redirection"; flow:established,to_server; content:"/?do=rphp"; nocase; http_uri; content:"&sub="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&q="; nocase; http_uri; content:"&orig="; nocase; http_uri; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010224; classtype:trojan-activity; sid:2010224; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET TROJAN W32.Koblu"; flow:established,to_server; content:"GET"; nocase; http_method; content:"sid="; nocase; http_uri; content:"&sa="; nocase; http_uri; content: "&p="; http_uri; content:"&q=cards&rf="; http_uri; content:"&enc="; http_uri; content:"&enk=&xsc=&xsp=&xsm="; http_uri; reference:url,doc.emergingthreats.net/2010230; classtype:trojan-activity; sid:2010230; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD"; depth:4; http_method; content:"?controller="; http_uri; content:"&abbr="; http_uri; content:"&setupType="; http_uri; content:"&ttl="; http_uri; content:"&pid="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010240; classtype:trojan-activity; sid:2010240; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; content:"GET"; http_method; content:"/Reports/install-report.php"; http_uri; content:"abbr="; http_uri; content:"TALWinInetHTTPClient"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010241; classtype:trojan-activity; sid:2010241; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/reports/get_product_domains.php?abbr="; http_uri; content:"&pid="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010242; classtype:trojan-activity; sid:2010242; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Obitel Downloader Request"; flow: established,to_server; content:".php?id="; http_uri; 
content:"User-Agent|3a| ie|0d 0a|"; http_header; pcre:"/\.php\?id=[0-9a-f]{8}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T; reference:url,doc.emergingthreats.net/2010244; classtype:trojan-activity; sid:2010244; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; distance:0; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010246; classtype:trojan-activity; sid:2010246; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST"; http_method; 
content:"verint="; http_client_body; content:"&uid="; http_client_body; content:"&wv="; http_client_body; content:"&report="; http_client_body; content:"&abbr="; http_client_body; content:"&pid="; http_client_body; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:6;)
# sid 2010248: outbound client request. The four http_uri contents are a prefilter; the
# pcre then pins the parameter order (spl, br, vers, s), requires vers to be exactly
# one digit, a dot, one digit, and requires the s= value to run to the end of the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eleonore Exploit Pack activity"; flow:established,to_server; content:"?spl="; http_uri; content:"&br="; http_uri; content:"&vers="; http_uri; content:"&s="; http_uri; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2010248; rev:3;)
# sid 2010254: inbound; payload must start with "GET " and the URI must contain the
# edit_htmlarea.php path plus highlighter= followed by a URL scheme.
# NOTE(review): uses the older uricontent keyword and a raw "GET " match, where
# neighbouring rules use content+http_uri and http_method; only requests that begin
# with "GET " are inspected by this signature.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/editor/edit_htmlarea.php?"; nocase; uricontent:"highlighter="; nocase; pcre:"/highlighter\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/57679; reference:url,doc.emergingthreats.net/2010254; classtype:web-application-attack; sid:2010254; rev:2;)
# sid 2010255: inbound; same "GET " prefix and uricontent pattern as sid 2010254.
# NOTE(review): the "../" content has no URI modifier, so it is matched on the raw
# payload within the first 200 bytes and is not tied to the _GET[filename] value.
# Confirm that is the intended coverage before relying on it for traversal detection.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/debugger/debug_php.php?"; nocase; uricontent:"_GET[filename]="; nocase; content:"../"; depth:200; reference:url,osvdb.org/show/osvdb/57680; reference:url,doc.emergingthreats.net/2010255; classtype:web-application-attack; sid:2010255; rev:2;)
# sid 2010259 (DvBBS boardrule.php): inbound GET; URI must contain the script name,
# groupboardid=, and UNION followed later by SELECT. The msg string and rule body
# continue on the next line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL 
Injection"; flow:to_server,established; content:"GET"; http_method; content:"/boardrule.php?"; nocase; http_uri; content:"groupboardid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36282; reference:url,doc.emergingthreats.net/2010259; classtype:web-application-attack; sid:2010259; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/components/com_ajaxchat/tests/ajcuser.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/59056; reference:url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt; reference:url,doc.emergingthreats.net/2010260; classtype:web-application-attack; sid:2010260; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0(compatible|3b| TALWinHttpClient)|0d 0a|"; http_header; fast_pattern:21,19; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010261; classtype:trojan-activity; sid:2010261; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (M0zilla)"; flow:established,to_server; content:"User-Agent|3A 20|M0zilla/4.0|20|(compatible)"; http_header; reference:url,doc.emergingthreats.net/2010265; classtype:trojan-activity; sid:2010265; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"c=voip&ord="; nocase; http_uri; content:"=&SCRNSZ"; http_uri; content:"&BRSRSZ="; http_uri; 
content:"&TIMEZONE="; http_uri; reference:url,doc.emergingthreats.net/2010266; classtype:trojan-activity; sid:2010266; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/Torpig Checkin"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"MyValue="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010267; classtype:trojan-activity; sid:2010267; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.SillyFDC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php"; nocase; http_uri; content:"getowner=1&uniqueid="; http_uri; content:"User-Agent|3a| WinHttp.WinHttpRequest"; http_header; reference:url,doc.emergingthreats.net/2010268; classtype:trojan-activity; sid:2010268; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Data Post to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=|22|sid|22 0d 0a 0d 0a|"; http_client_body; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; http_client_body; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; http_client_body; nocase; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; classtype:trojan-activity; sid:2010270; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59406; 
reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010271; classtype:web-application-attack; sid:2010271; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010272; classtype:web-application-attack; sid:2010272; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010273; classtype:web-application-attack; sid:2010273; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010274; 
classtype:web-application-attack; sid:2010274; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plus/feedback_js.php?"; nocase; http_uri; content:"arcurl="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010275; classtype:web-application-attack; sid:2010275; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/include/prodler.class.php?"; nocase; uricontent:"sPath="; nocase; pcre:"/sPath\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58298; reference:url,doc.emergingthreats.net/2010276; classtype:web-application-attack; sid:2010276; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin (double Content-Type headers)"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"Content-Type|3a| text/html"; http_header; content:"Content-type|3a| image/gif"; http_header; reference:url,doc.emergingthreats.net/2010282; classtype:trojan-activity; sid:2010282; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:8;)
# sid 2010284: generic, not application-specific. Fires on any inbound URI that
# contains SELECT followed later by INSTR (case-insensitive substring matches).
# NOTE(review): INSTR is matched as a substring, so longer words containing it also
# satisfy the rule; treat hits as leads and tune per site.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"INSTR"; nocase; http_uri; pcre:"/SELECT.+INSTR/Ui"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010284; classtype:web-application-attack; sid:2010284; rev:4;)
# sid 2010285: same shape as sid 2010284 with SUBSTR as the second keyword; because
# the match is a substring, it also covers SUBSTRING, as the msg indicates.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"SUBSTR"; nocase; http_uri; pcre:"/SELECT.+SUBSTR/Ui"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010285; classtype:web-application-attack; sid:2010285; rev:4;)
# sid 2010288: outbound client request. Requires both the /tasksz.php? URI (followed by
# "dc" or "load" per the pcre) and a User-Agent header that is exactly "Google Bot"
# terminated by CRLF. The URI content is the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Scar Downloader Request"; flow:established,to_server; content:"/tasksz.php?"; fast_pattern:only; http_uri; content:"User-Agent|3a| Google Bot|0d 0a|"; http_header; pcre:"/\/tasksz\.php\?(?:dc|load)/U"; reference:url,www.f-secure.com/v-descs/trojan_w32_scar_a.shtml; reference:url,doc.emergingthreats.net/2010288; classtype:trojan-activity; sid:2010288; rev:4;)
# sid 2010333 (User-Agent CrazyBro): outbound; the header match and references
# continue on the next line of this listing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (CrazyBro)"; 
flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html; reference:url,doc.emergingthreats.net/2010333; classtype:trojan-activity; sid:2010333; rev:4;)
# sid 2010334: outbound client request. The "hingDeny=" content is the common tail of
# the two spellings the pcre accepts (?cashingDeny= / ?cachingDeny=); the pcre then
# requires exactly 16 alphanumeric characters followed by "&".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; content:"hingDeny="; nocase; http_uri; content:"&id="; http_uri; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/U"; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,doc.emergingthreats.net/2010334; classtype:trojan-activity; sid:2010334; rev:4;)
# sid 2010337: outbound POST with "Cache-Control: no-cache" and a request body that
# starts with data=CjEf (depth:9, used as the fast pattern); the pcre additionally
# requires at least 64 base64-alphabet characters after "data=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:19;)
# sid 2010344: matches a 12-byte payload "/FIRSTINF/" + CRLF on any port.
# NOTE(review): the header is $EXTERNAL_NET -> $HOME_NET and flow is only
# "established" (no to_server/to_client), so the alert's source is the external peer;
# confirm which side is the compromised host when triaging a hit.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Chorns/PoisonIvy related Backdoor Initial Connection"; flow:established; dsize:12; content:"/FIRSTINF/|0d0a|"; reference:url,doc.emergingthreats.net/2010344; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010344; rev:4;)
# sid 2010345 (keep-alive companion of sid 2010344): same direction and 12-byte size
# check; the rule body continues on the next line of this listing.
alert tcp $EXTERNAL_NET any 
-> $HOME_NET any (msg:"ET TROJAN Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made by UltimateHackerzTeam)"; http_header; fast_pattern:76,20; reference:url,doc.emergingthreats.net/2010346; classtype:trojan-activity; sid:2010346; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; classtype:trojan-activity; sid:2010347; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010349; classtype:web-application-attack; sid:2010349; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; 
content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010350; classtype:web-application-attack; sid:2010350; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010351; classtype:web-application-attack; sid:2010351; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; content:"&category="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010352; classtype:web-application-attack; sid:2010352; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_photoblog&"; nocase; http_uri; 
content:"&category="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010353; classtype:web-application-attack; sid:2010353; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/debugger.php?"; nocase; http_uri; content:"config_atkroot="; nocase; http_uri; pcre:"/config_atkroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,36822; reference:url,doc.emergingthreats.net/2010354; classtype:web-application-attack; sid:2010354; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt"; flow:to_server,established; uricontent:"/fonctions_racine.php?"; nocase; uricontent:"chemin_lib="; nocase; pcre:"/chemin_lib\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/57869; reference:url,secunia.com/advisories/36658/; reference:url,doc.emergingthreats.net/2010355; classtype:web-application-attack; sid:2010355; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/install/di.php?"; nocase; http_uri; content:"pathtoserverdata="; nocase; http_uri; pcre:"/pathtoserverdata\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/55485; reference:url,doc.emergingthreats.net/2010362; classtype:web-application-attack; sid:2010362; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; 
within:40; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010371; classtype:attempted-recon; sid:2010371; rev:2;)
# sid 2010372: inbound UDP datagram under 135 bytes containing the literal
# "THCTHCTHCTHCTHC" followed by three spaces; any source and destination port.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap UDP Service Scan Detected"; dsize:<135; content:"THCTHCTHCTHCTHC|20 20 20|"; fast_pattern:only; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010372; classtype:attempted-recon; sid:2010372; rev:5;)
# sid 2010375 (references cve 2009-1991): inbound to $ORACLE_PORTS. Requires the
# ctxsys.drvxtabc.create_tables name, then dbms_sql.execute later in the payload, and
# a pcre (dot-matches-newline, case-insensitive) for an SQL keyword after the
# procedure name. These are raw payload matches, so the rule only helps where the
# sensor sees the database session in clear text.
alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; reference:url,doc.emergingthreats.net/2010375; classtype:attempted-admin; sid:2010375; rev:2;)
# sid 2010379: inbound POST to /jmx-console/HtmlAdaptor. The three body contents are
# literal, already-encoded strings chained with within:50 and within:40, so they must
# appear in this order and close together.
# NOTE(review): a hit means the JMX console is reachable from $EXTERNAL_NET; restricting
# or authenticating that path is the mitigation, independent of this signature.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010379; classtype:web-application-attack; sid:2010379; rev:9;)
# sid 2010380 (GET variant of sid 2010379): all matches are in the normalized URI; the
# remaining contents and references continue on the next line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; http_uri; 
content:"DeploymentScanner"; nocase; http_uri; content:"methodName=addURL"; nocase; http_uri; content:"=http"; nocase; http_uri; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010380; classtype:web-application-attack; sid:2010380; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?ddos=x"; http_uri; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; classtype:trojan-activity; sid:2010381; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?type="; nocase; http_uri; content:"&affid="; distance:0; nocase; http_uri; content:"&subid="; distance:0; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; reference:url,doc.emergingthreats.net/2010382; classtype:trojan-activity; sid:2010382; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:trojan-activity; sid:2010438; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin (UA VBTagEdit)"; flow:to_server,established; content:"GET"; nocase; 
http_method; content:"HTTP/1.0"; content:"User-Agent|3a| VBTagEdit"; http_header; nocase; reference:url,doc.emergingthreats.net/2010439; classtype:trojan-activity; sid:2010439; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010441; classtype:trojan-activity; sid:2010441; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010442; classtype:trojan-activity; sid:2010442; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; content:"/Layouts/Landings/CentralLandings/"; nocase; http_uri; content:"/images/"; nocase; http_uri; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010450; classtype:trojan-activity; sid:2010450; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV 
GET installer.1.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; classtype:trojan-activity; sid:2010452; rev:8;)
# sid 2010453: outbound GET whose URI contains /installer_<digits>.exe
# (case-insensitive). The match is on the file name alone, with no host or header
# condition, so the msg's "Potential" should be taken literally when triaging.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/installer_\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; classtype:trojan-activity; sid:2010453; rev:5;)
# sid 2010457 (references cve 2009-1203): inbound to $HOME_NET on $HTTP_PORTS. The
# +CSCOE+/files/browse.html path is matched in the raw (un-normalized) URI, while
# code=init and path=ftp are matched in the normalized URI.
# NOTE(review): only "path=ftp" is matched although the msg mentions FTP or CIFS;
# confirm whether a CIFS variant is covered by another signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; content:"|2B|CSCOE|2B 2F|files|2F|browse|2E|html"; nocase; http_raw_uri; content:"code|3D|init"; nocase; http_uri; content:"path|3D|ftp"; nocase; http_uri; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; reference:url,doc.emergingthreats.net/2010457; classtype:attempted-user; sid:2010457; rev:5;)
# sid 2010458: outbound GET to /Common/module.php? carrying all seven listed parameter
# names in the URI (case-insensitive); their order is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper Checkin (often scripts.dlv4.com related)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Common/module.php?"; nocase; http_uri; content:"brokerid="; nocase; http_uri; content:"&product="; nocase; http_uri; content:"&customid="; nocase; http_uri; content:"&mediaid="; nocase; http_uri; content:"&no_product_name="; nocase; http_uri; content:"&extlogin="; http_uri; nocase; reference:url,doc.emergingthreats.net/2010458; classtype:trojan-activity; sid:2010458; rev:8;)
# sid 2010460 (Cisco BBSM XSS; rule body continues on the next line of this listing).
# NOTE(review): the msg spells the page "AccesCodeStart.asp" while the content match
# uses "AccessCodeStart"; search alert logs by sid rather than by page name.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; 
flow:established,to_server; content:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010460; classtype:attempted-user; sid:2010460; rev:4;)
# sid 2010461: outbound request whose User-Agent header is exactly the listed
# "MSIE 7.0; na; " string; fast_pattern:37,14 selects a 14-byte slice of that content
# for the prefilter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (MSIE7 na)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| na|3b| )"; http_header; fast_pattern:37,14; reference:url,doc.emergingthreats.net/2010461; classtype:trojan-activity; sid:2010461; rev:7;)
# sid 2010462: inbound request to /cgi-mod/smtp_test.cgi with email=, hostname= and
# default_domain= in the URI.
# NOTE(review): the pcre alternation (script, img, src, alert, on* handlers) is
# unanchored and case-insensitive across the whole URI, so short tokens such as "src"
# or "img" can match inside ordinary parameter values; expect tuning.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; content:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; http_uri; content:"email|3D|"; nocase; http_uri; content:"hostname|3D|"; nocase; http_uri; content:"default|5F|domain|3D|"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/37248/info; reference:url,doc.emergingthreats.net/2010462; classtype:web-application-attack; sid:2010462; rev:3;)
# sid 2010463: unlike the request-side rules around it, this inspects server
# responses ($HOME_NET $HTTP_PORTS -> $EXTERNAL_NET, from_server) for the marker string
# "FeeLCoMzFeeLCoMz". classtype is successful-user, so a hit points at a local web
# server returning the marker; review that server, not only the remote client.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010463; reference:url,opinion.josepino.com/php/howto_website_hack1; classtype:successful-user; sid:2010463; rev:7;)
# sid 2010466 (PointComma pctemplate.php RFI): inbound, payload must start with "GET "
# and the URI must contain the script path and pcConfig[smartyPath]=; the nocase
# modifier and pcre continue on the next line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/includes/classes/pctemplate.php?"; nocase; uricontent:"pcConfig[smartyPath]="; 
nocase; pcre:"/pcConfig\[smartyPath\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt; reference:url,doc.emergingthreats.net/2010466; classtype:web-application-attack; sid:2010466; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/js/wptable-tinymce.php?"; nocase; uricontent:"ABSPATH="; nocase; pcre:"/ABSPATH\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/56763; reference:url,doc.emergingthreats.net/2010473; classtype:web-application-attack; sid:2010473; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_ezine/class/php/d4m_ajax_pagenav.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,37043; reference:url,doc.emergingthreats.net/2010474; classtype:web-application-attack; sid:2010474; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/adm/krgourl.php?"; nocase; http_uri; content:"DOCUMENT_ROOT="; nocase; http_uri; pcre:"/DOCUMENT_ROOT\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt; reference:url,doc.emergingthreats.net/2010475; classtype:web-application-attack; sid:2010475; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010476; classtype:web-application-attack; sid:2010476; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010477; classtype:web-application-attack; sid:2010477; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010478; classtype:web-application-attack; sid:2010478; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; 
content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010479; classtype:web-application-attack; sid:2010479; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?option=com_jshop&"; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010480; classtype:web-application-attack; sid:2010480; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/modules/formmailer/formmailer.admin.inc.php?"; nocase; http_uri; content:"BASE_DIR[jax_formmailer]="; nocase; http_uri; pcre:"/BASE_DIR\[jax_formmailer\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/55751; reference:url,doc.emergingthreats.net/2010484; classtype:web-application-attack; sid:2010484; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/assets/plugins/mp3_id/mp3_id.php?"; nocase; uricontent:"GLOBALS[BASE]="; nocase; pcre:"/GLOBALS\[BASE\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt; reference:url,doc.emergingthreats.net/2010485; classtype:web-application-attack; sid:2010485; rev:2;) alert udp $EXTERNAL_NET 
123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2;) alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo User-Agent Check-in"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0) WinNT 5.1|0d 0a|"; fast_pattern:37,21; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99; reference:url,doc.emergingthreats.net/2010490; classtype:trojan-activity; sid:2010490; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2;) alert tcp $HOME_NET 3306 -> any any (msg:"ET SCAN Non-Allowed Host Tried to Connect to MySQL Server"; flow:from_server,established; content:"|6A 04|Host|20 27|"; depth:70; content:"|27 20|is not allowed to connect to this MySQL server"; 
distance:0; reference:url,www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html; reference:url,doc.emergingthreats.net/2010493; classtype:attempted-recon; sid:2010493; rev:2;) alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:12;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/+webvpn+/index.html"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; reference:url,doc.emergingthreats.net/2010505; classtype:attempted-user; sid:2010505; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting 
Attempt"; flow:established,to_server; content:"/ekgnkm/AccessCodeStart.asp"; nocase; http_uri; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010506; classtype:attempted-user; sid:2010506; rev:4;)
# sid 2010506 (rule ending above): inbound request whose normalized URI contains
# /ekgnkm/AccessCodeStart.asp and, anywhere in that URI, one of the listed keywords (pcre /U, /i).
# NOTE(review): the alternation is unanchored, so short tokens such as `src` or `img` also match
# inside unrelated parameter names or values. Expect benign hits; sid 2010460 covers the same path
# with the narrower script/event-handler list.
# sid 2010507: URI contains /Forms/login1?login_username= plus `script` or an on<event> handler name.
# The keyword may sit anywhere in the URI, not only in the login_username value.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible APC Switched Rack PDU Web Administration Interface Cross Site Scripting Attempt"; flow:to_server,established; content:"/Forms/login1?login_username="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,securitytracker.com/alerts/2009/Dec/1023331.html; reference:url,doc.emergingthreats.net/2010507; classtype:web-application-attack; sid:2010507; rev:3;)
# sid 2010508: request header contains "User-Agent: Springenwerk" (case-insensitive).
# The threshold limits output to one alert per source address per 60 seconds.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Springenwerk XSS Scanner User-Agent Detected"; flow:to_server,established; content:"User-Agent|3a| Springenwerk"; http_header; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,springenwerk.org/; reference:url,doc.emergingthreats.net/2010508; classtype:attempted-recon; sid:2010508; rev:6;)
# sid 2010509: the uricontent checks accept pwd=, fwReg= and sn= at any position in the URI,
# but the pcre matches only when fwReg= directly follows `register?` and its value starts with `>` or `"`.
# NOTE(review): a request that carries the parameters in another order, or has other characters
# before the markup character, passes the content checks but not the pcre, so no alert is raised.
# The Sonicwall GMS rule (sid 2010511) uses the position-independent form `\?.*scrn_name=.*[>\"]`.
# Consider aligning this pcre with it after validating against captured traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sonicwall NSA E7500 XSS attempt (fwReg parameter)"; flow:established,to_server; uricontent:"/servlet/dea/register?"; nocase; uricontent:"pwd="; nocase; uricontent:"fwReg="; nocase; uricontent:"sn="; nocase; pcre:"/\/servlet\/dea\/register\?fwReg=[>\"]/iU"; reference:url,securiteam.com/exploits/6O00C1FQAS.html; reference:url,doc.emergingthreats.net/2010509; classtype:web-application-attack; sid:2010509; rev:5;)
# sid 2010510: payload starts with "GET " (depth:4) and the URI contains /sem/, .php, uniqueid= and `;`.
# The pcre requires /sem/<word>.php with a uniqueid value of optional digits followed directly by `;`.
# The rule is stored across two physical lines here; the break falls inside the "GET " content string.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET 
"; nocase; depth:4; uricontent:"/sem/"; nocase; uricontent:".php"; nocase; uricontent:"uniqueid="; nocase; uricontent:"|3B|"; pcre:"/\/sem\/\w+\.php.*(\?|&)uniqueid=\d*\;/Ui"; reference:url, www.securityfocus.com/bid/37375/info; reference:url,doc.emergingthreats.net/2010510; classtype:web-application-attack; sid:2010510; rev:2;)
# sid 2010511: URI contains /sgms/caption.jsp? and scrn_name=, with `>` or `"` anywhere after scrn_name=.
# Because of the trailing `.*`, the markup character may belong to a later parameter.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sonicwall Global Management System XSS attempt (scrn_name parameter)"; flow:established,to_server; uricontent:"/sgms/caption.jsp?"; nocase; uricontent:"scrn_name="; nocase; pcre:"/\/sgms\/caption\.jsp\?.*scrn_name=.*[>\"]/iU"; reference:url,securiteam.com/exploits/6P00D1FQAG.html; reference:url,doc.emergingthreats.net/2010511; classtype:web-application-attack; sid:2010511; rev:5;)
# sid 2010512: outbound POST with no User-Agent header and no Referer header, whose body contains
# current_version= followed by 196 alphanumeric characters (pcre /P on the client body, /i).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196}/Pi"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:8;)
# NOTE(review): the text from here to the end of this block is damaged and is reproduced unchanged.
# Each `content:"` below is followed directly by the destination half of another rule header
# (` $HOME_NET any (msg:`, ` $EXTERNAL_NET 1024: (msg:` or ` $HOME_NET $HTTP_PORTS (msg:`).
# Missing in every case: the rest of the content pattern, the rule's reference/classtype/sid/rev
# options and closing `)`, and the next rule's `alert tcp <source> ->`.
# It looks as if a `<`...`>` span was stripped during extraction; confirm against the upstream ruleset.
# Affected by msg: the HTTP 401, 403, 404, 405, 406, 500 and 503 "XSS Attempt" response rules, plus
# the header of the Joomla MyRemote Video Gallery rule at the end of the run.
# These fragments will not load as rules, so the signatures named in the msgs give no coverage.
# Restore them from the upstream rule file; do not rebuild the patterns or sids by hand.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; content:"401"; http_stat_code; content:"Unauthorized"; nocase; file_data; content:" $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source)"; flow:from_server,established; content:"401"; http_stat_code; content:"Unauthorized"; nocase; file_data; content:" $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)"; flow:from_server,established; content:"403"; http_stat_code; content:"Forbidden"; nocase; file_data; content:" $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS 
Attempt (Local Source)"; flow:from_server,established; content:"404"; http_stat_code; content:"Not Found"; nocase; file_data; content:" $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"405"; http_stat_code; content:"Method Not Allowed"; nocase; file_data; content:" $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:from_server,established; content:"405"; http_stat_code; content:"Method Not Allowed"; nocase; file_data; content:" $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"406"; http_stat_code; content:"Not Acceptable"; nocase; file_data; content:" $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"406"; http_stat_code; content:"Not Acceptable"; nocase; file_data; content:" $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"500"; http_stat_code; content:"Internal Server Error"; nocase; file_data; content:" $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"500"; http_stat_code; content:"Internal Server Error"; nocase; file_data; content:" $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"503"; http_stat_code; content:"Service Unavailable"; nocase; file_data; content:" $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"503"; http_stat_code; content:"Service Unavailable"; nocase; file_data; content:" $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla MyRemote Video Gallery (user_id) Blind SQL Injection Attempt"; flow:established,to_server; content:"user_id="; http_uri; content:"option=com_mytube"; nocase; 
http_uri; content:"index.php?"; nocase; http_uri; pcre:"/user_id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,milw0rm.org/exploits/9733; reference:url,doc.emergingthreats.net/2010528; classtype:web-application-attack; sid:2010528; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component com_jinc (newsid) Blind SQL Injection Attempt"; flow:established,to_server; content:"option=com_jinc"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"index.php?"; nocase; http_uri; pcre:"/newsid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,milw0rm.org/exploits/9732; reference:url,doc.emergingthreats.net/2010529; classtype:web-application-attack; sid:2010529; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Loggix Project RFI Attempt"; flow:established,to_server; content:"pathToIndex="; nocase; http_uri; content:".php?"; nocase; http_uri; pcre:"/\.php(\?|.*\x26)pathToIndex=(https?|ftps?)\:\/\/[^\x26\x3B]+\?\?/iU"; reference:url,www.exploit-db.com/exploits/9729/; reference:url,doc.emergingthreats.net/2010530; classtype:web-application-attack; sid:2010530; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component City Portal (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; content:"/city_portal/index.php?"; nocase; http_uri; content:"Itemid="; nocase; http_uri; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010535; classtype:web-application-attack; sid:2010535; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Event Manager 1.5 (id) Blind SQL Injection Attempt"; flow:established,to_server; content:"/eventmanager/index.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; 
reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010536; classtype:web-application-attack; sid:2010536; rev:3;)
# The rules below share one pcre shape: (\?|&)<param>=[^\s\x26\x3B\x2f]*[\s\x2f] on the normalized URI (/U, /i).
# It matches when the named parameter's value reaches whitespace or `/` before any `&` or `;`.
# A value made only of other characters does not match, so this keys on whitespace or a slash
# in the value, not on SQL syntax as such.
# sid 2010537: URI contains /index.php?, option=com_zcalendar and eid=, plus the pcre above on eid.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_zcalendar (eid) Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_zcalendar"; nocase; http_uri; content:"eid="; nocase; http_uri; pcre:"/(\?|&)eid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010537; classtype:web-application-attack; sid:2010537; rev:3;)
# sid 2010538: URI contains /index.php?, option=com_acmisc and Itemid=, plus the pcre on Itemid.
# NOTE(review): the msg names the component com_acmis while the content match is option=com_acmisc,
# and the packetstorm reference is the same URL as sid 2010537's (joomlazal-sql.txt).
# Confirm against upstream which component name and advisory are intended before relying on the msg for triage.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_acmis (Itemid) SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_acmisc"; nocase; http_uri; content:"Itemid="; nocase; http_uri; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010538; classtype:web-application-attack; sid:2010538; rev:3;)
# sid 2010539: same shape for option=com_digistore and pid=.
# It is written with the older uricontent keyword rather than content + http_uri.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_digistore (pid) Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"option=com_digistore"; nocase; uricontent:"pid="; nocase; pcre:"/(\?|&)pid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0903-exploits/joomladigistore-sql.txt; reference:url,doc.emergingthreats.net/2010539; classtype:web-application-attack; sid:2010539; rev:2;)
# com_jbook rule: URI contains /index.php?, option=com_jbook and Itemid=.
# Its pcre, references and sid continue on the next physical line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jbook (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"option=com_jbook"; nocase; uricontent:"Itemid="; nocase; 
pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/filedesc/joomlajbook-sql.txt.html; reference:url,doc.emergingthreats.net/2010540; classtype:web-application-attack; sid:2010540; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_personel (id) Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_personel"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlapersonel-sql.txt; reference:url,doc.emergingthreats.net/2010541; classtype:web-application-attack; sid:2010541; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_joomportfolio (secid) Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_joomportfolio"; nocase; http_uri; content:"secid="; nocase; http_uri; pcre:"/(\?|&)secid=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt; reference:url,doc.emergingthreats.net/2010542; classtype:web-application-attack; sid:2010542; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (poll.php)"; flow:established,to_server; content:"/mod/poll.php?"; nocase; http_uri; content:"GLOBALS[nlang]="; nocase; http_uri; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/iU"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010543; classtype:web-application-attack; sid:2010543; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (new.php)"; flow:established,to_server; content:"/mod/new.php?"; nocase; http_uri; content:"GLOBALS[nlang]="; 
nocase; http_uri; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/iU"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010544; classtype:web-application-attack; sid:2010544; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:cve,2007-2281; classtype:attempted-admin; sid:2010546; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_username)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_username="; nocase; http_uri; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_username=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010547; classtype:web-application-attack; sid:2010547; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_server)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_server="; nocase; http_uri; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_server=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010548; classtype:web-application-attack; sid:2010548; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_path)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_path="; nocase; http_uri; 
pcre:"/\/cgi-mod\/index\.cgi\?.*backup_path=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010549; classtype:web-application-attack; sid:2010549; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_password)"; flow:established,to_server; content:"/cgi-mod/index.cgi?"; nocase; http_uri; content:"backup_password="; nocase; http_uri; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_password=[^&\;]*[>\"]/iU"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010550; classtype:web-application-attack; sid:2010550; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Module Emporium SQL Injection Attempt"; flow:established,to_server; uricontent:"/modules.php?"; nocase; uricontent:"name=Shopping_Cart"; nocase; uricontent:"category_id="; nocase; pcre:"/(\?|&)category_id=[^\s\x26\x3B\x2f]*[\s\x2f]/iU"; reference:url,milw0rm.com/exploits/3334; reference:url,packetstormsecurity.org/0912-exploits/phpnukeemporium-sql.txt; reference:url,doc.emergingthreats.net/2010553; classtype:web-application-attack; sid:2010553; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url, securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; 
http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010555; classtype:web-application-attack; sid:2010555; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010556; classtype:web-application-attack; sid:2010556; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010557; classtype:web-application-attack; sid:2010557; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; 
content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010558; classtype:web-application-attack; sid:2010558; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_joaktree&"; nocase; http_uri; content:"&view=joaktree"; nocase; http_uri; content:"treeId="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010559; classtype:web-application-attack; sid:2010559; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/main/forum/komentar.php?"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,23334; reference:url,doc.emergingthreats.net/2010564; classtype:web-application-attack; sid:2010564; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; fast_pattern:only; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui"; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:11;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; content:".asp|3B 2E|"; fast_pattern:only; 
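nocase; http_uri; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010592; rev:8;)
# sid 2010592 (rule ending above) and sid 2010593 (below): inbound request whose URI contains
# `.asp;.` or `.aspx;.` respectively (|3B 2E| is `;.`), case-insensitive. That is the
# semicolon-in-filename form described in the referenced IIS report (CVE-2009-4444).
# Both rules listed the same reference entries several times over; each is now listed once.
# Match logic, sid and rev are untouched.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; content:".aspx|3B 2E|"; fast_pattern:only; nocase; http_uri; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010593; rev:8;)
# sid 2010595: outbound request whose headers contain the literal "User-Agent: ???" and do not
# contain " Sparkle/" (presumably an exclusion for a benign client; confirm).
# The match is a prefix, so any User-Agent value beginning with three question marks qualifies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (???)"; flow:established,to_server; content:"User-Agent|3a| ???"; http_header; content:!"|20|Sparkle|2f|"; http_header; reference:url,doc.emergingthreats.net/2010595; classtype:trojan-activity; sid:2010595; rev:5;)
# FakeAV /check check-in: GET with a URI of exactly 6 bytes (urilen:6) containing /check and no
# Referer header. The User-Agent match, references and sid continue on the next physical line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP GET Check-IN (/check)"; flow:established,to_server; urilen:6; content:"GET"; http_method; content:"/check"; nocase; http_uri; content:!"Referer|3a| "; http_header; nocase; 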
content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|Host|3a| "; depth:47; fast_pattern:12,34; http_header; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue%3AWin32/FakeSpypro; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010597; classtype:trojan-activity; sid:2010597; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent Mozilla/3.0"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Internet Explorer)"; http_header; fast_pattern:12,20; reference:url,doc.emergingthreats.net/2010599; classtype:trojan-activity; sid:2010599; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 82 (msg:"ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt"; flow:established,to_server; content:"GET"; content:"script"; nocase; content:"/proxy.php?"; nocase; content:"url="; nocase; pcre:"/\/proxy\.php(\?|.*[\x26\x3B])url=[^&\;\x0D\x0A]*[<>\"\']/i"; reference:url,www.securityfocus.com/bid/37446/info; reference:url,doc.emergingthreats.net/2010602; classtype:web-application-attack; sid:2010602; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt"; flow:established,to_server; uricontent:"/Script/store_info.php?"; nocase; uricontent:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.securityfocus.com/bid/37541/info; reference:url,doc.emergingthreats.net/2010604; classtype:web-application-attack; sid:2010604; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_viewfulllisting"; nocase; http_uri; content:"listing_id="; nocase; http_uri; pcre:"/(\?|&)listing_id=[^\x26\x3B]*[^\d\x2D]/iU"; 
reference:url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt; reference:url,doc.emergingthreats.net/2010605; classtype:web-application-attack; sid:2010605; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_kkcontent"; nocase; http_uri; content:"catID="; nocase; http_uri; pcre:"/(\?|&)catID=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt; reference:url,doc.emergingthreats.net/2010606; classtype:web-application-attack; sid:2010606; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt"; flow:established,to_server; uricontent:"/dictionary/detail.php?"; nocase; uricontent:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/xoopsdictionary-sql.txt; reference:url,doc.emergingthreats.net/2010607; classtype:web-application-attack; sid:2010607; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt"; flow:established,to_server; uricontent:"/gallery_show.asp?"; nocase; uricontent:"GID="; nocase; pcre:"/(\?|&)GID=[^\x26\x3B]*[^\d\x2D]/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/galleryshow-sql.txt; reference:url,doc.emergingthreats.net/2010608; classtype:web-application-attack; sid:2010608; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt"; flow:established,to_server; content:"/knowledgebase.php?"; nocase; http_uri; content:"act=art"; nocase; http_uri; content:"article_id="; nocase; http_uri; pcre:"/(\?|&)article_id=[^\x26\x3B]*[^\d\x2D]/iU"; 
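reference:url,www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt; reference:url,doc.emergingthreats.net/2010609; classtype:web-application-attack; sid:2010609; rev:3;)
# NOTE(review): the first reference of sid 2010609 (line above) read "www.www.packetstormsecurity.org".
# The doubled "www." is dropped so it matches the packetstormsecurity.org reference used by sid 2010610 below.
# Only reference metadata changes; the detection options, sid and rev are untouched.

# sid 2010610 - RoseOnline CMS local file inclusion attempt.
# Matches /modules/admincp.php? with an "admin=" parameter whose value contains "/", "\", a NUL byte or ".."
# (checked by the pcre against the normalized URI, /U).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt"; flow:established,to_server; uricontent:"/modules/admincp.php?"; nocase; uricontent:"admin="; nocase; pcre:"/(\?|&)admin=[^\x26\x3B]*([\x2F\x5C\x00]|\x2E\x2E)/iU"; reference:url,www.packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt; reference:url,doc.emergingthreats.net/2010610; classtype:web-application-attack; sid:2010610; rev:2;)

# phpBMS invoices_discount_ajax.php "id" parameter SQL injection, one rule per SQL keyword pair.
# Each rule requires "GET " at the start of the payload, the script path and "id=" in the URI, and both
# keywords in the URI in that order (pcre with /U). The pcre does not tie the keywords to the id value, so
# any URI for this script that carries both words in order will alert; expect to triage on the full request.
# sid 2010615 - SELECT ... FROM
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010615; classtype:web-application-attack; sid:2010615; rev:2;)
# sid 2010616 - DELETE ... FROM
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010616; classtype:web-application-attack; sid:2010616; rev:2;)
# UNION ... SELECT variant (the rule body continues on the next line of the file)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; 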
content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010617; classtype:web-application-attack; sid:2010617; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010618; classtype:web-application-attack; sid:2010618; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/bms/invoices_discount_ajax.php?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010619; classtype:web-application-attack; sid:2010619; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acomponents/com_mamboleto/mamboleto.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; 
reference:url,xforce.iss.net/xforce/xfdb/54662; reference:url,www.exploit-db.com/exploits/10369; reference:url,doc.emergingthreats.net/2010620; classtype:web-application-attack; sid:2010620; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"User-Agent|3a| CZ32ts|0d 0a|"; fast_pattern:only; nocase; http_header; reference:url,doc.emergingthreats.net/2009029; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2010621; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; content:"/servlet/JavascriptProbe"; nocase; http_uri; content:"documentElement=true"; nocase; http_uri; content:"regexp=true"; nocase; http_uri; content:"frames=true"; http_uri; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; classtype:web-application-attack; sid:2010622; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; content:"/level/15/exec/-/"; fast_pattern:only; nocase; http_uri; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/Ui"; reference:url,doc.emergingthreats.net/2010623; classtype:web-application-attack; sid:2010623; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Landing Page (aid sid)"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:".php?aid="; nocase; http_uri; fast_pattern; content:"&sid="; nocase; http_uri; pcre:"/[a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$/Ui"; reference:url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html; reference:url,doc.emergingthreats.net/2010625; classtype:trojan-activity; sid:2010625; 
rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"loads.php?code="; nocase; http_uri; pcre:"/loads\.php\?code=\d+$/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010626; classtype:trojan-activity; sid:2010626; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"cgi-bin/download.pl?code="; nocase; http_uri; pcre:"/download\.pl\?code=\d+$/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010627; classtype:trojan-activity; sid:2010627; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"cgi-bin/get.pl?l="; nocase; http_uri; pcre:"/get\.pl\?l=\d+$/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010628; classtype:trojan-activity; sid:2010628; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic Adware Install Report"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/nsi_install.php?inst_result=success&aff_id="; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2010630; classtype:trojan-activity; sid:2010630; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; 
flow:to_server,established; content:"GET"; http_method; content:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; http_uri; content:"settings[locale]="; nocase; http_uri; content:"../"; depth:200; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.exploit-db.com/exploits/9018/; reference:url,doc.emergingthreats.net/2010631; classtype:web-application-attack; sid:2010631; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010636; classtype:web-application-attack; sid:2010636; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010637; classtype:web-application-attack; sid:2010637; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; 
pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010638; classtype:web-application-attack; sid:2010638; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010639; classtype:web-application-attack; sid:2010639; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_jphoto&"; nocase; http_uri; content:"view=category&"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010640; classtype:web-application-attack; sid:2010640; rev:4;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request Likely Precursor to Scan"; itype:8; icode:0; content:"@hello ???"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010641; classtype:misc-activity; sid:2010641; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010642; classtype:attempted-recon; sid:2010642; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010643; classtype:attempted-recon; sid:2010643; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; content:"Launcher"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Launcher/iH"; reference:url,doc.emergingthreats.net/2010645; classtype:trojan-activity; sid:2010645; rev:9;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Lethic Spambot CnC Initial Connect"; flow:established,from_server; flowbits:isnotset,ET.lethic.init; flowbits:set,ET.lethic.init; flowbits:noalert; dsize:5; content:"|00 00 00 00 06|"; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010646; classtype:trojan-activity; sid:2010646; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Lethic Spambot CnC Initial Connect Bot Response"; flow:established,to_server; flowbits:isset,ET.lethic.init; dsize:5; content:"|00 00 00 00 06|"; flowbits:set,ET.lethic.established; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010647; classtype:trojan-activity; sid:2010647; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010652; 
classtype:web-application-attack; sid:2010652; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010653; classtype:web-application-attack; sid:2010653; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010654; classtype:web-application-attack; sid:2010654; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010655; classtype:web-application-attack; sid:2010655; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ossim/repository/repository_attachment.php?"; nocase; uricontent:"id_document="; nocase; 
uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010656; classtype:web-application-attack; sid:2010656; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object IMAP4 Component Buffer Overflow Function call Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"EasyMail.IMAP4.6"; distance:0; nocase; content:"LicenseKey"; nocase; reference:url,secunia.com/advisories/24199/; reference:url,doc.emergingthreats.net/2010658; classtype:web-application-attack; sid:2010658; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_mojo/wp-comments-post.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010659; classtype:web-application-attack; sid:2010659; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog 
wp-trackback.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_mojo/wp-trackback.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010660; classtype:web-application-attack; sid:2010660; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/e-pay/src/a_affil.php?"; nocase; uricontent:"_REQUEST[read]="; nocase; pcre:"/_REQUEST\[read\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10697; reference:url,doc.emergingthreats.net/2010661; classtype:web-application-attack; sid:2010661; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-"; depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:"offer-"; nocase; distance:0; 
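pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2010665; classtype:attempted-user; sid:2010665; rev:8;)
# NOTE(review): in sid 2010665 (line above) the pcre began "/]*classid", which looks like what is left after
# an HTML-tag stripper removed a "<...>" span from the pattern. As written it no longer required the classid
# to sit inside an OBJECT tag. The opening is restored to "<OBJECT\s+[^>]*classid", the usual form for
# clsid-matching ActiveX rules - confirm against the upstream rule at rev 8 before deploying.

# sid 2010667 - literal "/bin/bash" anywhere in the HTTP URI of a request to a web server (case-sensitive).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit"; flow:established,to_server; content:"/bin/bash"; http_uri; reference:url,doc.emergingthreats.net/2010667; classtype:web-application-attack; sid:2010667; rev:9;)

# Zenoss getJSONEventsInfo "severity=" SQL injection, one rule per SQL keyword pair.
# The path and "severity=" are matched in the URI (uricontent). The two SQL keywords use plain content with
# no URI modifier, so they can match anywhere in the payload; the pcre (/U) then requires both keywords, in
# order, in the normalized URI.
# sid 2010669 - INTO ... OUTFILE
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"INTO"; nocase; content:"OUTFILE"; nocase; pcre:"/INTO.+OUTFILE/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010669; classtype:web-application-attack; sid:2010669; rev:2;)
# sid 2010670 - SELECT ... FROM
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010670; classtype:web-application-attack; sid:2010670; rev:2;)
# INSERT ... INTO variant (the msg string and rule body continue on the next line of the file)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection 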
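Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010672; classtype:web-application-attack; sid:2010672; rev:2;)

# sid 2010673 - Zenoss getJSONEventsInfo "severity=" UNION ... SELECT SQL injection attempt.
# The msg previously read "UNTION SELECT"; the typo is corrected to "UNION SELECT". The sid, rev and all
# detection options are unchanged. Saved searches or alert filters keyed on the old msg text need updating.
# "UNION" and "SELECT" are plain content matches (anywhere in the payload); the pcre (/U) requires both, in
# order, in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNION SELECT SQL Injection Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Events/getJSONEventsInfo"; nocase; uricontent:"severity="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010673; classtype:web-application-attack; sid:2010673; rev:2;)

# sid 2010674 - Cisco Wireless LAN Controller over-long Authorization header (CVE-2009-1164).
# GET /screens/frameset.html with an "Authorization: Basic" header: no line feed in the 118 bytes checked
# after the match, at least 120 bytes of data following it, and a pcre on the headers (/H) that requires
# 120 characters after "Authorization: Basic" on the same line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:10;)

# sid 2010675 - outbound HTTP request whose header block contains "User-Agent: SogouExplorerMiniSetup"
# (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; content:"User-Agent|3a| SogouExplorerMiniSetup"; nocase; http_header; reference:url,doc.emergingthreats.net/2010675; classtype:trojan-activity; sid:2010675; rev:4;)
# "Fast Browser Search" User-Agent rule (the rule body continues on the next line of the file)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Fast Browser Search)"; flow:to_server,established; 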
content:"User-Agent|3a| Fast Browser Search"; nocase; http_header; reference:url,doc.emergingthreats.net/2010676; classtype:trojan-activity; sid:2010676; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (My Session)"; flow:to_server,established; content:"User-Agent|3a| My Session"; nocase; http_header; content:!".windows.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.OnLineGames User-Agent (BigFoot)"; flow:to_server,established; content:"User-Agent|3a| BigFoot"; nocase; http_header; reference:url,doc.emergingthreats.net/2010678; classtype:trojan-activity; sid:2010678; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; content:"User-Agent|3a| General Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010679; classtype:trojan-activity; sid:2010679; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; content:"User-Agent|3a| Update1.0"; http_header; reference:url,doc.emergingthreats.net/2010680; classtype:trojan-activity; sid:2010680; rev:4;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; fast_pattern:only; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; classtype:misc-activity; sid:2010681; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Fake Antivirus Download Setup_2012.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; 
http_uri; pcre:"/Setup_20\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/xxxxxxx; classtype:trojan-activity; sid:2010684; rev:7;)
# NOTE(review): sid 2010684 (line above) carries the reference "doc.emergingthreats.net/xxxxxxx", which looks
# like an unfilled placeholder; the neighbouring rules point at doc.emergingthreats.net/<sid>. Confirm
# against upstream before relying on the link. Its msg names "Setup_2012.exe", but the pcre accepts any
# "Setup_20<digits>.exe" in the URI, so alerts are not limited to that one filename.

# sid 2010686 - ICMP echo request (itype 8, icode 0) whose payload contains "=XXXXXXXX".
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; fast_pattern:only; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:4;)

# sid 2010687 - HP OpenView NNM Snmp.exe CGI over-long parameter (CVE-2009-3849).
# GET /OvCgi/Main/Snmp.exe where "Host=" is followed within 50 bytes by "Oid=" and at least 600 further
# bytes; the pcre requires 600 characters after "id=". "Host=" and "Oid=" are plain content matches, not
# restricted to the URI buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/OvCgi/Main/Snmp.exe"; nocase; http_uri; content:"Host="; nocase; content:"Oid="; nocase; within:50; isdataat:600,relative; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; reference:cve,2009-3849; reference:url,doc.emergingthreats.net/2010687; classtype:web-application-attack; sid:2010687; rev:7;)

# Aurora backdoor C&C pair on TCP 443, linked by the flowbit ET.aurora.init.
# sid 2010695 - client-to-server: 20-byte pattern within the first 20 payload bytes; alerts and sets the flowbit.
# sid 2010696 - server-to-client: 16-byte pattern within the first 16 payload bytes, evaluated only when the
#               flowbit is already set. If sid 2010695 is disabled, sid 2010696 can never match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Aurora Backdoor (C&C) client connection to CnC"; flow:established,to_server; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; flowbits:set,ET.aurora.init; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010695; classtype:trojan-activity; sid:2010695; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Aurora Backdoor (C&C) connection CnC response"; flowbits:isset,ET.aurora.init; flow:established,from_server; content:"|cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc|"; depth:16; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010696; classtype:trojan-activity; sid:2010696; rev:2;)
# D-Link HNAP rule (the rule body continues on the next line of the file)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; 
content:"/HNAP1/"; nocase; http_uri; content:"SOAPAction|3A|"; nocase; http_header; content:"DeviceSettings"; http_header; nocase; pcre:"/SoapAction\x3A.+\x2FHNAP1\x2F(set|get)DeviceSettings/si"; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; classtype:web-application-attack; sid:2010698; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/goform/formLogin"; nocase; http_uri; content:"Login="; nocase; http_client_body; content:!"|0A|"; http_client_body; within:300; isdataat:300,relative; pcre:"/Login=[^\r\n]{300}/Pi"; reference:url,www.securityfocus.com/bid/36933; reference:cve,2009-2685; reference:url,doc.emergingthreats.net/2010699; classtype:web-application-attack; sid:2010699; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Koobface Beaconing (getexe)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?getexe="; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010700; classtype:trojan-activity; sid:2010700; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VBulletin 4.0.1 SQL Injection Attempt"; flow:established,to_server; uricontent:"/misc.php?"; uricontent:"sub=profilename"; uricontent:"name="; nocase; uricontent:"|27|"; pcre:"/[\?&]name=[^&\;\?]+\x27/Ui"; reference:url,www.packetstormsecurity.org/1001-exploits/vbulletin401-sql.txt; reference:url,doc.emergingthreats.net/2010701; classtype:web-application-attack; sid:2010701; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/OvCgi/ovalarm.exe"; nocase; 
http_uri; content:"OVABverbose="; nocase; http_uri; content:"Accept-Language|3A 20|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2009-4179; reference:url,doc.emergingthreats.net/2010704; classtype:web-application-attack; sid:2010704; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; distance:0; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/include/libs/internals/core.write_compiled_include.php?"; nocase; http_uri; content:"smarty="; nocase; http_uri; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010707; classtype:web-application-attack; sid:2010707; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/include/libs/internals/core.process_compiled_include.php?"; nocase; http_uri; content:"smarty="; nocase; http_uri; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010708; classtype:web-application-attack; sid:2010708; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt"; 
flow:to_server,established; content:"GET"; http_method; content:"/include/libs/plugins/function.config_load.php?"; nocase; http_uri; content:"_compile_file="; nocase; http_uri; pcre:"/_compile_file\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010709; classtype:web-application-attack; sid:2010709; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010710; classtype:web-application-attack; sid:2010710; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010711; classtype:web-application-attack; sid:2010711; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010712; 
classtype:web-application-attack; sid:2010712; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010713; classtype:web-application-attack; sid:2010713; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_foobla_suggestions&"; nocase; http_uri; content:"idea_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010714; classtype:web-application-attack; sid:2010714; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; content:"User-Agent|3a| Made by ZmEu"; http_header; threshold: type limit, track by_src, seconds 180, count 1; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (FaceCooker)"; flow:to_server,established; content:"User-Agent|3a| FaceCooker"; nocase; http_header; reference:url,doc.emergingthreats.net/2010717; classtype:trojan-activity; sid:2010717; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Checkin User-Agent (Gootkit HTTP Client)"; flow:to_server,established; content:"Gootkit HTTP Client"; http_header; nocase; 
reference:url,doc.emergingthreats.net/2010718; classtype:trojan-activity; sid:2010718; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|Cookie\: "; nocase; content:"admin-access="; content:"e107language_"; pcre:"/Cookie: .*admin-access=/i"; reference:url,seclists.org/fulldisclosure/2010/Jan/480; reference:url,www.e107.org/news.php; reference:url,doc.emergingthreats.net/2010719; classtype:attempted-admin; sid:2010719; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Scan Precursor"; flow:established,to_server; content:"/thisdoesnotexistahaha.php"; http_uri; reference:url,doc.emergingthreats.net/2010720; classtype:web-application-attack; sid:2010720; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Oficla Russian Malware Bundle C&C instruction response with runurl"; flow:established,to_client; file_data; content:"[info]runurl|3a|"; content:"|7c|taskid|3a|"; within:100; content:"|7c|delay|3a|"; within:30; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010723; classtype:trojan-activity; sid:2010723; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Oficla Russian Malware Bundle C&C instruction response"; flow:established,to_client; file_data; content:"[info]kill|3a|"; content:"|7c|delay|3a|"; within:50; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010724; classtype:trojan-activity; sid:2010724; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY ApacheBenchmark Tool User-Agent Detected"; flow:to_server,established; content:"User-Agent|3a| 
ApacheBench"; http_header; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,httpd.apache.org/docs/2.0/programs/ab.html/; reference:url,doc.emergingthreats.net/2010725; classtype:attempted-recon; sid:2010725; rev:6;)
# sid:2010726 - server-to-client response body (file_data) that contains "clsid",
# then the CLSID CA8A9780-280D-11CF-A24D-444553540000, then "src", each case-insensitive
# and in that order (distance:0).
# NOTE(review): the pcre opens with `]*classid`. A leading `]*` constrains nothing, which
# suggests the start of the expression (probably an HTML tag prefix) was stripped from this
# copy. As written it matches `classid = clsid:<CLSID>` anywhere in the buffer. Compare with
# the upstream rule before loading.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4;)
# sid:2010727 - outbound HTTP request whose headers contain "User-Agent: Live Enterprise Suite"
# (case-insensitive). Single-string User-Agent match with no threshold, so every matching
# request from an affected host alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Live Enterprise Suite)"; flow:to_server,established; content:"User-Agent|3a| Live Enterprise Suite"; http_header; nocase; reference:url,doc.emergingthreats.net/2010727; classtype:trojan-activity; sid:2010727; rev:4;)
# sid:2010728 - inbound request to /wp-admin/admin.php whose page= value names one of four
# plugin files listed in the pcre (reference: CVE-2009-2334).
# The URI is matched with the legacy uricontent keyword, and the pcre runs on the normalized
# URI (/U). content:"page=" carries no buffer modifier, so it is checked against the raw
# payload rather than the URI.
# NOTE(review): only the first pcre alternative starts with an escaped "/"; the other three
# must follow "page=" directly. Confirm this asymmetry is intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established,to_server; uricontent:"/wp-admin/admin.php"; nocase; content:"page="; nocase; pcre:"/\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp)/Ui"; reference:url,www.securityfocus.com/bid/35584; reference:cve,2009-2334; reference:url,doc.emergingthreats.net/2010728; classtype:web-application-attack; sid:2010728; rev:2;)
# sid:2010730 - server-to-client response body check; the rule's options continue on the
# next line of this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; file_data; 
content:"CSCO_WebVPN"; nocase; distance:0; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious exe.exe request - possible downloader/Oficla"; flow:to_server,established; content:"/exe.exe"; nocase; http_uri; pcre:"/\/exe\.exe$/Ui"; reference:url,anubis.iseclab.org/?action=result&task_id=11873c8979f34c8d4fd0da512df635cac&format=txt; reference:url,doc.emergingthreats.net/2010741; classtype:trojan-activity; sid:2010741; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:!"Accept-Encoding|3a| "; nocase; http_header; content:".php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; classtype:trojan-activity; sid:2010743; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Oficla Russian Malware Bundle C&C instruction response (2)"; flow:established,to_client; file_data; content:"[info]delay|3a|"; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010744; classtype:trojan-activity; sid:2010744; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call 
Attempt"; flow:from_server,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SoftArtisans.FileManager.1"; distance:0; nocase; pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010745; classtype:attempted-user; sid:2010745; rev:3;)
# sid:2010746 .. sid:2010749 - four sibling rules, one per method name (BuildPath,
# GetDriveName, DriveExists, DeleteFile). Each inspects a server-to-client response body
# (file_data) for "clsid", then the CLSID E7B62F4E-82F4-11D2-BD41-00105A0A7E89, then the
# method name, all case-insensitive.
# NOTE(review), all four: the pcre opens with `]*classid`. A leading `]*` constrains nothing,
# which suggests the start of the expression (probably an HTML tag prefix) was stripped from
# this copy. As written it matches `classid = clsid:<CLSID>` anywhere in the buffer. Compare
# with the upstream rules before loading.
# NOTE(review), sid:2010746 only: content:"BuildPath" has no distance:0, unlike the method
# content in the three sibling rules, so it is not required to appear after the CLSID.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"BuildPath"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010746; classtype:attempted-user; sid:2010746; rev:3;)
# sid:2010747 - GetDriveName variant; the method name must follow the CLSID (distance:0).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"GetDriveName"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010747; classtype:attempted-user; sid:2010747; rev:3;)
# sid:2010748 - DriveExists variant. This copy of the rule is broken across two lines
# inside the msg string.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack 
overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DriveExists"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010748; classtype:attempted-user; sid:2010748; rev:3;)
# sid:2010749 - DeleteFile variant; the method name must follow the CLSID (distance:0).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3;)
# sid:2010750 - inbound GET whose URI contains /index.php?option=com_musicgallery&,
# &task=itempage, Id=, SELECT and FROM (all case-insensitive, http_uri).
# The five URI contents are unordered; only the pcre requires SELECT before FROM.
# Nothing ties the SQL keywords to the Id= value, so they may sit in any parameter.
# Only GET is covered, and "option=" must be the first query parameter for the URI literal
# to match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010750; classtype:web-application-attack; sid:2010750; rev:3;)
# Next rule starts here and continues on the following line of this file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010751; classtype:web-application-attack; sid:2010751; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010752; classtype:web-application-attack; sid:2010752; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010753; classtype:web-application-attack; sid:2010753; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_musicgallery&"; nocase; http_uri; content:"&task=itempage"; nocase; http_uri; content:"Id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010754; classtype:web-application-attack; sid:2010754; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; fast_pattern:only; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; content:"/bb.php"; nocase; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; content:"v="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"b="; nocase; http_uri; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; reference:url,doc.emergingthreats.net/2010756; classtype:trojan-activity; sid:2010756; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; content:".ass"; nocase; http_uri; flowbits:set,ET.ass.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010757; classtype:not-suspicious; sid:2010757; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; 
flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:4;)
# sid:2010759 - inbound TCP/9100 payload with "ENTER LANGUAGE =" (case-insensitive) inside
# the first 50 bytes, at least 55 more bytes after it (isdataat), and no LF within those
# 55 bytes. The pcre restates the same length condition (.{55} with /s).
# Source is $EXTERNAL_NET only, so traffic from internal hosts to printers is not inspected
# by this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; reference:url,www.securityfocus.com/bid/38010; reference:url,doc.emergingthreats.net/2010759; classtype:attempted-admin; sid:2010759; rev:2;)
# sid:2010761 - inbound request whose URI contains all six listed strings (legacy
# uricontent, case-insensitive, no ordering between them): the Zenoss admin user path plus
# the parameters of a "save user settings" call, including password=.
# The rule matches the shape of the request; it cannot tell a forged request from a
# legitimate administrator action (the msg says "Possible").
# NOTE(review): the source is $EXTERNAL_NET, so a request issued from a browser inside
# $HOME_NET would not be seen. Confirm the direction suits the deployment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010761; classtype:web-application-attack; sid:2010761; rev:2;)
# sid:2010763 - same approach for the Zenoss "ping" user command: four unordered,
# case-insensitive URI strings. The direction and forged-vs-legitimate caveats noted for
# sid:2010761 apply here too.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010763; classtype:web-application-attack; sid:2010763; rev:2;)
# sid:2010765 - outbound HTTP check-in match on /manda.php?; the rule's options continue on
# the next line of this file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; content:"/manda.php?"; http_uri; content:"id="; nocase; 
http_uri; content:"&v="; nocase; http_uri; pcre:"/\/manda\.php\?id=(-)?\d{9,10}&v=\w/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2010765; classtype:trojan-activity; sid:2010765; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy TRACE Request - inbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; reference:url,doc.emergingthreats.net/2010766; classtype:bad-unknown; sid:2010766; rev:9;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Open-Proxy ScannerBot (webcollage-UA) "; flow:established,to_server; content:"User-Agent|3a| webcollage/1.135a"; fast_pattern:only; http_header; nocase; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:2010768; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt"; flow:established,to_server; content:"/smhui/getuiinfo"; nocase; http_uri; content:"JS"; nocase; http_uri; content:"servercert="; nocase; http_uri; pcre:"/servercert\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727; reference:cve,2009-4185; reference:url,doc.emergingthreats.net/2010770; classtype:web-application-attack; sid:2010770; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File 
Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_messages.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010771; classtype:web-application-attack; sid:2010771; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010772; classtype:web-application-attack; sid:2010772; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/view_blog_archives.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010773; classtype:web-application-attack; sid:2010773; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/add_comments.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; 
pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010774; classtype:web-application-attack; sid:2010774; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/downloads.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010775; classtype:web-application-attack; sid:2010775; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/emailsender.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010776; classtype:web-application-attack; sid:2010776; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/left_menu.php?"; nocase; uricontent:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010777; 
classtype:web-application-attack; sid:2010777; rev:2;)
# sid:2010780 - inbound GET to /components/com_mediaslide/viewer.php? with a path=
# parameter (both matched in the URI, case-insensitive) and the literal "../".
# NOTE(review): content:"../"; depth:200 has no http_uri modifier, so it is evaluated
# against the first 200 bytes of the raw payload, not the normalized URI. A percent-encoded
# traversal sequence would not match this literal, and "../" is not tied to the path=
# value. Confirm that is intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_mediaslide/viewer.php?"; nocase; http_uri; content:"path="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,37440; reference:url,doc.emergingthreats.net/2010780; classtype:web-application-attack; sid:2010780; rev:3;)
# sid:2010781 - traffic to $HOME_NET on 139/445 that carries the bytes for "\PSEXESVC.EXE"
# in 16-bit little-endian form. The source is "any", so host-to-host traffic inside the
# network is covered as well.
# The match is case-sensitive (no nocase) and depends on this exact file name. There is no
# threshold. PsExec is also used for routine administration, so triage hits against the
# known admin hosts.
alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"|5c 00 50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:2;)
# sid:2010782 - same pattern for "\rctrlxsrv.exe" (16-bit little-endian, lower case,
# case-sensitive).
alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY RemoteControlX rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; reference:url,doc.emergingthreats.net/2010782; classtype:suspicious-filename-detect; sid:2010782; rev:2;)
# sid:2010783 - same pattern for "gsecdump.exe" (16-bit little-endian, lower case,
# case-sensitive, no leading backslash). The rule sees the file name in SMB traffic; the
# msg says "executed", but the match itself shows only that the name crossed the wire.
alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; reference:url,doc.emergingthreats.net/2010783; classtype:suspicious-filename-detect; sid:2010783; rev:3;)
# sid:2010784 - outbound HTTP POST to /ajax/chat/send.php with "facebook.com" somewhere in
# the request headers. Policy rule: it inspects parsed HTTP on $HTTP_PORTS only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:3;)
# sid:2010785 - companion rule for the buddy-list endpoint; the rule text continues on the
# next line of this file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (buddy 
list)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/buddy_list.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010785; classtype:policy-violation; sid:2010785; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/settings.php"; http_uri; content:"facebook.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; classtype:trojan-activity; sid:2010787; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; depth:250; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; classtype:trojan-activity; sid:2010788; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; reference:url,doc.emergingthreats.net/2010790; classtype:trojan-activity; sid:2010790; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/w00tw00t."; nocase; http_uri; depth:10; reference:url,doc.emergingthreats.net/2010794; classtype:attempted-recon; sid:2010794; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; content:"Accept-Encoding|3a| identity"; http_header; content:"Next|2d|Polling"; http_header; fast_pattern:only; content:"Content|2d|Salt|3a| "; http_header; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/Hi"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; file_data; content:"document.createEventObject"; distance:0; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/manager/DiagLogListActionBody.do?"; nocase; http_uri; content:"logFile="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010800; 
classtype:web-application-attack; sid:2010800; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; http_uri; content:"captureFile="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010801; classtype:web-application-attack; sid:2010801; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/sat/ViewSatReport.do?"; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010802; classtype:web-application-attack; sid:2010802; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; http_uri; content:"capture="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010803; classtype:web-application-attack; sid:2010803; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/acopia/sat/ViewInventoryErrorReport.do?"; nocase; http_uri; content:"fileName="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010804; 
classtype:web-application-attack; sid:2010804; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010805; classtype:web-application-attack; sid:2010805; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010806; classtype:web-application-attack; sid:2010806; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010807; classtype:web-application-attack; sid:2010807; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; 
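content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010808; classtype:web-application-attack; sid:2010808; rev:3;)
# Joomla com_yelp "cid" SQL injection, UPDATE ... SET variant: GET to /index.php? with
# option=com_yelp& and cid= in the normalized URI, plus both keywords in order (/UPDATE.+SET/Ui).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yelp&"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010809; classtype:web-application-attack; sid:2010809; rev:3;)
# VLC smb:// URI overflow, server-to-client: an opening location tag, "smb://" within 20 bytes
# of it, then at least 1000 further bytes with no line feed in them (isdataat:1000,relative
# together with the negated |0A| match), confirmed by the pcre.
# Fix: the first literal had been reduced to content:"" because angle-bracketed text was
# stripped from this copy; an empty pattern is not something the engine can load. Restored as
# "<location>", the element whose closing tag the pcre spells out as \x3C\x2Flocation\x3E.
# NOTE(review): the pcre opens with \x3Clocation\x3D ("<location="), which does not agree with
# a literal ending in ">"; verify both against the upstream rule for this sid before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:4;)
# AOL 9.5 ActiveX BindToFile: the control's CLSID followed by the method name in file_data,
# confirmed by a classid= attribute match on the same CLSID.
# Fix: the pcre began with "]*classid", the remnant of a stripped "<OBJECT\s+[^>" prefix. In that
# form "]*" matches the empty string, so the pcre accepted "classid=" anywhere; restored so the
# attribute has to sit inside an <OBJECT ...> tag. Verify against the upstream rule for this sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt"; flow:established,to_client; file_data; content:"BC8A96C6-3909-11D5-9001-00C04F4C3B9F"; nocase; distance:0; content:"BindToFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC8A96C6-3909-11D5-9001-00C04F4C3B9F/si"; reference:url,tcc.hellcode.net/advisories/hellcode-adv008.txt; reference:url,doc.emergingthreats.net/2010814; classtype:attempted-user; sid:2010814; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Facebook Chat using XMPP"; 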
flow:to_server,established; content:"chat.facebook.com"; nocase; content:"jabber|3A|client"; nocase; distance:9; within:13; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.facebook.com/sitetour/chat.php; reference:url,doc.emergingthreats.net/2010819; classtype:policy-violation; sid:2010819; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Tilde in URI - potential .cgi source disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:".cgi~"; nocase; http_uri; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2010820; classtype:web-application-attack; sid:2010820; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN smain?scout=acxc Generic Download landing"; flow:established,to_server; content:"GET"; depth:3; http_method; nocase; content:"/smain?scout=acxc"; nocase; http_uri; pcre:"/\/smain\?scout=acxc[a-z]{3}$/Ui"; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; reference:url,doc.emergingthreats.net/2010822; classtype:trojan-activity; sid:2010822; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Related Fake User-Agent (Apache (compatible...))"; flow:established,to_server; content:"User-Agent|3a| Apache (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; reference:url,doc.emergingthreats.net/2010823; classtype:trojan-activity; sid:2010823; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_intuit/models/intuit.php?"; nocase; http_uri; content:"approval="; nocase; http_uri; content:"../"; depth:200; 
reference:url,www.exploit-db.com/exploits/10730; reference:url,doc.emergingthreats.net/2010833; classtype:web-application-attack; sid:2010833; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WScript/VBScript XMLHTTP downloader likely malicious get?src="; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest"; nocase; http_header; content:"/get?src="; nocase; http_uri; fast_pattern; content:"|0d 0a|Request|3a| "; nocase; content:"run|0d 0a|"; within:5; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010838; classtype:trojan-activity; sid:2010838; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010842; classtype:web-application-attack; sid:2010842; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010843; classtype:web-application-attack; sid:2010843; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL 
Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010844; classtype:web-application-attack; sid:2010844; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010845; classtype:web-application-attack; sid:2010845; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_avosbillets&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010846; classtype:web-application-attack; sid:2010846; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_if_nexus&"; nocase; uricontent:"controller="; nocase; pcre:"/controller\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10754; 
reference:url,doc.emergingthreats.net/2010847; classtype:web-application-attack; sid:2010847; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_morfeoshow/morfeoshow.html.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; pcre:"/user_id\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secdb.4sec.org/?s1=exp&sid=18773; reference:url,doc.emergingthreats.net/2010848; classtype:web-application-attack; sid:2010848; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010853; classtype:web-application-attack; sid:2010853; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010854; classtype:web-application-attack; sid:2010854; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL 
Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010855; classtype:web-application-attack; sid:2010855; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010856; classtype:web-application-attack; sid:2010856; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_job&"; nocase; http_uri; content:"id_job="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010857; classtype:web-application-attack; sid:2010857; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt"; flow:established,to_server; content:"/Forms/login"; nocase; http_uri; content:"login_username="; nocase; http_uri; 
pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:cve,2009-1798; reference:url,doc.emergingthreats.net/2010862; classtype:web-application-attack; sid:2010862; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gsb/datetime.php"; nocase; http_uri; content:"delBackupName"; nocase; http_client_body; content:"backupRestoreFormSubmitted"; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/OvCgi/Toolbar.exe"; nocase; http_uri; content:"Accept-Language|3A|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; classtype:web-application-attack; sid:2010864; rev:9;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/readme.nsf/Header"; nocase; http_uri; content:"OpenPage="; nocase; http_uri; content:"BaseTarget="; nocase; http_uri; pcre:"/BaseTarget\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.securityfocus.com/bid/38481; reference:url,doc.emergingthreats.net/2010865; classtype:web-application-attack; sid:2010865; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incorrectly formatted 
User-Agent string (dashes instead of semicolons) Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1- "; fast_pattern:35,20; http_header; reference:url,doc.emergingthreats.net/2010868; classtype:bad-unknown; sid:2010868; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pragma hack Detected Outbound - Likely Infected Source"; flow:established,to_client; content:"Pragma|3a| hack/"; nocase; http_header; classtype:trojan-activity; sid:2010872; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&bid="; http_client_body; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!".bitdefender.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010875; classtype:trojan-activity; sid:2010875; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; 
reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"unescape|28|"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; classtype:bad-unknown; sid:2010881; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile"; flow:established,to_client; file_data; content:"PDF-"; within:300; content:"arguments.callee"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=1519; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010883; classtype:misc-activity; sid:2010883; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variables"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; pcre:"/^[a-z]{3,6}\x3d[A-F0-9]{50}/Pi"; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010885; classtype:trojan-activity; sid:2010885; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x Plugin Download Request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; nocase; content:"getp="; http_client_body; content:"id="; http_client_body; content:"ln="; http_client_body; content:"bid="; http_client_body; content:"nt="; http_client_body; content:"cn="; http_client_body; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010886; 
classtype:trojan-activity; sid:2010886; rev:5;)
# Outbound downloader check-in: the normalized URI must contain ".php?" and the four parameter
# names c_pcode=, c_pid=, c_kind= and c_mac=. No nocase and no ordering modifiers are set, so
# the names are matched case-sensitively and in any order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader checkin (3)"; flow:established,to_server; content:".php?"; http_uri; content:"c_pcode="; http_uri; content:"c_pid="; http_uri; content:"c_kind="; http_uri; content:"c_mac="; http_uri; reference:url,doc.emergingthreats.net/2010888; classtype:trojan-activity; sid:2010888; rev:5;)
# Outbound request whose User-Agent header starts with the misspelling "Mozzila" (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32.Tdss User Agent Detected (Mozzila)"; flow:established,to_server; content:"User-Agent|3a| Mozzila"; http_header; reference:url,doc.emergingthreats.net/2010889; classtype:trojan-activity; sid:2010889; rev:3;)
# phpMyAdmin setup-script abuse, two variants keyed on /config/config.inc.php in the URI.
# Both use the older uricontent keyword and put no constraint on the HTTP method.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (p=)"; flow:established,to_server; uricontent:"/config/config.inc.php"; uricontent:"p=phpinfo()"; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010902; classtype:web-application-attack; sid:2010902; rev:4;)
# NOTE(review): the second pattern here is the two-byte "c=", which any parameter name ending
# in "c" also satisfies; the specificity of this rule comes from the path match alone.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)"; flow:established,to_server; uricontent:"/config/config.inc.php"; uricontent:"c="; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010903; classtype:web-application-attack; sid:2010903; rev:4;)
# Inbound request announcing a "Mozilla/0." User-Agent. fast_pattern:11,11 hands the pattern
# matcher the last 11 bytes of the 22-byte literal (" Mozilla/0.") instead of the common prefix.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; http_header; fast_pattern:11,11; reference:url,doc.emergingthreats.net/2010904; classtype:bad-unknown; sid:2010904; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake Mozilla UA Outbound (Mozilla/0.xx)"; 
flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern:11,11; http_header; reference:url,doc.emergingthreats.net/2010905; classtype:bad-unknown; sid:2010905; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; fast_pattern:5,20; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; reference:url,doc.emergingthreats.net/2010909; classtype:trojan-activity; sid:2010909; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; reference:url,doc.emergingthreats.net/2010910; classtype:trojan-activity; sid:2010910; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010911; classtype:trojan-activity; sid:2010911; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; reference:url,doc.emergingthreats.net/2010912; classtype:trojan-activity; sid:2010912; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer 
FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010914; classtype:trojan-activity; sid:2010914; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010915; classtype:trojan-activity; sid:2010915; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010916; classtype:trojan-activity; sid:2010916; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; reference:url,doc.emergingthreats.net/2010917; classtype:trojan-activity; sid:2010917; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; content:"/support_param.html/config"; nocase; http_uri; content:"Admin_Name=&Admin_Phone="; nocase; http_uri; content:"Product_URL="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; reference:url,doc.emergingthreats.net/2010919; classtype:web-application-attack; sid:2010919; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
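$HTTP_PORTS (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"cmd="; http_uri; fast_pattern; nocase; pcre:"/[&?]cmd=[^\x26\x28]*(?:cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2010920; classtype:web-application-attack; sid:2010920; rev:9;)
# Ask.com Toolbar askBar.dll ActiveX ShortFormat: "clsid", the control's CLSID and the method
# name, in that order within file_data, confirmed by a classid= attribute match on the CLSID.
# Fix: the pcre began with "]*classid", the remnant of a stripped "<OBJECT\s+[^>" prefix. In that
# form "]*" matches the empty string, so the pcre accepted "classid=" anywhere; restored so the
# attribute has to sit inside an <OBJECT ...> tag. Verify against the upstream rule for this sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:5;)
# SaurusCMS class.writeexcel_workbook.inc.php remote file inclusion: the raw payload starts with
# "GET " (depth:4), the URI holds the script path and class_path=, and the pcre requires the
# parameter value to begin with an http(s), ftp(s) or php scheme followed by ":/".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/classes/excel/class.writeexcel_workbook.inc.php?"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010922; classtype:web-application-attack; sid:2010922; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/classes/excel/class.writeexcel_worksheet.inc.php?"; nocase; uricontent:"class_path="; nocase; 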
pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010923; classtype:web-application-attack; sid:2010923; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010924; classtype:web-application-attack; sid:2010924; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010925; classtype:web-application-attack; sid:2010925; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010926; classtype:web-application-attack; sid:2010926; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010927; classtype:web-application-attack; sid:2010927; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?option=com_perchagallery&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010928; classtype:web-application-attack; sid:2010928; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper Checkin 2 (often scripts.dlv4.com related)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Common/module.php?"; nocase; http_uri; content:"&isautogeneratedpage="; nocase; http_uri; content:"&dialer="; nocase; http_uri; content:"&p2e="; nocase; http_uri; content:"&nohit="; nocase; http_uri; reference:url,doc.emergingthreats.net/2010932; classtype:trojan-activity; sid:2010932; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; content:"User-Agent|3a| InfoBox"; http_header; reference:url,doc.emergingthreats.net/2010934; classtype:trojan-activity; sid:2010934; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET POLICY Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, 
count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:2;)
# Inbound connection attempts to database listener ports (1521, 3306, 4333, 5432 below).
# Each rule matches a TCP SYN (flags:S) from $EXTERNAL_NET to $HOME_NET on one fixed port and
# inspects no payload, so it records that a connection was attempted, not that one succeeded.
# threshold type limit, count 5, seconds 60, track by_src caps output at five alerts per source
# address in any 60-second window.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET POLICY Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET POLICY Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET POLICY Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:2;)
# SMTP (port 25) recipient-field command injection against the SpamAssassin milter: "to:" within
# the first 10 payload bytes (case-insensitive), followed anywhere later by the bytes +"| .
# NOTE(review): sid 2010877 earlier in this file is the same rule except that its second literal
# is +:"| ; a payload containing both sequences raises two alerts for a single event.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010941; classtype:attempted-user; sid:2010941; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jcollection&"; nocase; 
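http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,www.exploit-db.com/exploits/11088; reference:url,doc.emergingthreats.net/2010942; classtype:web-application-attack; sid:2010942; rev:3;)
# SoftCab Sound Converter ActiveX SaveFormat: the control's CLSID followed by the method name in
# file_data, confirmed by a classid= attribute match on the same CLSID.
# Fix: the pcre began with "]*classid", the remnant of a stripped "<OBJECT\s+[^>" prefix. In that
# form "]*" matches the empty string, so the pcre accepted "classid=" anywhere; restored so the
# attribute has to sit inside an <OBJECT ...> tag. Verify against the upstream rule for this sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftCab Sound Converter ActiveX SaveFormat File overwrite Attempt"; flow:established,to_client; file_data; content:"66757BFC-DA0C-41E6-B3FE-B6D461223FF5"; nocase; distance:0; content:"SaveFormat"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*66757BFC-DA0C-41E6-B3FE-B6D461223FF5/si"; reference:url,secunia.com/advisories/37967/; reference:url,doc.emergingthreats.net/2010943; classtype:web-application-attack; sid:2010943; rev:3;)
# Viscom Movie Player Pro SDK, scripted-instantiation form: "ActiveXObject", the ProgID
# MOVIEPLAYER.MoviePlayerCtrl.1 and the DrawText method name, each after the previous match
# (distance:0) within file_data. No pcre; the three literals are the whole signature.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; nocase; distance:0; content:"DrawText"; nocase; distance:0; reference:url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt; reference:url,secunia.com/advisories/38156/; reference:url,doc.emergingthreats.net/2010944; classtype:attempted-user; sid:2010944; rev:3;)
# Yahoo CD Player ActiveX Open: "clsid", then the control's CLSID, plus the method name "Open",
# confirmed by a classid= attribute match on the CLSID.
# Fix: same "]*classid" remnant as in the SoftCab rule above; "<OBJECT\s+[^>" prefix restored.
# NOTE(review): unlike the two rules above this one sets no file_data, and content:"Open" has no
# distance or within, so the four-letter literal may match anywhere in the payload, before or
# after the CLSID. Expect it to add little selectivity beyond the CLSID and pcre.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5622772D-6C27-11D3-95E5-006008D14F3B"; nocase; distance:0; content:"Open"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5622772D-6C27-11D3-95E5-006008D14F3B/si"; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010945; classtype:attempted-user; sid:2010945; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Function Call"; 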
flow:to_client,established; content:"ActiveXObject"; nocase; content:"YoPlayer.YoPlyCd.1"; nocase; distance:0; content:"open"; nocase; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010946; classtype:attempted-user; sid:2010946; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010947; classtype:web-application-attack; sid:2010947; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010948; classtype:web-application-attack; sid:2010948; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/38691/; 
reference:url,doc.emergingthreats.net/2010949; classtype:web-application-attack; sid:2010949; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010950; classtype:web-application-attack; sid:2010950; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hdflvplayer&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010951; classtype:web-application-attack; sid:2010951; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Skipfish Web Application Scan Detected"; flow:established,to_server; content:"User-Agent|3A| Mozilla/5.0 SF"; http_header; fast_pattern:6,20; threshold:type limit, count 10, seconds 60, track by_src; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; classtype:attempted-recon; sid:2010953; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN crimscanner User-Agent detected"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| crimscanner/"; http_header; nocase; 
reference:url,doc.emergingthreats.net/2010954; classtype:network-scan; sid:2010954; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Skipfish Web Application Scan Detected (2)"; flow:established,to_server; content:"GET"; http_method; content:".old"; http_uri; content:"User-Agent|3A| Mozilla/5.0 SF/"; http_header; fast_pattern:only; content:"Range|3A| bytes=0-199999"; http_header; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; classtype:attempted-recon; sid:2010956; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| WhatWeb/"; fast_pattern:only; http_header; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT USER SQL Injection Attempt in URI"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"USER"; nocase; http_uri; pcre:"/SELECT[^a-z].+USER/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2010963; classtype:web-application-attack; sid:2010963; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"CHARACTER"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/SHOW.+CHARACTER.+SET/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; reference:url,doc.emergingthreats.net/2010964; classtype:web-application-attack; sid:2010964; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW 
VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"VARIABLES"; nocase; http_uri; pcre:"/SHOW.+VARIABLES/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"CUR"; nocase; http_uri; pcre:"/SHOW.+CUR(DATE|TIME)/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; reference:url,doc.emergingthreats.net/2010966; classtype:web-application-attack; sid:2010966; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW"; nocase; http_uri; content:"TABLES"; nocase; http_uri; pcre:"/SHOW.+TABLES/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; reference:url,doc.emergingthreats.net/2010967; classtype:web-application-attack; sid:2010967; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt"; flow:to_client,established; file_data; content:"PDF-"; depth:300; content:"Launch"; distance:0; content:"Win"; distance:0; content:".exe"; nocase; distance:0; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; 
reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,doc.emergingthreats.net/2010968; classtype:attempted-user; sid:2010968; rev:8;)
# Outbound policy rule: an internal host requesting a URI that contains /services/get_proxies/.
# The only discriminator is that URI substring. "ProxyShell" in these two POLICY rules names an
# IP-hiding/proxy product (see the installer rule below), not the later Exchange Server
# vulnerability chain of the same name - worth keeping in mind when triaging on the msg text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible ProxyShell Anonymous Access Connection"; flow:established,to_server; content:"/services/get_proxies/"; http_uri; reference:url,doc.emergingthreats.net/2010969; classtype:policy-violation; sid:2010969; rev:3;)
# HP OpenView NNM OvWebHelp.exe: POST to /OvCgi/OvWebHelp.exe where "Topic=" is followed by at
# least 1000 more bytes (isdataat:1000,relative) with no line feed inside those 1000 bytes.
# This is a length heuristic for an over-long Topic value, tied to the CVE in the reference.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/OvCgi/OvWebHelp.exe"; nocase; http_uri; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; classtype:web-application-attack; sid:2010970; rev:3;)
# Outbound GET for the installer file name /proxyshell_hide_ip_setup.exe.
# NOTE(review): the documentation reference ends in 2010792 while the rule's sid is 2010972.
# The digits look transposed; check which one the upstream rule carries before relying on the link.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible ProxyShell Hide IP Installation file download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/proxyshell_hide_ip_setup.exe"; http_uri; nocase; reference:url,www.browserdefender.com/file/484661/site/putas18.info/; reference:url,doc.emergingthreats.net/2010792; classtype:policy-violation; sid:2010972; rev:3;)
# Vobfus/Changeup: server-to-client data from source ports 6000-10000 whose first 11 bytes
# contain ":.dl http:" (|3a 2e| is ":." and |3a| is ":"). No application-layer keyword is used.
alert tcp $EXTERNAL_NET 6000:10000 -> $HOME_NET any (msg:"ET TROJAN Vobfus/Changeup/Chinky Download Command"; flow:to_client,established; content:"|3a 2e|dl http|3a|"; depth:11; reference:url,doc.emergingthreats.net/2010973; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus; 
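reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2; reference:url,www.symantec.com/connect/blogs/w32changeup-threat-profile; reference:url,www.threatexpert.com/report.aspx?md5=f8880b851ea5ed92dd97657574fb4f70; classtype:trojan-activity; sid:2010973; rev:4;)
# Unruy check-in: outbound request whose normalized URI ends (the pcre is anchored with $) in
# ".php?U=" followed by five decimal fields separated by "@" and a final lowercase-hex field.
# The two content matches only pre-filter; the pcre carries the actual structure.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unruy Downloader Checkin"; flow:established,to_server; content:".php?U="; http_uri; content:"@"; http_uri; pcre:"/\.php\?U=\d+@\d+@\d+@\d+@\d+@[a-f0-9]+$/U"; reference:url,ddanchev.blogspot.com/2010/03/copyright-lawsuit-filed-against-you.html; reference:url,isc.sans.org/diary.html?storyid=8497; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.STM&VSect=T; reference:url,doc.emergingthreats.net/2010975; classtype:trojan-activity; sid:2010975; rev:5;)
# JcomBand toolbar ActiveX: response body containing "clsid", the control's CLSID and the
# isRegistered member name, confirmed by a pcre for an <OBJECT ... classid=clsid:...> tag.
# The pcre opening "<OBJECT\s+[^>" is restored here: the text as received began the pattern at
# "]*classid", consistent with the angle-bracketed span having been stripped as markup.
# Confirm against the upstream rule for this sid before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:3;)
# ispCP Omega RFI: the request must start with "GET " and the URI must hold the template path and
# the net2ftp_globals[application_skinsdir] parameter. The pcre then requires the parameter value
# to begin with an http(s), ftp(s) or php scheme followed by ":/".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/tools/filemanager/skins/mobile/admin1.template.php?"; nocase; uricontent:"net2ftp_globals[application_skinsdir]="; nocase; pcre:"/net2ftp_globals\[application_skinsdir\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,packetstorm.foofus.com/1003-exploits/ispcp-rfi.txt; 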
reference:bugtraq,38644; reference:url,doc.emergingthreats.net/2010979; classtype:web-application-attack; sid:2010979; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt"; flow:established,to_server; content:"/WebEditor/Authentication/LoginPage.aspx?"; nocase; http_uri; content:"ReturnUrl="; nocase; http_uri; content:"errMsg="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstorm.foofus.com/1003-exploits/ibmenovia-xss.txt; reference:url,doc.emergingthreats.net/2010980; classtype:web-application-attack; sid:2010980; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010981; classtype:web-application-attack; sid:2010981; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010982; classtype:web-application-attack; 
sid:2010982; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010983; classtype:web-application-attack; sid:2010983; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010984; classtype:web-application-attack; sid:2010984; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_quicknews&"; nocase; http_uri; content:"&task=view_item"; nocase; http_uri; content:"newsid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010985; classtype:web-application-attack; sid:2010985; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CommonSpot Server longproc.cfm Cross 
Site Scripting Attempt"; flow:to_server,established; content:"/commonspot/utilities/longproc.cfm?"; nocase; http_uri; content:"onlyurlvars="; nocase; http_uri; content:"url="; nocase; http_uri; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert| $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?option=com_ccnewsletter&"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,37987; reference:url,doc.emergingthreats.net/2010989; classtype:web-application-attack; sid:2010989; rev:3;)
# NOTE(review): the rule text directly above is damaged and will not parse as written.
# The CommonSpot longproc.cfm XSS rule stops inside its pcre alternation (after "alert|") and runs
# straight into "$HTTP_SERVERS $HTTP_PORTS (msg:..." of the Joomla com_ccnewsletter LFI rule.
# Missing from this text: the rest of the CommonSpot pcre, its references, classtype, sid and rev,
# and the action/protocol/source part of the com_ccnewsletter header. The break falls where an
# angle-bracket character would plausibly have opened the next pcre alternative, which suggests
# the span was removed as markup. Restore both rules from the upstream ruleset, not by hand.
#
# Joomla SQL Reports (com_sqlreport print.php) rules: one rule per SQL keyword pair.
# Each requires a GET, the print.php path and "user_id=" in the normalized URI, then both keywords,
# and finally a case-insensitive pcre on the normalized URI (/U) for keyword-order.
# Because of the GET requirement, a parameter delivered by another method is not covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010990; classtype:web-application-attack; sid:2010990; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010991; classtype:web-application-attack; sid:2010991; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION 
SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010992; classtype:web-application-attack; sid:2010992; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010993; classtype:web-application-attack; sid:2010993; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010994; classtype:web-application-attack; sid:2010994; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_communitypolls&"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; 
reference:url,www.exploit-db.com/exploits/11511; reference:url,doc.emergingthreats.net/2010996; classtype:web-application-attack; sid:2010996; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/smallaxe-0.3.1/inc/linkbar.php?"; nocase; http_uri; content:"cfile="; nocase; http_uri; pcre:"/cfile\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10676; reference:url,doc.emergingthreats.net/2011000; classtype:web-application-attack; sid:2011000; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011001; classtype:web-application-attack; sid:2011001; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011002; classtype:web-application-attack; sid:2011002; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; 
content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011003; classtype:web-application-attack; sid:2011003; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011004; classtype:web-application-attack; sid:2011004; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rsgallery2&"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011005; classtype:web-application-attack; sid:2011005; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/wp-content/plugins/nextgen-gallery/xml/media-rss.php"; nocase; uricontent:"mode="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; 
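reference:url,www.coresecurity.com/content/nextgen-gallery-xss-vulnerability; reference:cve,2010-1186; reference:url,doc.emergingthreats.net/2011006; classtype:web-application-attack; sid:2011006; rev:2;)
# IE Tabular Data Control: response body containing the control's CLSID, then "DataURL", then
# value=" followed by at least 100 bytes with no line feed in them (a long-value heuristic).
# A pcre for an <OBJECT ... classid=clsid:...> tag confirms the match.
# The pcre opening "<OBJECT\s+[^>" is restored here: the text as received began the pattern at
# "]*classid", consistent with the angle-bracketed span having been stripped as markup.
# Confirm against the upstream rule for this sid before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; distance:0; content:"DataURL"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83/si"; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.vupen.com/english/advisories/2010/0744; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0805; reference:url,doc.emergingthreats.net/2011007; classtype:attempted-user; sid:2011007; rev:10;)
# Java Deployment Toolkit: response body containing the control's CLSID and "launch".
# Same pcre restoration as the rule above in this block.
# There is no length or argument check, so any page that embeds this CLSID and contains the word
# "launch" after it will match; treat alerts as a prompt to inspect the page content.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; file_data; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; content:"launch"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/si"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011010; classtype:attempted-user; sid:2011010; rev:7;)
# SNMP community-string rule: a plain payload match for the string on UDP/161 from $EXTERNAL_NET.
# The packet is not decoded as SNMP, so the string matches wherever it appears in the datagram.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; content:"ILMI"; 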
nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011011; classtype:attempted-admin; sid:2011011; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; flow:to_server,established; content:"ILMI"; nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011012; classtype:attempted-admin; sid:2011012; rev:3;) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; content:"cable-docsis"; nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011013; classtype:attempted-admin; sid:2011013; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; flow:to_server,established; content:"cable-docsis"; nocase; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011014; classtype:attempted-admin; sid:2011014; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun 
Microsystems Sun Java System Web Server Remote File Disclosure Attempt"; flow:established,to_server; content:"UNLOCK"; nocase; http_method; content:"Connection|3A| Close"; nocase; content:"Lock-token|3A|"; nocase; reference:url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt; reference:url,doc.emergingthreats.net/2011015; classtype:web-application-attack; sid:2011015; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_jcalpro/cal_popup.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt; reference:url,doc.emergingthreats.net/2011017; classtype:web-application-attack; sid:2011017; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/gallery2/lib/adodb/adodb-error.inc.php?"; nocase; http_uri; content:"ADODB_LANG="; nocase; http_uri; pcre:"/ADODB_LANG\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/10705; reference:url,doc.emergingthreats.net/2011018; classtype:web-application-attack; sid:2011018; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Comtrend ADSL Router srvName parameter XSS attempt"; flow:established,to_server; content:"GET"; http_method; content:"/scvrtsrv.cmd?"; nocase; http_uri; content:"srvName="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,packetstorm.foofus.com/1001-exploits/comtrend-xss.txt; 
reference:url,xforce.iss.net/xforce/xfdb/47765; reference:url,doc.emergingthreats.net/2011019; classtype:web-application-attack; sid:2011019; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011022; classtype:web-application-attack; sid:2011022; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011023; classtype:web-application-attack; sid:2011023; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011024; classtype:web-application-attack; sid:2011024; rev:3;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011025; classtype:web-application-attack; sid:2011025; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_blog&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011026; classtype:web-application-attack; sid:2011026; rev:12;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; content:"GET"; http_method; content:"C|3a|/WINDOWS/system32/calc.exe"; fast_pattern:only; http_header; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:9;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
SCAN Netsparker Default User-Agent"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" Netsparker)|0d 0a|"; http_header; fast_pattern; within:200; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:7;)
# sid 2011030: inbound request whose normalized URI contains "/Netsparker-" (case-sensitive).
# The threshold limits output to one alert per source address per 60 seconds, so a single
# alert can stand for a whole scan; pivot on the source address when triaging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Netsparker Scan in Progress"; flow:to_server,established; content:"/Netsparker-"; http_uri; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011030; classtype:attempted-recon; sid:2011030; rev:5;)
# sid 2011035: URI contains "BULK" and, anywhere after it, "INSERT" (both case-insensitive).
# distance:0 only orders the two matches; there is no separator or word-boundary check and no
# application path, so any URI carrying both substrings in that order alerts.
# NOTE(review): only the URI buffer is inspected; request bodies are not covered by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; content:"BULK"; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:4;)
# sid 2011037: URI contains "SELECT" followed by "VERSION"; distance:1 requires at least one
# byte between the two keywords. Like sid 2011035 it is a generic keyword-pair match with no
# path or parameter context, so expect hits on benign URIs that contain both words.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"VERSION"; nocase; http_uri; distance:1; reference:url,support.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; classtype:web-application-attack; sid:2011037; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; http_uri; content:"VALUES"; nocase; http_uri; pcre:"/INSERT.+VALUES/Ui"; 
reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); reference:url,doc.emergingthreats.net/2011039; classtype:web-application-attack; sid:2011039; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; content:"BENCHMARK("; nocase; http_uri; content:")"; http_uri; pcre:"/BENCHMARK\x28[0-9].+\x29/Ui"; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; reference:url,doc.emergingthreats.net/2011041; classtype:web-application-attack; sid:2011041; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"CONCAT"; nocase; http_uri; pcre:"/SELECT.+CONCAT/Ui"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011044; classtype:web-application-attack; sid:2011044; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; 
uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011045; classtype:web-application-attack; sid:2011045; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011046; classtype:web-application-attack; sid:2011046; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011047; classtype:web-application-attack; sid:2011047; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/content/themes/softsaurus_default/pages/subHeader.php?"; nocase; uricontent:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011051; classtype:web-application-attack; sid:2011051; rev:2;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/content/themes/softsaurus_stretched/pages/subHeader.php?"; nocase; uricontent:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011052; classtype:web-application-attack; sid:2011052; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt"; flow:established,to_server; content:"_invoice.asp"; nocase; http_uri; content:"script>"; nocase; http_uri; pcre:"/(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.coresecurity.com/content/cactushop-xss-persistent-vulnerability; reference:cve,2010-1486; reference:url,doc.emergingthreats.net/2011054; classtype:web-application-attack; sid:2011054; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011057; classtype:web-application-attack; sid:2011057; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; 
reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011058; classtype:web-application-attack; sid:2011058; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011059; classtype:web-application-attack; sid:2011059; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011060; classtype:web-application-attack; sid:2011060; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/jtfwcpnt.jsp?"; nocase; uricontent:"query="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011061; classtype:web-application-attack; sid:2011061; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/velid3/getid3.php?"; nocase; http_uri; content:"determined_format[include]="; nocase; http_uri; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//Ui"; 
reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011062; classtype:web-application-attack; sid:2011062; rev:3;)
# sid 2011063: GET to /velid3/module.archive.gzip.php? where determined_format[include]= is
# followed (after optional whitespace) by an ftp/ftps/http/https/php scheme and ":/", i.e. a
# remote-file-inclusion style value. The pcre is tied to the parameter name.
# NOTE(review): the http_method check restricts coverage to GET; confirm whether the
# application also reads this parameter from other request methods.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/velid3/module.archive.gzip.php?"; nocase; http_uri; content:"determined_format[include]="; nocase; http_uri; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011063; classtype:web-application-attack; sid:2011063; rev:3;)
# sid 2011065: URI contains /cgi/surgeftpmgr.cgi?, cmd=class& and classid=, plus any of the
# script/event-handler/style= keywords anywhere in the URI.
# NOTE(review): the pcre is not anchored to the classid= value, so a keyword in the path or
# in another parameter also satisfies it; the SharePoint rule (sid 2011073) anchors its pcre
# to the parameter and is the tighter pattern. uricontent is the legacy spelling of
# content + http_uri, which the newer rules in this file use.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/cgi/surgeftpmgr.cgi?"; nocase; uricontent:"cmd=class&"; nocase; uricontent:"classid="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/38097; reference:url,packetstormsecurity.org/1001-exploits/surgeftp-xss.txt; reference:url,doc.emergingthreats.net/2011065; classtype:web-application-attack; sid:2011065; rev:2;)
# sid 2011067: GET to /index.php? with option=com_wgpicasa& and controller= in the URI, plus
# the literal "../".
# NOTE(review): the "../" content carries no http_uri modifier, so it is matched against the
# first 200 bytes of the raw payload rather than the normalized URI, and it is not tied to
# the controller= value. It therefore depends on the literal byte sequence appearing early
# in the request; consider matching the traversal in the URI buffer relative to controller=.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_wgpicasa&"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/39467; reference:url,exploit-db.com/exploits/12230; reference:url,doc.emergingthreats.net/2011067; classtype:web-application-attack; sid:2011067; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; uricontent:"postid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011071; classtype:web-application-attack; sid:2011071; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fruspam polling for IP likely infected"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/automation/n09230945.asp"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (X11|3b| U|3b| Linux i686|3b| en-US|3b| rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0|0d 0a|"; http_header; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; reference:url,doc.emergingthreats.net/2011072; classtype:trojan-activity; sid:2011072; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; content:"/_layouts/help.aspx"; nocase; http_uri; content:"cid0="; nocase; http_uri; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; reference:url,doc.emergingthreats.net/2011073; classtype:web-application-attack; sid:2011073; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011077; classtype:web-application-attack; sid:2011077; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011078; classtype:web-application-attack; sid:2011078; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011079; classtype:web-application-attack; sid:2011079; rev:3;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011080; classtype:web-application-attack; sid:2011080; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_gbufacebook&"; nocase; http_uri; content:"face_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011081; classtype:web-application-attack; sid:2011081; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/queuedMessage.do?"; nocase; http_uri; content:"method=getQueueMessages&"; nocase; http_uri; content:"queueMsgType="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011082; classtype:web-application-attack; sid:2011082; rev:3;) alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/queuedMessage.do?"; nocase; http_uri; content:"method=getQueueMessages&"; nocase; http_uri; content:"QtnType="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011083; classtype:web-application-attack; sid:2011083; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Flystud"; flow:to_server,established; content:"loading.html?fn="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&clientid="; nocase; http_uri; content:"channel="; nocase; http_uri; content:"&stn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2011086; classtype:trojan-activity; sid:2011086; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; classtype:trojan-activity; sid:2011087; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND"; http_method; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|>"; fast_pattern:only; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected"; flow:established,to_server; content:"User-Agent|3a| DAV.pm/v"; http_header; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; classtype:attempted-recon; sid:2011089; rev:4;)
# sid 2011090: outbound request whose User-Agent header is exactly "Recuva" (the trailing
# |0d 0a| anchors the end of the header value; the match is case-sensitive).
# NOTE(review): the msg category is POLICY and the reference points at the vendor site, but
# classtype is trojan-activity, which raises the alert priority above what a policy event
# normally gets. Compare sid 2011125 (POLICY, classtype not-suspicious) and confirm which
# severity is intended before routing this to an incident queue.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent Recuva (Recuva)"; flow:to_server,established; content:"User-Agent|3a| Recuva|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011090; reference:url,www.piriform.com/; classtype:trojan-activity; sid:2011090; rev:5;)
# sid 2011091: GET to /WorkOrder.do? with woID= in the URI and SELECT ... FROM somewhere in
# the URI (all case-insensitive).
# NOTE(review): neither the keyword contents nor the pcre are anchored to the woID= value, so
# the keywords may sit in any part of the URI. Coverage is limited to GET and to the URI
# buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011091; classtype:web-application-attack; sid:2011091; rev:3;)
# sid 2011092: same request shape as sid 2011091, keyed on DELETE ... FROM instead of
# SELECT ... FROM; the same anchoring and coverage caveats apply.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011092; classtype:web-application-attack; sid:2011092; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do 
UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011093; classtype:web-application-attack; sid:2011093; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011094; classtype:web-application-attack; sid:2011094; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/WorkOrder.do?"; nocase; http_uri; content:"woID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011095; classtype:web-application-attack; sid:2011095; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/datumscalc.php?"; nocase; http_uri; content:"kal_class_path="; nocase; http_uri; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//Ui"; 
reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011096; classtype:web-application-attack; sid:2011096; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/monatsblatt.php?"; nocase; http_uri; content:"kal_class_path="; nocase; http_uri; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011097; classtype:web-application-attack; sid:2011097; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/last_gallery.php?"; nocase; uricontent:"YAPIG_PATH="; nocase; pcre:"/YAPIG_PATH=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/11708; reference:url,doc.emergingthreats.net/2011098; classtype:web-application-attack; sid:2011098; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/modules/dfss/lgsl/lgsl_players.php?"; nocase; http_uri; content:"lgsl_path="; nocase; http_uri; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011099; classtype:web-application-attack; sid:2011099; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/modules/dfss/lgsl/lgsl_settings.php?"; nocase; http_uri; content:"lgsl_path="; nocase; http_uri; 
pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011100; classtype:web-application-attack; sid:2011100; rev:3;)
# sid 2011101: outbound request with a User-Agent header beginning "OpenPage"
# (case-sensitive). There is no trailing |0d 0a|, so this is a prefix match and any longer
# agent string starting with "OpenPage" also alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:trojan-activity; sid:2011101; rev:5;)
# sid 2011104: outbound GET that has no "Referer: " header and whose URI ends with
# /<alnum name>.<2-4 alnum chars>/oH<60 or more alnum chars>.
# NOTE(review): the "/oH" content is case-sensitive while the pcre carries the i flag, so the
# effective match is case-sensitive on "/oH" and case-insensitive elsewhere; confirm that is
# intended. "/oH" is also a three-byte fast_pattern, which presumably sends many unrelated
# requests to the pcre - profile the rule on busy sensors.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Exploit kit attack activity likely hostile"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/oH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/oH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011104; classtype:trojan-activity; sid:2011104; rev:9;)
# sid 2011105: outbound User-Agent beginning "i-scan" (case-insensitive prefix match).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:trojan-activity; sid:2011105; rev:4;)
# sid 2011106: outbound User-Agent beginning "lineguide" (case-insensitive prefix match).
# User-Agent-only rules like this one identify the client software, not an infection by
# themselves; corroborate with destination and host telemetry before escalating.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (lineguide)"; flow:to_server,established; content:"User-Agent|3a| lineguide"; nocase; http_header; reference:url,doc.emergingthreats.net/2011106; classtype:trojan-activity; sid:2011106; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt"; flow:established,to_server; uricontent:"/wp-content/plugins/wp-cumulus/tagcloud.swf"; nocase; uricontent:"mode=tags"; nocase; uricontent:"tagcloud="; nocase; 
pcre:"/tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,doc.emergingthreats.net/2011107; classtype:web-application-attack; sid:2011107; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011108; classtype:web-application-attack; sid:2011108; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011109; classtype:web-application-attack; sid:2011109; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011110; classtype:web-application-attack; sid:2011110; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire 
Jabber-Server type Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011111; classtype:web-application-attack; sid:2011111; rev:2;)
# sid 2011112: request to destination port 9090 whose raw payload starts with "GET ", has the
# sipark-log-summary.jsp? path within the next 100 bytes and type= within 50 bytes after
# that, and contains UPDATE and SET anywhere in the payload.
# NOTE(review): the content matches run on the raw payload while the pcre uses the U
# (normalized URI) modifier, which presumably needs port 9090 in the HTTP preprocessor's
# port list to have a URI buffer to inspect - verify the sensor configuration, otherwise the
# rule may never fire. The fixed port also means an instance on another port is not covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 9090 (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011112; classtype:web-application-attack; sid:2011112; rev:2;)
# sid 2011113: GET to /crystalreportviewers/crystalimagehandler.aspx? with dynamicimage= in
# the URI, plus the literal "../".
# NOTE(review): as in sid 2011067, the "../" content has no http_uri modifier; it is matched
# in the first 200 bytes of the raw payload and is not tied to the dynamicimage= value, so
# it does not use the normalized URI that the other conditions rely on.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Business Objects Crystal Reports Web Form Viewer Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/crystalreportviewers/crystalimagehandler.aspx?"; nocase; http_uri; content:"dynamicimage="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/11803/; reference:bugtraq,10260; reference:url,doc.emergingthreats.net/2011113; classtype:web-application-attack; sid:2011113; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/Aris/wflogin.jsp?"; nocase; http_uri; content:"errmsg="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,38441; 
reference:url,secunia.com/advisories/38793; reference:url,doc.emergingthreats.net/2011114; classtype:web-application-attack; sid:2011114; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/frontend/x3/files/fileop.html?"; nocase; uricontent:"fileop="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,37394; reference:url,vupen.com/english/advisories/2009/3608; reference:url,doc.emergingthreats.net/2011115; classtype:web-application-attack; sid:2011115; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/core/includes/gfw_smarty.php?"; nocase; http_uri; content:"config[gfwroot]="; nocase; http_uri; pcre:"/config\[gfwroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12488; reference:bugtraq,39890; reference:url,doc.emergingthreats.net/2011116; classtype:web-application-attack; sid:2011116; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/user/User_ChkLogin.asp?"; nocase; uricontent:"ComeUrl="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39696; reference:url,secunia.com/advisories/39627; reference:url,doc.emergingthreats.net/2011117; classtype:web-application-attack; sid:2011117; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save|0d 
0a|"; http_header; reference:url,poweredbysave.com; classtype:trojan-activity; sid:2011120; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Phoenix Exploit Kit Facebook phishing page payload could be ZeuS"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LoginFacebook.php"; http_uri; pcre:"/\/[a-z]{2}[0-9]{3}[a-z]{2}\/LoginFacebook\.php$/U"; reference:url,malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html; reference:url,doc.emergingthreats.net/2011121; classtype:trojan-activity; sid:2011121; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function"; flow:established,to_server; content:"REVERSE"; fast_pattern:only; nocase; http_uri; pcre:"/[^\w]REVERSE[^\w]?\(/Ui"; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; reference:url,doc.emergingthreats.net/2011122; classtype:web-application-attack; sid:2011122; rev:4;) alert tcp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; flowbits:isnotset,ET.pdf.in.http; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Maxthon Browser Background Agent UA (MxAgent)"; flow:to_server,established; content:"User-Agent|3a| MxAgent"; nocase; http_header; reference:url,doc.emergingthreats.net/2011125; classtype:not-suspicious; sid:2011125; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; content:"User-Agent|3a| |5f|InTeRNeT"; http_header; reference:url,doc.emergingthreats.net/2011127; classtype:trojan-activity; sid:2011127; rev:7;) alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eleonore Exploit Pack activity variant May 2010"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\?spl=MS[0-9]{2}-[0-9]{3}$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2011128; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11845; reference:url,doc.emergingthreats.net/2011131; classtype:web-application-attack; sid:2011131; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/administrator/components/com_universal/includes/config/config.html.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/11865; reference:bugtraq,38949; reference:url,doc.emergingthreats.net/2011132; classtype:web-application-attack; sid:2011132; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; 
reference:url,doc.emergingthreats.net/2011133; classtype:web-application-attack; sid:2011133; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011134; classtype:web-application-attack; sid:2011134; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011135; classtype:web-application-attack; sid:2011135; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011136; classtype:web-application-attack; sid:2011136; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; 
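depth:4; uricontent:"/links.php?"; nocase; uricontent:"op=viewslink&"; nocase; uricontent:"sid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011137; classtype:web-application-attack; sid:2011137; rev:2;)
# The line above is the tail of the PHP-Nuke viewslink UPDATE SET rule (sid 2011137),
# whose header sits on the previous physical line of this copy.
#
# Disabled: the text below is not a loadable rule. The XAMPP showcode.php rule, the
# XAMPP xamppsecurity.php rule and the JE Ajax Event Calendar rule (sid 2011140) are
# fused together: each pcre breaks off after "alert|" and the text resumes inside the
# next rule header, apparently because everything from a "<" to the ">" of the
# following "->" was stripped when this page was captured. Restore all three from the
# upstream ruleset before enabling; the lost options and sids cannot be rebuilt from
# this copy. The msg text (including "xamppsecurity.phpp") is kept verbatim.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XAMPP showcode.php TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"/xampp/showcode.php?"; nocase; uricontent:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert| $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS XAMPP xamppsecurity.phpp TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; uricontent:"/xampp/xamppsecurity.php?"; nocase; uricontent:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert| $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jeajaxeventcalendar&"; nocase; http_uri; content:"view="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/12598; reference:url,doc.emergingthreats.net/2011140; classtype:web-application-attack; sid:2011140; rev:3;)
# Recon: request for the PHP "easter egg" query string that returns the phpinfo credits page.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)"; flow:to_server,established; content:"?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011141; classtype:attempted-recon; sid:2011141; rev:4;)
# The header below belongs to the next rule; its option list continues on the following physical line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 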
(msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; content:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011142; classtype:attempted-recon; sid:2011142; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; content:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011143; classtype:attempted-recon; sid:2011143; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; content:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; fast_pattern:only; http_uri; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011144; classtype:attempted-recon; sid:2011144; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; content:"/imc/login.jsf"; nocase; http_uri; content:"loginForm"; nocase; http_uri; content:"javax.faces.ViewState="; nocase; http_uri; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; 
reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; reference:url,doc.emergingthreats.net/2011145; classtype:web-application-attack; sid:2011145; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; content:"User-Agent|3a| Download Master"; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:policy-violation; sid:2011146; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Malware Download Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/GR_OLD_CR.EXE"; nocase; http_uri; reference:url,www.prevx.com/filenames/X22210989379038527-X1/GR_OLD_CR.EXE.html; reference:url,doc.emergingthreats.net/2011148; classtype:trojan-activity; sid:2011148; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (webcount)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| webcount"; http_header; reference:url,doc.emergingthreats.net/2011149; classtype:trojan-activity; sid:2011149; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt"; flow:established,to_server; content:"/verify/asp/n6plugindestructor.asp?"; nocase; http_uri; content:"backurl="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39999; reference:url,juniper.net/security/auto/vulnerabilities/vuln39999.html; reference:url,doc.emergingthreats.net/2011152; classtype:web-application-attack; sid:2011152; rev:3;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/WorkArea/reterror.aspx?"; nocase; http_uri; content:"info="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011153; classtype:web-application-attack; sid:2011153; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/workarea/medialist.aspx?"; nocase; http_uri; content:"selectids="; nocase; http_uri; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011154; classtype:web-application-attack; sid:2011154; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/roleManager.jsp?"; nocase; uricontent:"type=query&"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011155; classtype:web-application-attack; sid:2011155; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; 
uricontent:"/roleManager.jsp?"; nocase; uricontent:"type=query&"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011156; classtype:web-application-attack; sid:2011156; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/roleManager.jsp?"; nocase; uricontent:"type=query&"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011157; classtype:web-application-attack; sid:2011157; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/roleManager.jsp?"; nocase; http_uri; content:"type=query&"; http_uri; nocase; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011158; classtype:web-application-attack; sid:2011158; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/roleManager.jsp?"; nocase; http_uri; content:"type=query&"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011159; 
classtype:web-application-attack; sid:2011159; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/includes/hnmain.inc.php3?"; nocase; http_uri; content:"config[incdir]="; nocase; http_uri; pcre:"/config\[incdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/11731; reference:url,exploit-db.com/exploits/12160; reference:url,doc.emergingthreats.net/2011161; classtype:web-application-attack; sid:2011161; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern:only; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/page/pageDescriptionObject.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011164; reference:cve,2010-1922; classtype:web-application-attack; sid:2011164; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/layout/layoutHeaderFuncs.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; 
reference:url,doc.emergingthreats.net/2011165; classtype:web-application-attack; sid:2011165; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/layout/layoutParser.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011167; classtype:web-application-attack; sid:2011167; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011168; classtype:web-application-attack; sid:2011168; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011169; classtype:web-application-attack; sid:2011169; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UNION SELECT SQL Injection Attempt"; 
flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011170; classtype:web-application-attack; sid:2011170; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011171; classtype:web-application-attack; sid:2011171; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/friend.php?"; nocase; uricontent:"op=FriendSend&"; nocase; uricontent:"sid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011172; classtype:web-application-attack; sid:2011172; rev:2;) alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; file_data; content:"hcp|3a|//"; fast_pattern; nocase; distance:0; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; 
pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:13;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; content:"User-Agent|3a| czxt2s|0d 0a|"; fast_pattern:only; nocase; http_header; reference:url,doc.emergingthreats.net/2011174; classtype:web-application-attack; sid:2011174; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; content:"User-Agent|3a| Casper Bot Search|0D 0A|"; fast_pattern:only; nocase; http_header; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; sid:2011175; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Checkin - MSCommonInfoEx"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/MSCommonInfoEx.php"; http_uri; reference:url,doc.emergingthreats.net/2011179; classtype:trojan-activity; sid:2011179; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Phoenix Exploit Kit VBscript download"; flow:established,to_client; content:"Createobject(StrReverse("; nocase; content:"|22|tcejbOmetsySeliF.gnitpircS|22|))"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,doc.emergingthreats.net/2011184; classtype:trojan-activity; sid:2011184; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nine Ball Infection ya.ru Post"; flow:established,to_server; content:"POST /"; nocase; depth:6; content:"/gate/"; http_uri; content:".php"; http_uri; content:"|0d 0a 0d 0a|"; content:"ya.ru/"; fast_pattern; distance:67; within:6; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011186; 
classtype:trojan-activity; sid:2011186; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nine Ball User-Agent Detected (NQX315)"; flow:established,to_server; content:"User-Agent|3a| NQX315|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011188; classtype:trojan-activity; sid:2011188; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/cindefn.php"; nocase; http_uri; content:"INDEX="; nocase; http_uri; pcre:"/INDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011190; classtype:web-application-attack; sid:2011190; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/power_management_policy_options.php"; nocase; http_uri; content:"domain="; nocase; http_uri; pcre:"/domain\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011191; classtype:web-application-attack; sid:2011191; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/pm_temp.php"; nocase; http_uri; content:"view="; nocase; http_uri; content:"mod_type="; nocase; http_uri; content:"slot="; nocase; http_uri; 
pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011192; classtype:web-application-attack; sid:2011192; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/power_module.php"; nocase; http_uri; content:"view="; nocase; http_uri; content:"mod_type="; nocase; http_uri; content:"slot="; nocase; http_uri; pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011193; classtype:web-application-attack; sid:2011193; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/blade_leds.php"; nocase; http_uri; content:"WEBINDEX="; nocase; http_uri; pcre:"/WEBINDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011194; classtype:web-application-attack; sid:2011194; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/private/ipmi_bladestatus.php"; nocase; http_uri; content:"SLOT="; nocase; http_uri; 
pcre:"/SLOT\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011195; classtype:web-application-attack; sid:2011195; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid ICount Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"ICount="; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-085/; reference:cve,2010-1554; reference:url,doc.emergingthreats.net/2011196; classtype:web-application-attack; sid:2011196; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid MaxAge Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"MaxAge="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-084/; reference:cve,2010-1553; reference:url,doc.emergingthreats.net/2011197; classtype:web-application-attack; sid:2011197; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid Hostname Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"Hostname="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-086/; reference:cve,2010-1555; reference:url,doc.emergingthreats.net/2011198; classtype:web-application-attack; 
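sid:2011198; rev:3;)
# The line above closes the HP OpenView getnnmdata.exe Hostname rule that starts on
# the previous physical line of this copy.
#
# Outbound MSSQL (tcp/1433) traffic carrying the UTF-16LE string "TBL_AVISOSVB".
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET TROJAN Outbound AVISOSVB MSSQL Request"; flow:established,to_server; content:"|54 00 42 00 4c 00 5f 00 41 00 56 00 49 00 53 00 4f 00 53 00 56 00 42 00|"; reference:url,www.threatexpert.com/report.aspx?md5=1f5b6d6d94cc6272c937045e22e6d192; reference:url,doc.emergingthreats.net/2011199; classtype:trojan-activity; sid:2011199; rev:2;)
# Disabled: the text below is not a loadable rule. Seven AVTECH ActiveX rules are fused
# into one: every content:" that opened an HTML-tag pattern breaks off at the quote and
# the text resumes inside the next rule header, apparently because everything from a
# "<" to the ">" of the following "->" was stripped when this page was captured. Only
# the last rule's options (sid 2011206) survive intact, and its header is lost. Restore
# all seven from the upstream ruleset before enabling. The msg text (including
# "Buffer Oveflow") is kept verbatim because alert text may be matched downstream.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/iR"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:7;)
# Disabled for the same reason: the SaschArt SasCam "Head Method" rule is fused with the
# "Function Call" rule (sid 2011208) at a truncated content:" pattern.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Head Method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3;)
# Remote file inclusion probe: cs_base_path set to an ftp/http/php scheme URL.
# The cve reference is written without the "CVE-" prefix so that it matches the form
# used by the other cve references in this file (for example cve,2010-1922).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/admin/device_admin.php?"; nocase; uricontent:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,2010-2145; reference:url,doc.emergingthreats.net/2011209; classtype:web-application-attack; sid:2011209; rev:2;)
# Remote file inclusion probe: pathForArdeaCore set to an ftp/http/php scheme URL.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaInit.php?"; nocase; http_uri; content:"pathForArdeaCore="; nocase; http_uri; pcre:"/pathForArdeaCore=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,40811; reference:url,vupen.com/english/advisories/2010/1444; reference:url,exploit-db.com/exploits/13832/; reference:url,doc.emergingthreats.net/2011214; classtype:web-application-attack; sid:2011214; rev:3;)
# The rule below (Campsite article_id SELECT FROM) continues on the following physical line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; 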
content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011215; classtype:web-application-attack; sid:2011215; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011216; classtype:web-application-attack; sid:2011216; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011217; classtype:web-application-attack; sid:2011217; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011218; classtype:web-application-attack; sid:2011218; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Campsite 
article_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/campsiteattachment/attachments.php?"; nocase; http_uri; content:"article_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011219; classtype:web-application-attack; sid:2011219; rev:3;)
# Outbound HTTP GET whose headers contain "User-Agent: AskInstall" (matched case-insensitively, prefix only).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| AskInstall"; nocase; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:policy-violation; sid:2011225; rev:5;)
# Outbound request whose URI contains /seversion.txt and whose User-Agent begins "SeFastSetup".
# NOTE(review): the doc reference below points at 2011225, which is the AskInstallChecker rule above,
# while this rule's sid is 2011226. Every other doc.emergingthreats.net reference on this line matches
# its own sid, so this looks like a copy-paste slip; confirm against upstream before relying on the
# link during triage.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogou Toolbar Checkin"; flow:to_server,established; content:"/seversion.txt"; http_uri; content:"User-Agent|3a| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:3;)
# User-Agent "NSIS_Inetc (Mozilla)". The msg labels this ET POLICY ("sometimes used by hostile
# installers") but the classtype is trojan-activity, so alert priority follows trojan-activity in
# whatever classification.config is deployed; expect benign installer traffic to fire this as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers"; flow:to_server,established; content:"User-Agent|3a| NSIS|5f|Inetc |28|Mozilla|29|"; http_header; reference:url,doc.emergingthreats.net/2011227; classtype:trojan-activity; sid:2011227; rev:3;)
# GET request whose User-Agent header is exactly "Suggestion" (the match includes the terminating CRLF).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:trojan-activity; sid:2011229; rev:5;)
# User-Agent header exactly "eChanblard" (CRLF-terminated); the rule's classtype, sid and rev continue on the next line of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P p2p Related User-Agent (eChanblard)"; flow:to_server,established; content:"User-Agent|3a| eChanblard|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011232; 
classtype:trojan-activity; sid:2011232; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cosmu Process Dump Report"; flow:established,to_server; content:"] Dumping processes {|0d 0a|"; reference:url,doc.emergingthreats.net/2011234; classtype:trojan-activity; sid:2011234; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader Win32.Genome.avan"; flow:to_server,established; content:"mac="; http_uri; content:"&hdid="; http_uri; content:"&wlid="; http_uri; fast_pattern:only; content:"&start="; http_uri; content:"&os="; http_uri; content:"&mem="; http_uri; content:"&alive="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2011236; classtype:trojan-activity; sid:2011236; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|SP3 WINLD|29 0d 0a|"; http_header; fast_pattern:23,14; reference:url,doc.emergingthreats.net/2011238; classtype:trojan-activity; sid:2011238; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET"; http_method; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; 
reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like planetwork)"; flow:established,to_server; content:"User-Agent|3a| plaNETWORK Bot Search"; fast_pattern:only; nocase; http_header; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011243; classtype:web-application-attack; sid:2011243; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; fast_pattern:only; nocase; http_header; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:8;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; file_data; content:"%PDF-"; depth:300; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicious PDF Containing StrReverse"; 
flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"StrReverse|28|"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011246; classtype:bad-unknown; sid:2011246; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; content:"User-Agent|3a| Forthgoer"; http_header; reference:url,doc.emergingthreats.net/2011247; classtype:trojan-activity; sid:2011247; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| XieHongWei"; http_header; reference:url,doc.emergingthreats.net/2011248; classtype:trojan-activity; sid:2011248; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/addons/version/pages/index.inc.php?"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011254; classtype:web-application-attack; sid:2011254; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/pages/specials.inc.php?"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011255; classtype:web-application-attack; sid:2011255; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/firestats/php/window-add-excluded-ip.php?"; nocase; http_uri; content:"edit="; nocase; http_uri; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011256; classtype:web-application-attack; sid:2011256; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/firestats/php/window-add-excluded-url.php?"; nocase; http_uri; content:"edit="; nocase; http_uri; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011257; classtype:web-application-attack; sid:2011257; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/firestats/php/window-new-edit-site.php?"; nocase; http_uri; content:"site_id="; nocase; http_uri; pcre:"/site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011258; 
classtype:web-application-attack; sid:2011258; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/includes/file_manager/special.php?"; nocase; http_uri; content:"fm_includes_special="; nocase; http_uri; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.exploit-db.com/exploits/9350/; reference:url,vupen.com/english/advisories/2009/2136; reference:url,doc.emergingthreats.net/2011259; classtype:web-application-attack; sid:2011259; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011262; classtype:web-application-attack; sid:2011262; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011263; classtype:web-application-attack; sid:2011263; rev:3;) alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011264; classtype:web-application-attack; sid:2011264; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011265; classtype:web-application-attack; sid:2011265; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011266; classtype:web-application-attack; sid:2011266; rev:3;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/faces/jsf/tips.jsp?"; nocase; uricontent:"context="; nocase; pcre:"/context\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/14369/; reference:url,secunia.com/advisories/40605; reference:url,doc.emergingthreats.net/2011268; classtype:web-application-attack; sid:2011268; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET TROJAN Downloader.Win32.Small CnC Beacon"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"User-Agent|3a| MSDN SurfBear|0d 0a|"; reference:url,doc.emergingthreats.net/2011269; classtype:trojan-activity; sid:2011269; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (CustomSpy)"; flow:to_server,established; content:"User-Agent|3a| |28|CustomSpy|29 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011271; classtype:trojan-activity; sid:2011271; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Chekafe.A or Related Infection Checkin"; flow:established,to_server; content:"isInst="; http_uri; content:"lockcode="; http_uri; content:"PcType="; http_uri; content:"AvName="; http_uri; content:"ProCount="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32/Chekafe.A; reference:url,doc.emergingthreats.net/2011272; classtype:trojan-activity; sid:2011272; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/libraries/lib-remotehost.inc.php?"; nocase; uricontent:"phpAds_geoPlugin="; nocase; 
pcre:"/phpAds_geoPlugin=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14432/; reference:url,inj3ct0r.com/exploits/13426; reference:url,doc.emergingthreats.net/2011274; classtype:web-application-attack; sid:2011274; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (InfoBot)"; flow:to_server,established; content:"User-Agent|3a| InfoBot"; http_header; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"in.php?affid="; http_uri; content:"&url="; http_uri; content:"&win="; http_uri; content:"&sts="; http_uri; reference:url,doc.emergingthreats.net/2011277; classtype:trojan-activity; sid:2011277; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Cosmu.xet CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"GoGo.ashx?Mac="; http_uri; content:"&UserId="; http_uri; content:"&Bate="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=f39554f3afe92dca3597efc1f7709ad4; classtype:trojan-activity; sid:2011278; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (browserbob.com)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made with www.browserbob.com|29|"; fast_pattern:68,20; http_header; classtype:trojan-activity; sid:2011279; rev:3;) alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Phoenix Exploit Kit - Admin Login Page Detected Outbound"; flow:established,to_client; content:"Phoenix Exploit's Kit - Log In"; classtype:bad-unknown; sid:2011280; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT phoenix exploit kit - admin login page detected"; 
flow:established,to_client; content:"Phoenix Exploit's Kit - Log In"; file_data; classtype:bad-unknown; sid:2011281; rev:2;)
# NOTE(review): in the rule tail above (sid:2011281) file_data comes AFTER the content it is meant to
# scope. file_data moves the detection cursor for the options that follow it, so this content is
# presumably evaluated against the raw stream rather than the decoded response body; confirm on the
# deployed engine. A compressed or chunked login page would then be missed.

# User-Agent header beginning "ScrapeBox"; the leading CRLF in the content anchors it to the start of a header line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent (ScrapeBox)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| ScrapeBox"; http_header; classtype:trojan-activity; sid:2011282; rev:2;)
# Exact User-Agent "Mozilla/3.0 (compatible; TALWinInetHTTPClient)"; fast_pattern:17,20 selects a 20-byte slice starting at offset 17 for the prefilter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (TALWinInetHTTPClient)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"; fast_pattern:17,20; http_header; classtype:trojan-activity; sid:2011283; rev:3;)
# Inbound scanner identified only by its User-Agent ("Jcomers Bot scan", case-insensitive).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; content:"User-Agent|3a| Jcomers Bot scan"; fast_pattern:only; nocase; http_header; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011285; rev:6;)
# Inbound scanner identified only by a User-Agent beginning "MaMa " (case-insensitive, trailing space included).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"User-Agent|3a| MaMa "; fast_pattern:only; nocase; http_header; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:6;)
# Response half of the Gootkit credential fetch: fires only on flows where sid:2011290 (below) has
# already set the ET.GOOTKIT flowbit.
# NOTE(review): three of the four content strings are empty. An empty content is not a usable match and
# rule parsers typically refuse it; the original strings were presumably angle-bracket tags stripped
# during extraction. Restore this rule from a clean copy of the rule set; as printed, only
# content:"21" would constrain the response.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:""; nocase; content:""; nocase; distance:0; content:""; nocase; distance:0; content:"21"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:2;)
# Local web server returning a page containing the string "Gootkit iframer component" (raw payload match, case-insensitive).
# NOTE(review): the doc reference points at 2011285 (the Jcomers scan rule above) while the sid is 2011289; likely a copy-paste slip, confirm against upstream.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:2;)
# Request half of the Gootkit credential fetch: a local web server issuing a GET for a URI containing
# "/ftp" with a WinHttp.WinHttpRequest User-Agent, excluding headers that mention www.trendmicro.com.
# Sets ET.GOOTKIT for sid:2011287 and, having no flowbits:noalert, also alerts by itself.
# NOTE(review): the doc reference points at 2011286 (the MaMa scan rule above) while the sid is 2011290; confirm against upstream.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ftp"; http_uri; nocase; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest"; http_header; nocase; content:!"www.trendmicro.com"; http_header; flowbits:set,ET.GOOTKIT; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:7;)
# User-Agent header beginning "GabPath".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:trojan-activity; sid:2011293; rev:4;)
# GET to update.php carrying the do/coid/IP/fff/lct/ttt parameter set in the URI.
# NOTE(review): the last content, "&v=", has no http_uri modifier although every sibling content does,
# so it is matched against the raw payload instead of the normalized URI. It probably still matches
# an unencoded request, but it looks like an omission; confirm against upstream.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.FraudPack.aweo"; flow:established,to_server; content:"GET"; http_method; content:"update.php?do="; http_uri; content:"&coid="; http_uri; content:"&IP="; http_uri; content:"&fff="; http_uri; content:"&lct="; http_uri; content:"&ttt="; http_uri; content:"&v="; reference:url,www.threatexpert.com/report.aspx?md5=4bc4c32a8d93c29b026bbfb24ccecd14; classtype:trojan-activity; sid:2011294; rev:2;)
# User-Agent header beginning "KRMAK", from a client source port of 1024 or above; the rule's sid and rev continue on the next line of the file.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:trojan-activity; 
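sid:2011297; rev:2;)
# Outbound request whose URI contains the fixed string /index.php?data=66a96e28 (case-insensitive), from a source port of 1024 or above.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stuxnet index.php"; flow:to_server,established; content:"/index.php?data=66a96e28"; http_uri; nocase; reference:url,research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html; classtype:trojan-activity; sid:2011300; rev:2;)
# GET for the HideMyIP auto-update file; policy visibility for anonymizer software in use.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/auto_update/HideMyIP/update.dat"; http_uri; nocase; classtype:policy-violation; sid:2011311; rev:4;)
# POST with a Host header naming hide-my-ip.com (within 20 bytes of "Host:") plus the cmd/ver/hcode/product/year/xhcode
# parameter names. Apart from the method, all contents are matched on the raw payload, with no ordering between the parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:4;)
# GET to /OvCgi/webappmon.exe with ins=nowait and cache= in the URI, followed by "OvJavaLocale=" and at least
# 1000 more bytes with no line feed among them, i.e. an over-long cookie value.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; http_uri; nocase; content:"cache="; http_uri; nocase; content:"OvJavaLocale="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:6;)
# PDF response containing a /Launch name written with #xx hex escapes (for example #4C for "L") and a later
# /Win ... .exe target. The (?!Launch) lookahead and content:!"Launch" leave the plain spelling to other rules.
# FIX(review): the fourth group of the pcre read (n#6E), with no alternation bar, so it demanded the literal
# text "n#6E" and the rule could not match any encoding of "Launch". It now reads (n|#6E), in line with the
# other five letter groups. This is a local correction under the upstream sid and rev, so reconcile it on
# the next rule-set update.
# NOTE(review): the hex escapes are matched with upper-case digits only (#4C, #6E) and the pcre has no /i
# flag, so lower-case hex digits would not match; worth confirming whether that is intended.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation"; flow:to_client,established; file_data; content:"PDF-"; within:4; content:"/"; distance:0; content:!"Launch"; within:6; content:"#"; within:16; content:".exe"; nocase; distance:0; pcre:"/\x2F(?!Launch)(L|#4C)(a|#61)(u|#75)(n|#6E)(c|#63)(h|#68).+\x2F(W|#57)(i|#69)(n|#6E).+\x2Eexe/sm"; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011329; rev:5;)
# User-Agent header that is a Windows file path, C:\WINDOWS\system32\NetLogom.exe (note "NetLogom", not "NetLogon").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; content:"User-Agent|3a| C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; http_header; classtype:bad-unknown; sid:2011334; rev:5;)
# URI ending in ?<5+ lower-case hex chars>=<digits>&id=<digits>&v=<digits>. The pcre's $ anchor means nothing may follow the v value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Keatep.B Checkin"; flow:established,to_server; content:"&id="; nocase; http_uri; content:"&v="; http_uri; fast_pattern; pcre:"/\?[0-9a-f]{5,}=\d+&id=\d+&v=\d+$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Keatep.B; reference:md5,239aacf49bb6381fd71841fda4d4ee58; classtype:trojan-activity; sid:2011336; rev:6;)
# URI ending in /?rnd=<digits>&id=<digits>; the rule's remaining references, classtype and sid continue on the next line of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sality Variant Downloader Activity (2)"; flow:established,to_server; content:"/?rnd="; http_uri; nocase; content:"&id="; http_uri; pcre:"/\/\?rnd=\d+&id=\d+$/U"; reference:url,www.threatexpert.com/report.aspx?md5=76cf08503cdd036850bcc4f29f64022f; 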
reference:url,www.threatexpert.com/report.aspx?md5=579f2e29434218d62d31625d369cbc42; classtype:trojan-activity; sid:2011337; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sality Variant Downloader Activity (3)"; flow:established,to_server; content:"/?id"; nocase; http_uri; content:"&rnd="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Windows NT"; http_header; pcre:"/\/\?id(\d+)?&rnd=\d+$/U"; reference:url,www.threatexpert.com/report.aspx?md5=438bcb3c4a304b65419674ce8775d8a3; classtype:trojan-activity; sid:2011338; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"nvidia.com|0d 0a|"; http_header; content:!"dc.services.visualstudio.com|0d 0a|"; http_header; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; http_client_body; content:!".avg.com|0d 0a|"; http_header; content:!"bitdefender.net|0d 0a|"; http_header; content:!"svc.iolo.com|0d 0a|"; http_header; content:!".lavasoft.com"; http_header; classtype:trojan-activity; sid:2011341; rev:12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System"; flow: to_client,established; file_data; content:"Initializing Virus Protection System..."; distance:0; classtype:bad-unknown; sid:2011343; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV SetupSecure Download Attempt SetupSecure"; flow:established,to_server; content:"/download/SetupSecure_"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=virus-scanner-6.com; classtype:trojan-activity; sid:2011357; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; 
flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/wizards/common/_logintowizard.cfm"; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011358; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/archives/index.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011359; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/entman/index.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/enter.cfm"; 
nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011362; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; content:"POST"; http_method; nocase; content:"[System Process]|0a|"; http_client_body; depth:17; classtype:trojan-activity; sid:2011364; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host checkin"; flow:established,to_server; content:"/search"; http_uri; depth:7; content:"?fr=altavista&itag="; depth:28; http_uri; content:"&kls="; http_uri; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2011365; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stupid Stealer C&C Communication (1)"; flow:established,to_server; content:"cmd=give&pcname="; nocase; http_uri; content:"&status="; http_uri; nocase; pcre:"/cmd=give&pcname=.+&status=\d+$/U"; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:trojan-activity; sid:2011370; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stupid Stealer C&C Communication (2)"; flow:established,to_server; content:"action=add"; nocase; http_uri; content:"&status="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&pcname="; http_uri; nocase; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:trojan-activity; sid:2011371; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow: 
to_server,established; content:".co.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011374; rev:5;)
# Policy rule: an HTTP header line ending in ".cz.cc" (pattern is followed by CRLF); not limited to the Host header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.cz.cc domain"; flow: to_server,established; content:".cz.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011375; rev:5;)
# Remote file inclusion attempt: GET for /com_del.php? where class_path= is followed by an ftp(s)/http(s)/php scheme.
# Uses the older "GET " depth:4 + uricontent style rather than http_method/http_uri.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/com_del.php?"; nocase; uricontent:"class_path="; nocase; pcre:"/class_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/13665; classtype:web-application-attack; sid:2011377; rev:1;)
# SQL injection family for /refund_request.php?orderid= : this rule looks for SELECT ... FROM in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011378; rev:2;)
# Same family: UNION ... SELECT in the normalized URI. Only GET requests are covered by these rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; http_uri; nocase; content:"orderid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011380; rev:2;)
# Same family: INSERT ... INTO in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; 
http_uri; content:"orderid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011381; rev:3;)
# iScripts MultiCart /refund_request.php?orderid= : UPDATE ... SET in the normalized URI of a GET request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011382; rev:3;)
# Reflected XSS attempt: url= parameter of css_optimiser.php followed by "script", an on* event-handler name, or "style=".
# The keyword list is broad (e.g. plain "script"), so benign URLs passed in url= can also match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/csstidy/css_optimiser.php?"; nocase; http_uri; content:"url="; nocase; http_uri; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/40515/; reference:url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html; classtype:web-application-attack; sid:2011383; rev:3;)
# Remote file inclusion attempt: fm_includes_special= followed by an ftp(s)/http(s)/php scheme, GET only.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/includes/file_manager/special.php?"; nocase; http_uri; content:"fm_includes_special="; http_uri; nocase; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/5609; reference:url,vupen.com/english/advisories/2009/2136; classtype:web-application-attack; sid:2011384; rev:3;)
# Local file inclusion attempt against the Joomla com_noticeboard component: controller= present and "../" within the first 200 raw payload bytes.
# The "../" match is not tied to the controller= value; it only has to occur in that window.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller 
Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_noticeboard"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/12427; classtype:web-application-attack; sid:2011385; rev:3;)
# Check-in: URI contains /indux.php?U= and an "@", with a fixed Referer of http://www.google.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN indux.php check-in"; flow:established,to_server; content:"/indux.php?U="; nocase; http_uri; fast_pattern:only; content:"@"; http_uri; content:"Referer|3a| http|3a|//www.google.com|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2011387; rev:3;)
# Source is $HTTP_SERVERS going outbound: a local web server fetching the w3af remote-file-include test page, which suggests the server followed an attacker-supplied include URL.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; content:"/w3af/remoteFileInclude.html"; http_uri; nocase; content:"Host|3A| w3af.sourceforge.net"; http_header; nocase; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:3;)
# Same outbound-from-server pattern for the Nikto include test file /rfiinc.txt on cirt.net.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Nikto Scan Remote File Include Retrieval"; flow:established,to_server; content:"/rfiinc.txt"; http_uri; content:"Host|3A| cirt.net"; http_header; nocase; reference:url,cirt.net/nikto2; classtype:web-application-activity; sid:2011390; rev:2;)
# Outbound POST whose body starts with "command=" (matched right after the blank line ending the headers) with "&result=" within the next 12 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a 0d 0a|command="; fast_pattern; content:"&result="; within:12; classtype:trojan-activity; sid:2011391; rev:6;)
# User-Agent indicator: header value beginning "http-get-demo" (case-sensitive, no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| http-get-demo"; http_header; classtype:trojan-activity; sid:2011392; rev:2;)
# User-Agent indicator: the literal string "Microsoft Internet Explorer 6.0" used as the whole agent prefix (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Microsoft Internet Explorer 
6.0) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer 6.0"; http_header; classtype:trojan-activity; sid:2011393; rev:2;)
# Reporting request: URI contains getkys.kys and a hostname= parameter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN wisp backdoor detected reporting"; flow:established,to_server; content:"getkys.kys"; nocase; http_uri; content:"hostname="; nocase; http_uri; classtype:trojan-activity; sid:2011395; rev:2;)
# Check-in 1: URI carries &fff=, &coid=, do=, &IP= and lct= (any order; "do=" and "lct=" are short, unanchored substrings).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeYak or Related Infection Checkin 1"; flow:established,to_server; content:"&fff="; http_uri; content:"&coid="; http_uri; content:"do="; http_uri; content:"&IP="; nocase; http_uri; content:"lct="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:trojan-activity; sid:2011396; rev:2;)
# Check-in 2: URI carries &fff=, &coid= and saf=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeYak or Related Infection Checkin 2"; flow:established,to_server; content:"&fff="; http_uri; content:"&coid="; http_uri; content:"saf="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:trojan-activity; sid:2011397; rev:2;)
# Server-to-bot message: exactly 124 bytes of payload starting with 00 10 00 00 followed by "http://" (11 bytes, depth:11). Destination ports 1024 and above.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Execute DDoS Command From CnC Server"; flow:established,from_server; dsize:124; content:"|00 10 00 00|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011398; rev:1;)
# Same 124-byte message shape with the prefix 00 00 00 04 followed by "http://".
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011399; rev:2;)
# Same 124-byte message shape; here only the first four bytes (80 04 00 00) are checked, so this is the least specific of the three.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET 
TROJAN Yoyo-DDoS Bot Execute SYN Flood Command Message From CnC Server"; flow:established,from_server; dsize:124; content:"|80 04 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011400; rev:1;)
# HTTP flood, inbound: keys on two misspelled headers, "Accept-Encoding: g{ip, deflate" and "Connection: Keep-Alivf".
# threshold type limit caps alerts at 5 per source per 60 seconds, so alert counts do not reflect request volume.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:3;)
# HTTP flood, outbound: identical match with HOME_NET as the source, i.e. an internal host taking part in the flood.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3;)
# DNS query (UDP/53 only): bytes 2-11 must be a standard recursive query with one question, then the labels "co" + "cc" + root terminator.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3;)
# Same DNS check for names ending in the labels "cz" + "cc".
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3;)
# ActiveX rule: server response containing "clsid", the CLSID 02BF25D5-8C17-4B23-BC80-D3488ABDDC6B and the parameter name _Marshaled_pUnk.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime _Marshaled_pUnk 
Backdoor Param Arbitrary Code Execution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"_Marshaled_pUnk"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; reference:url,www.exploit-db.com/exploits/14843/; classtype:attempted-user; sid:2011412; rev:1;)
# NOTE(review): the pcre of the rule ending above (sid:2011412) begins with "]*classid", which looks like the remains of an HTML-tag prefix lost when this page was extracted.
# As written it still compiles but no longer requires the classid attribute to sit inside a tag - compare against the upstream rule before deploying.
# Command-injection attempt: fingerprint= value of word characters followed by ";" in a GET to /modules/gnupg/json.php?task=send_key.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/gnupg/json.php?"; nocase; uricontent:"task=send_key"; nocase; uricontent:"fingerprint="; nocase; pcre:"/fingerprint=\w*\;/Ui"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:1;)
# Controller traffic: URI ending in ?uid=<40 hex chars>&action=<word>&v=<version>&b=<digits>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Small.gen!AQ Communication with Controller"; flow:established,to_server; content:"?uid="; nocase; http_uri; fast_pattern; content:"&action="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&b="; nocase; http_uri; pcre:"/\?uid=[0-9a-f]{40}&action=\w+&v=[\w.]+&b=\d+$/U"; reference:url,perpetualhorizon.blogspot.com/2010/08/shot-in-dark-analysis-of-failed-malware.html; reference:url,www.threatexpert.com/report.aspx?md5=eb3140416c06fa8cb7851076dd100dfb; reference:url,www.threatexpert.com/report.aspx?md5=8033dffa899dcd16769f389073f9f053; classtype:trojan-activity; sid:2011414; rev:3;)
# Landing-page indicator: a single literal CSS fragment in the server response; no file_data or HTTP buffer is specified.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV landing page - sector.hdd.png no-repeat"; flow:established,to_client; content:"sector.hdd.png) no-repeat"; fast_pattern:only; classtype:bad-unknown; sid:2011419; rev:3;)
# NOTE(review): the Sipvicious rule below is truncated in this copy - its second content string is never closed and runs straight into the
# address/port part of a following rule header, and no sid for it is visible. Restore both rules from the upstream ruleset before loading this file.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Modified Sipvicious OPTIONS Scan"; content:"OPTIONS "; depth:8; content:"ccxllrlflgig|22| $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/cacti/utilities.php"; nocase; uricontent:"tail_lines="; nocase; uricontent:"message_type="; nocase; uricontent:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,42575; reference:cve,2010-2544; reference:cve,2010-2545; classtype:web-application-attack; sid:2011423; rev:1;)
# NOTE(review): the rule ending above (sid:2011423) has no intact "alert ... ->" header in this copy; verify it against the upstream ruleset.
# Generic check: the string sp_configure anywhere in the normalized URI of a request to $HTTP_SERVERS. POST bodies are not inspected by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Using MSSQL sp_configure Command"; flow:established,to_server; content:"sp_configure"; http_uri; nocase; reference:url,technet.microsoft.com/en-us/library/ms188787.aspx; reference:url,technet.microsoft.com/en-us/library/ms190693.aspx; classtype:web-application-attack; sid:2011424; rev:4;)
# SQL injection family for /classified_img.php?clsid= (GET only, older uricontent style): SELECT ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011426; rev:1;)
# Same family: DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011427; rev:1;)
# Same family: UNION ... SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UNION SELECT SQL Injection Attempt"; 
flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011428; rev:1;)
# V-EVA /classified_img.php?clsid= : INSERT ... INTO in the normalized URI of a GET request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011429; rev:1;)
# Same family: UPDATE ... SET. Note the sid jumps from 2011429 to 2011450 here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classified_img.php?"; nocase; uricontent:"clsid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011450; rev:1;)
# File inclusion attempt against Joomla com_jgrid: controller= present and "../" within the first 200 raw payload bytes (not tied to the parameter value).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_jgrid"; nocase; uricontent:"controller="; nocase; content:"../"; depth:200; reference:url,secunia.com/advisories/40987/; reference:url,exploit-db.com/exploits/14656/; classtype:web-application-attack; sid:2011451; rev:1;)
# Reflected XSS attempt: date= parameter of dailyview.php followed by "script", an on* event-handler name, or "style=". No HTTP method restriction.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/dailyview.php?"; nocase; uricontent:"date="; nocase; 
pcre:"/date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13770; classtype:web-application-attack; sid:2011452; rev:1;)
# Local file inclusion attempt: GET for /maincore.php? with folder_level= and "../" within the first 200 raw payload bytes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/maincore.php?"; nocase; uricontent:"folder_level="; nocase; content:"../"; depth:200; reference:url,inj3ct0r.com/exploits/13709; classtype:web-application-attack; sid:2011453; rev:1;)
# Remote file inclusion attempt: db_servertype= followed by an ftp(s)/http(s)/php scheme. "/global.php?" is a generic path, so other applications can match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/global.php?"; nocase; uricontent:"db_servertype="; nocase; pcre:"/db_servertype=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14712/; classtype:web-application-attack; sid:2011454; rev:1;)
# State-setting rule, never alerts (flowbits:noalert): marks a flow in which the client issued a WebDAV PROPFIND by setting ET_PROPFIND.
# sid:2011457 depends on this flowbit; disabling this rule silently disables that one too.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; content:"PROPFIND "; fast_pattern:only; content:"PROPFIND"; http_method; nocase; flowbits:set,ET_PROPFIND; flowbits:noalert; classtype:misc-activity; sid:2011456; rev:4;)
# Requires ET_PROPFIND on the flow, then checks the response body for a PE file: "MZ" at the start, a jump through the 4-byte little-endian
# value located 58 bytes after "MZ" (file offset 0x3C), and "PE\0\0" at the resulting position (distance:-64 undoes the bytes already consumed).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET_PROPFIND; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; 
reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:4;)
# Shell-path family: a shell binary path anywhere in the normalized URI of a request to $HTTP_SERVERS. This rule: /bin/csh.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/csh"; nocase; http_uri; classtype:web-application-attack; sid:2011464; rev:6;)
# /bin/sh. As a plain substring match this also fires on longer paths that contain "/bin/sh" (for example a script under a /bin/ directory whose name starts with "sh").
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/sh"; fast_pattern:only; http_uri; nocase; classtype:web-application-attack; sid:2011465; rev:6;)
# /bin/tsh.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/tsh"; http_uri; nocase; classtype:web-application-attack; sid:2011466; rev:8;)
# /bin/ksh. No rule for other shells (e.g. bash) is visible in this part of the listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; content:"/bin/ksh"; http_uri; nocase; classtype:web-application-attack; sid:2011467; rev:7;)
# Credential exfiltration: request to /receiver/ftp whose body starts with ftp_uri_0= and also contains &ftp_source_0=. Treat a hit as exposure of stored FTP credentials on the source host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daurso FTP Credential Theft Reported"; flow:to_server,established; content:"/receiver/ftp"; http_uri; nocase; content:"|0d 0a 0d 0a|ftp_uri_0="; nocase; content:"&ftp_source_0="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7; reference:url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011470; rev:2;)
# Check-in from the same family: POST to a URI containing receiver/online with a body starting guid=.
alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daurso Checkin"; flow:established,to_server; content:"POST"; http_method; content:"receiver/online"; http_uri; content:"|0d 0a 0d 0a|guid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7; reference:url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011471; rev:2;)
# Response containing script that reads document.body.currentStyle.fontFamily and then searches it for "authenticity_token".
# The second string is specific to one token name, so the rule covers that one target pattern only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:1;)
# Check-in on ports 8081-8090 (the msg text names only 8082). The five patterns are short, raw, unordered substrings ("a=", "&u=", ...),
# so the port range is what keeps this rule specific - expect noise if unrelated HTTP services run on those ports.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081:8090 (msg:"ET TROJAN Antivirus2010 Checkin port 8082"; flow:established,to_server; content:"/ask?"; content:"&u="; content:"a="; content:"&m="; content:"&h="; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:trojan-activity; sid:2011473; rev:5;)
# Response body starting with the OLE2 compound-file signature (D0 CF 11 E0 A1 B1 1A E1), then the byte triples 47 CA FF and 3E C6 FF,
# followed by at least 84 bytes that contain no 0x0A. The meaning of the two triples is not stated on this page - see the references.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; 
reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:4;)
# IMDDOS User-Agent family: outbound to any port, matching a User-Agent header that begins with the given string. This rule: STORMDDOS.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IMDDOS Botnet User-Agent STORMDDOS"; flow: established,to_server; content:"User-Agent|3A| STORMDDOS"; nocase; http_header; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011480; rev:4;)
# IAMDDOS.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IMDDOS Botnet User-Agent IAMDDOS"; flow: established,to_server; content:"User-Agent|3A| IAMDDOS"; nocase; http_header; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011481; rev:4;)
# kav. Case-sensitive (no nocase) and a prefix match: any User-Agent value starting with "kav" triggers it, so review hits for unrelated software.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IMDDOS Botnet User-Agent kav"; flow: established,to_server; content:"User-Agent|3A| kav"; http_header; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011482; rev:5;)
# YTDDOS.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IMDDOS Botnet User-Agent YTDDOS"; flow: established,to_server; content:"User-Agent|3A| YTDDOS"; nocase; http_header; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011483; rev:4;)
# "i am ddos". Unlike its siblings this one matches the raw payload within the first 300 bytes (depth:300) instead of the http_header buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:4;)
# Response with "FLV" in the first 300 bytes, "onMetaData" afterwards, and the bytes 07 50 75 08 within the next 100. No file_data is used, so the 300-byte window includes the HTTP response headers.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt"; flow:established,to_client; content:"FLV"; nocase; depth:300; content:"onMetaData"; nocase; distance:0; content:"|07 50 75 08|"; within:100; 
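reference:url,service.real.com/realplayer/security/08262010_player/en/; reference:url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:2011485; rev:2;)
# FTP login with a "%" in the user name: "USER " at the start of the payload, no CRLF within the next 50 bytes, and a "%" somewhere after.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Suspicious Percentage Symbol Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; nocase; content:!"|0d 0a|"; within:50; content:"%"; distance:0; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011487; rev:2;)
# FTP login with a double quote in the user name; the pcre keeps the quote on the same line as the USER command. "USER " is case-sensitive here, unlike sid:2011487.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/"; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:2;)
# Check-in: URI carries ?id=, &co=, &us=, &os=, &vr= and &dt= (order not enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Meredrop/Nusump Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&co="; http_uri; content:"&us="; http_uri; content:"&os="; http_uri; content:"&vr="; http_uri; content:"&dt="; http_uri; fast_pattern:only; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FNusump&ThreatID=-2147329857; reference:url,www.threatexpert.com/report.aspx?md5=ef0616d75bd892ed69fe22a510079686; reference:url,www.threatexpert.com/report.aspx?md5=463cdec2df12a04d6ea1d015746ee950; classtype:trojan-activity; sid:2011489; rev:4;)
# Check-in (1): GET request for /gatech.php?pn=.
# Fixed: the "GET" match used the http_header modifier. The request method is not part of the header buffer, so the rule could only
# fire if "GET" happened to appear inside a header value. It now uses http_method, matching the sibling rule sid:2011491.
# The rev value is left as found; bump it according to local rule-management practice when deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Zlob.bgs Checkin(1)"; flow:established,to_server; content:"GET"; http_method; content:"/gatech.php?pn="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4; classtype:trojan-activity; sid:2011490; rev:2;)
# Check-in (2): GET request for /gatech.php?id=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 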
(msg:"ET TROJAN Downloader.Win32.Zlob.bgs Checkin(2)"; flow:established,to_server; content:"GET"; http_method; content:"/gatech.php?id="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4; classtype:trojan-activity; sid:2011491; rev:2;)
# Check-in to any port: URI contains ".php?", "strID=" and "strPC=" (case-sensitive, order not enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Adware.Kraddare Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"strID="; http_uri; content:"strPC="; http_uri; classtype:trojan-activity; sid:2011492; rev:2;)
# Any request for the OpenX ofc_upload_image.php script, regardless of method or parameters. On servers running OpenX, pair a hit with a check of the upload directory covered by sid:2011494.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit Attempt"; flow:established,to_server; uricontent:"/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011493; classtype:web-application-attack; sid:2011493; rev:3;)
# Any request under the OpenX tmp-upload-images directory, i.e. possible access to a previously uploaded file. The msg string ends with a trailing space.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit - possible Access to uploaded Files "; flow:established,to_server; uricontent:"/admin/plugins/videoReport/lib/tmp-upload-images"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; 
reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011494; classtype:web-application-attack; sid:2011494; rev:3;)
# Scanner User-Agent "Mozilla/4.0 (Hydra)"; fast_pattern:23,8 selects the " (Hydra)" part. Limited to one alert per source per 60 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Hydra User-Agent"; flow: established,to_server; content:"User-Agent|3A| Mozilla/4.0 (Hydra)"; nocase; http_header; fast_pattern:23,8; threshold: type limit, track by_src,count 1, seconds 60; reference:url,freeworld.thc.org/thc-hydra; classtype:attempted-recon; sid:2011497; rev:3;)
# State-setting rule, never alerts (flowbits:noalert): sets ET.flash.pdf when "PDF-" appears in the first 300 bytes and ".swf" follows.
# Rules that test ET.flash.pdf (sid:2011500 below) depend on this one staying enabled.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:4;)
# Requires ET.flash.pdf on the flow, then looks for the six bytes 2C E8 88 F0 FF 33 anywhere in the response. The byte string's meaning is not explained on this page - see the references.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; fast_pattern:only; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3;)
# File disclosure attempt against a service on TCP 50002: a POST request that also sets the flowbit ET.etrust.fieldis for the follow-up "successful" rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform 
Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:""; nocase; distance:0; flowbits:set,ET.etrust.fieldis; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1;)
# NOTE(review): the rule ending above (sid:2011502) contains an empty content:"" match, which looks like text lost when this page was extracted.
# It is the only visible rule that sets ET.etrust.fieldis, so sid:2011503 below depends on it - restore it from the upstream ruleset before loading.
# Response from port 50002 containing "Unknown user" on a flow where ET.etrust.fieldis was set, i.e. the server answered the earlier request.
alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3;)
# PDF ("PDF-" in the first 300 bytes) with "/SubType" followed by "flash" within 100 bytes. "/SubType" is case-sensitive here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"/SubType"; distance:0; content:"flash"; fast_pattern; nocase; within:100; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; classtype:bad-unknown; sid:2011505; rev:4;)
# PDF with a literal "eval(" after the header. Only uncompressed, unencoded script text can match; content inside compressed streams is not visible to this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With eval Function - Possibly Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"eval|28|"; nocase; distance:0; reference:url,www.w3schools.com/jsref/jsref_eval.asp; classtype:bad-unknown; sid:2011506; rev:2;)
# Policy rule: an object dictionary ("obj" then "<<" within 4 bytes) that contains /EmbeddedFile before the dictionary's first ">".
# There is no check for the PDF header, so any response body with this byte sequence matches.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:7;)
# ntop denial-of-service, inbound to TCP 3000: GET for /configNtop.html with a Basic Authorization header whose value contains "==" within 100 bytes.
alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop 
Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:1;)
# Outbound variant of the ntop rule: same match with HOME_NET as the source and any destination on TCP 3000.
# "==" is ordinary Base64 padding, so legitimate Basic-auth logins to /configNtop.html will also match - correlate with service availability.
alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:1;)
# Inbound request carrying one exact, unusual User-Agent string (MSIE 4.01 on a Digital AlphaServer); fast_pattern:48,20 selects a 20-byte slice of it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)"; http_header; nocase; fast_pattern:48,20; classtype:trojan-activity; sid:2011517; rev:3;)
# Outbound variant: the same User-Agent sent by a HOME_NET host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)"; http_header; nocase; fast_pattern:48,20; classtype:trojan-activity; sid:2011518; rev:3;)
# Requires the flowbit ET.flash.pdf (set elsewhere in the ruleset by a PDF-with-.swf rule), then looks for the four bytes F2 3D 8D 23 in the response.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; 
flow:established,to_client; content:"|F2 3D 8D 23|"; fast_pattern:only; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Knock.php Shiz or Rohimafo CnC Server Contact URL"; flow:established,to_server; content:"GET"; http_method; nocase; content:"knock.php?n="; nocase; http_uri; content:"=seller-"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011520; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz or Rohimafo Reporting Listening Socket to CnC Server"; flow:established,to_server; content:"/socks.php?"; nocase; http_uri; content:"name="; nocase; http_uri; content:"&port="; http_uri; nocase; pcre:"/port=[1-9]{1,5}/Ui"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011523; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; file_data; content:"PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; 
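classtype:bad-unknown; sid:2011528; rev:6;)
# (The line above is the tail of the rule whose options begin on the previous line.)
#
# sid 2011529 -- PDF name obfuscation of /Action.
# Server-to-client stream: after file_data the rule wants "PDF-", then a "/" that is
# NOT followed by the literal "Action" but has a "#" close by. The pcre confirms that
# the name still spells "Action" once each character is allowed to be written either
# literally or as its #xx hex escape (A=#41, c=#63, t=#74, i=#69, o=#6F, n=#6E);
# the (?!Action) lookahead rejects the plain, unobfuscated spelling.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Action"; flow:established,to_client; file_data; content:"PDF-"; within:4; content:"/"; distance:0; content:!"Action"; within:6; content:"#"; within:16; pcre:"/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011529; rev:4;)
#
# sid 2011536 -- PDF name obfuscation of /Pages.
# Same construction as the /Action rule, for the name "Pages".
# FIX: the hex alternative for the first letter was "#40". 0x40 is "@"; "P" is 0x50,
# so a name written "/#50ages" never satisfied the pcre and the most direct form of
# the obfuscation went undetected. The alternative is now "#50"; the other four
# escapes (a=#61, g=#67, e=#65, s=#73) were already correct.
# NOTE(review): rev is left as shown; bump it when the change is adopted.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Pages"; flow:established,to_client; file_data; content:"PDF-"; within:4; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(?!Pages)(P|#50)(a|#61)(g|#67)(e|#65)(s|#73)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011536; rev:4;)
#
# sid 2011538 -- Firefox plugin parameter handling (CVE-2010-1214).
# Server-to-client stream containing "appletComponentArch.DynamicTreeApplet" followed
# by a chain of case-insensitive "PARAM" matches, each required to occur after the
# previous one (distance:0). There is no HTTP buffer or file_data keyword here, so
# the patterns are matched against the raw reassembled stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2;)
#
# sid 2011540 -- policy rule for the OpenSSL default organisation name in a
# certificate sent from port 443. Only the opening options are on this line; the
# remaining options follow on the next line.
alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; 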
content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; classtype:not-suspicious; sid:2011540; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; fast_pattern:only; reference:url,exploit-db.com/download_pdf/15077; classtype:attempted-user; sid:2011543; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:trojan-activity; sid:2011544; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft AskMe que_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/forum_answer.php?"; nocase; uricontent:"que_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/14979/; classtype:web-application-attack; sid:2011547; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/familynews.php?"; nocase; uricontent:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011552; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/settings.php?"; nocase; uricontent:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011553; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_jphone"; nocase; uricontent:"controller="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14964/; classtype:web-application-attack; sid:2011554; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/nmap.php?"; nocase; uricontent:"target="; nocase; pcre:"/target=\w*\;/Ui"; reference:url,osvdb.org/show/osvdb/67739; classtype:web-application-attack; sid:2011555; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011557; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; 
uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011558; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011559; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011560; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_zoomportfolio"; nocase; uricontent:"view=portfolio"; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; 
reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011561; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/oldnews_reader.php?"; nocase; uricontent:"lang="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/13899/; classtype:web-application-attack; sid:2011562; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/content/dynpage_load.php?"; nocase; uricontent:"file="; nocase; content:"../"; depth:200; reference:url,secunia.com/advisories/41317/; classtype:web-application-attack; sid:2011563; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/class.phpmailer.php?"; nocase; uricontent:"lang_path="; nocase; pcre:"/lang_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14893/; classtype:web-application-attack; sid:2011564; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/dompdf.php?"; nocase; uricontent:"input_file="; nocase; pcre:"/input_file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14851/; classtype:web-application-attack; sid:2011565; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site 
Scripting Attempt"; flow:established,to_server; uricontent:"/addressbook.cgi?"; nocase; uricontent:"show=search"; nocase; uricontent:"page="; nocase; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13944; classtype:web-application-attack; sid:2011566; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/catalogo.php?"; nocase; uricontent:"id_livello="; nocase; pcre:"/id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; uricontent:"h="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011572; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; uricontent:"src="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011573; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"GET "; depth:4; 
uricontent:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; uricontent:"w="; nocase; content:"../"; depth:200; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011574; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; fast_pattern:only; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNSTrojan FakeAV Dropper Activity Observed (1)"; flow:established,to_server; content:"v="; http_uri; nocase; content:"&step="; http_uri; nocase; content:"&hostid="; http_uri; nocase; reference:url,www.abuse.ch/?p=2740; reference:url,www.abuse.ch/?p=2796; reference:url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88; reference:url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011577; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNSTrojan FakeAV Dropper Activity Observed (2)"; flow:established,to_server; content:"/getfile.php?r="; http_uri; nocase; content:"&p="; http_uri; nocase; pcre:"/\/getfile\.php\?r=-?\d+&p=/U"; reference:url,www.abuse.ch/?p=2740; reference:url,www.abuse.ch/?p=2796; reference:url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88; reference:url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011578; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; 
http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011581; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"151"; within:3; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; reference:url,www.oracle.com/technetwork/java/javase/2col/6u85-bugfixes-2298235.html; classtype:bad-unknown; sid:2011582; rev:45;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011584; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Connectivity Check"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a 20|Mozilla/"; depth:68; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; http_header; nocase; content:"|3a| no-cache"; http_header; content:!"/webhp"; http_uri; depth:6; content:!"Host|3a| login.live.com|0d 0a|"; http_header; 
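content:!"google.com|0d 0a|"; http_header; content:!"www.bing.com"; http_header; content:!"yandex.ru|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:20;)
# (The line above is the tail of the rule whose options begin on the previous line.)
#
# sid 2011589 -- msvidctl.dll ActiveX control instantiated by CLSID.
# Server-to-client file_data must contain the CLSID string and
# ".CustomCompositorClass"; the pcre then ties the CLSID to a classid attribute.
# FIX: the pcre on the page began "/]*classid", i.e. the opening of the expression
# had been lost (it looks like markup stripping removed everything from "<" to ">").
# As shown it still compiled, but it matched "classid=clsid:<GUID>" anywhere in the
# body rather than inside an OBJECT tag, which widens the rule and invites false
# positives on pages that merely mention the CLSID.
# NOTE(review): the prefix "<OBJECT\s+[^>" is restored from the form ET uses for its
# ActiveX classid checks -- confirm against the upstream copy of this sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; file_data; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:5;)
#
# sid 2011590 -- same control reached through script instead of an OBJECT tag.
# Needs "ActiveXObject", then the ProgID "MSVidCtlLib.MSVidVMR9" after it
# (distance:0), plus ".CustomCompositorClass" anywhere in the stream. No file_data
# keyword is used, so matching is on the raw server-to-client stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:2;)
#
# sid 2011591 -- outbound request whose URI carries "?p=p52dcW"; the pcre narrows
# this to "/?p=p52dcW" followed by four ASCII letters in the normalized URI (/U).
# The rule carries no reference: option, so triage has to start from the msg text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential-Hiloti/FakeAV site access"; flow:established,to_server; uricontent:"?p=p52dcW"; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:1;)
#
# sid 2011592 -- inbound server-to-client packet of exactly 124 payload bytes
# (dsize:124) whose first 10 bytes are 00 00 00 04 followed by "ftp://".
# Destination ports are limited to 1024 and above.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|ftp|3a|//"; depth:10; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011592; rev:1;)
#
# sid 2011666 begins here; its msg string and remaining options continue on the
# next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote 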
File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/lib/layout/layoutManager.php?"; nocase; http_uri; content:"LibDir="; nocase; http_uri; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011666; classtype:web-application-attack; sid:2011666; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; content:"?action=checkPort&port="; http_uri; content:"Java/"; http_header; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; classtype:trojan-activity; sid:2011667; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; content:"Authorization|3a| Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; http_header; content:"/debug.cgi"; http_uri; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; classtype:attempted-admin; sid:2011669; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt"; flow:established,to_server; content:"/webline/html/admin/wcs/LoginPage.jhtml"; nocase; http_uri; content:"dest="; nocase; http_uri; 
pcre:"/dest\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.exploit-db.com/exploits/11403/; reference:cve,2010-0641; reference:url,doc.emergingthreats.net/2011676; classtype:web-application-attack; sid:2011676; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; content:"/registerSession.py?"; http_uri; nocase; content:"proj="; http_uri; nocase; content:"&country="; http_uri; nocase; content:"&lang="; http_uri; nocase; content:"&channel="; http_uri; nocase; content:"source="; http_uri; nocase; content:"User-Agent|3a| NSIS_Inetc (Mozilla)"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=af0bbdf6097233e8688c5429aa97bbed; reference:url,doc.emergingthreats.net/2011677; classtype:trojan-activity; sid:2011677; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (HTTP_Query)"; flow:to_server,established; content:"User-Agent|3a| HTTP_Query|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011678; classtype:trojan-activity; sid:2011678; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:trojan-activity; sid:2011679; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; distance:0; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:5;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:trojan-activity; sid:2011691; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fragus Exploit Kit Landing"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"hello="; nocase; http_uri; pcre:"/\.php\?(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+$/Ui"; reference:url,jsunpack.jeek.org/dec/go?report=d60344851322218108076f1ad8d21435de9d5b7c; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2011693; classtype:trojan-activity; sid:2011693; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"User-Agent|3a 20|"; content:"Windows 3.1"; fast_pattern:only; http_header; content:!"Cisco AnyConnect VPN Agent"; http_header; pcre:"/User-Agent\:[^\n]+Windows 3.1/Hi"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt"; flow:established,to_server; content:"/HtmlAdaptor"; nocase; http_uri; content:"action=inspect"; nocase; http_uri; content:"bean"; nocase; http_uri; content:"name="; http_uri; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011696; 
classtype:web-application-attack; sid:2011696; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt"; flow:established,to_client; content:"/HtmlAdaptor"; nocase; content:"action=invokeOpByName"; nocase; within:25; content:"DeploymentFileRepository"; nocase; within:80; content:"methodName="; nocase; within:25; content:".war"; nocase; distance:0; content:".jsp"; nocase; distance:0; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011697; classtype:web-application-attack; sid:2011697; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)"; flow:to_server,established; content:"User-Agent|3a| Transmission/"; http_header; reference:url,www.transmissionbt.com; reference:url,doc.emergingthreats.net/2011699; classtype:policy-violation; sid:2011699; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x)"; flow:to_server,established; content:"User-Agent|3a| KTorrent/3"; http_header; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011700; classtype:policy-violation; sid:2011700; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P 
Client User-Agent (Opera/10.x)"; flow:to_server,established; content:"User-Agent|3a| Opera BitTorrent, Opera/"; fast_pattern:11,15; http_header; reference:url,www.opera.com; reference:url,doc.emergingthreats.net/2011701; classtype:policy-violation; sid:2011701; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitTornado)"; flow:to_server,established; content:"User-Agent|3a| BitTornado/"; http_header; reference:url,www.bittornado.com; reference:url,doc.emergingthreats.net/2011702; classtype:policy-violation; sid:2011702; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Enhanced CTorrent 3.x)"; flow:to_server,established; content:"User-Agent|3a| Enhanced-CTorrent"; fast_pattern:11,18; http_header; reference:url,www.rahul.net/dholmes/ctorrent; reference:url,doc.emergingthreats.net/2011703; classtype:policy-violation; sid:2011703; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; content:"User-Agent|3a| Deluge "; http_header; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; classtype:policy-violation; sid:2011704; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (rTorrent)"; flow:to_server,established; content:"User-Agent|3a| rtorrent/"; http_header; reference:url,libtorrent.rakshasa.no; reference:url,doc.emergingthreats.net/2011705; classtype:policy-violation; sid:2011705; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (uTorrent)"; flow:to_server,established; content:"User-Agent|3a| uTorrent"; http_header; reference:url,www.utorrent.com; reference:url,doc.emergingthreats.net/2011706; classtype:policy-violation; sid:2011706; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Client 
User-Agent (Shareaza 2.x)"; flow:to_server,established; content:"User-Agent|3a| Shareaza 2."; http_header; reference:url,shareaza.sourceforge.net; reference:url,doc.emergingthreats.net/2011707; classtype:policy-violation; sid:2011707; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)"; flow:to_server,established; content:"User-Agent|3a| Blizzard"; fast_pattern:11,9; http_header; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/2011708; classtype:policy-violation; sid:2011708; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; content:"User-Agent|3a| BitComet/"; http_header; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x)"; flow:to_server,established; content:"User-Agent|3a| ktorrent/2"; http_header; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011711; classtype:policy-violation; sid:2011711; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; content:"User-Agent|3a| FDM 3."; http_header; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (BTSP)"; flow:to_server,established; content:"User-Agent|3a| BTSP/"; http_header; reference:url,doc.emergingthreats.net/2011713; classtype:policy-violation; sid:2011713; rev:4;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; 
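content:"|0d 0a|User-Agent|3A| friendly-scanner"; fast_pattern:only; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:4;)
# (Above: options of the SIP "friendly-scanner" User-Agent rule, sid 2011716; its header is on the previous line of this listing.)
# From here on the listing is laid out one rule per line, each preceded by a short description.

# Inbound HTTP request to a web server with the header "User-Agent: RangeCheck/0.1" followed by CRLF (case-insensitive).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:trojan-activity; sid:2011718; rev:4;)

# Outbound HTTP request with the header "User-Agent: SOGOU_UPDATER" followed by CRLF.
# The msg files this under POLICY while the classtype is trojan-activity; triage accordingly.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| SOGOU_UPDATER|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:6;)

# Inbound GET whose URI contains "/hello.html".
# There is no threshold and no second content match, so a legitimate page of that name alerts as well.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible WafWoof Web Application Firewall Detection Scan"; flow:established,to_server; content:"GET"; http_method; content:"/hello.html"; http_uri; reference:url,code.google.com/p/waffit/; reference:url,doc.emergingthreats.net/2011720; classtype:attempted-recon; sid:2011720; rev:4;)

# Inbound HTTP request with a User-Agent header beginning "pymills-spider/".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| pymills-spider/"; fast_pattern:only; http_header; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:5;)

# NOTE(review): the next line is damaged in this copy. Three rules are fused into one: the Axis Media
# Controller rule stops at an opening content:" and the two Webmoney Advisor rules that follow have lost
# part of their headers (it looks as if text between a '<' and a '>' was stripped during extraction).
# Only sid 2011724 survives. The line will not parse as written; restore these rules from the upstream
# ruleset instead of repairing them by hand.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TOOLBAR3Lib.ToolbarObj"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011724; classtype:attempted-user; sid:2011724; rev:2;)

# Inbound GET to commentform.php where the tpl_base_dir parameter begins with an ftp/ftps/http/https/php
# scheme (remote file inclusion pattern), matched on the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/application/views/public/commentform.php?"; nocase; http_uri; content:"tpl_base_dir="; nocase; http_uri; pcre:"/tpl_base_dir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/13890/; reference:url,vupen.com/english/advisories/2010/1497; reference:bugtraq,40881; reference:url,doc.emergingthreats.net/2011725; classtype:web-application-attack; sid:2011725; rev:3;)

# Inbound GET to /html/studentmain.php with a session= parameter and SELECT ... FROM in the URI.
# Written in the older `content:"GET "; depth:4;` + uricontent form rather than http_method/http_uri.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011726; classtype:web-application-attack; sid:2011726; rev:2;)

# Same SchoolMation pattern for DELETE ... FROM; the rule's remaining options are on the next line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; 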
pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011727; classtype:web-application-attack; sid:2011727; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011728; classtype:web-application-attack; sid:2011728; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011729; classtype:web-application-attack; sid:2011729; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011730; classtype:web-application-attack; sid:2011730; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting 
Attempt"; flow:established,to_server; uricontent:"/html/studentmain.php?"; nocase; uricontent:"session="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011731; classtype:web-application-attack; sid:2011731; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak3 Connect"; content:"|00 00 00 00 02 9d 74 8b 45 aa 7b ef b9 9e fe ad 08 19 ba cf 41 e0 16 a2|"; offset:8; depth:24; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011733; classtype:policy-violation; sid:2011733; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login"; content:"|f4 be 03 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011734; classtype:policy-violation; sid:2011734; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login Replay"; content:"|f4 be 04 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011735; classtype:policy-violation; sid:2011735; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping"; content:"|f4 be 01 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011736; 
classtype:policy-violation; sid:2011736; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping Reply"; content:"|f4 be 02 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011737; classtype:policy-violation; sid:2011737; rev:3;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login Part 2"; flow:established; content:"|f0 be 05 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011738; classtype:policy-violation; sid:2011738; rev:4;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Channel List"; content:"|f0 be 06 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011739; classtype:policy-violation; sid:2011739; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player List"; content:"|f0 be 07 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011740; classtype:policy-violation; sid:2011740; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login End"; content:"|f0 be 08 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011741; classtype:policy-violation; sid:2011741; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/New Player Joined"; content:"|f0 be 64 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011742; classtype:policy-violation; sid:2011742; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player Left"; content:"|f0 be 65 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011743; classtype:policy-violation; sid:2011743; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES 
TeamSpeak2 Standard/Change Status"; content:"|f0 be 30 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011744; classtype:policy-violation; sid:2011744; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Known Player Update"; content:"|f0 be 68 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011745; classtype:policy-violation; sid:2011745; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Disconnect"; content:"|f0 be 2c 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011746; classtype:policy-violation; sid:2011746; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 ACK"; content:"|f1 be|"; depth:2; dsize:16; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011747; classtype:policy-violation; sid:2011747; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Launch"; flow:to_server,established; content:"GET"; http_method; content:"/online_game/launcher_init.php?"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011748; classtype:policy-violation; sid:2011748; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Check for Patch"; flow:to_server,established; content:"GET"; http_method; content:"/online_game/patch.php?"; http_uri; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011749; classtype:policy-violation; sid:2011749; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET GAMES TrackMania Request GetConnectionAndGameParams"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"GetConnectionAndGameParams"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011750; classtype:policy-violation; sid:2011750; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request OpenSession"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"OpenSession"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011751; classtype:policy-violation; sid:2011751; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Connect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"Connect"; nocase; http_client_body; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011752; classtype:policy-violation; sid:2011752; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Disconnect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"Disconnect"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011753; classtype:policy-violation; sid:2011753; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetOnlineProfile"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"GetOnlineProfile"; nocase; reference:url,www.trackmania.com; 
reference:url,doc.emergingthreats.net/2011754; classtype:policy-violation; sid:2011754; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetBuddies"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"GetBuddies"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011755; classtype:policy-violation; sid:2011755; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request SearchNew"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"SearchNew"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011756; classtype:policy-violation; sid:2011756; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request LiveUpdate"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"LiveUpdate"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011757; classtype:policy-violation; sid:2011757; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Ad Report"; flow:to_server,established; content:"GET"; http_method; content:"/online_game/ad_report.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"protocol="; http_uri; content:"author="; http_uri; content:"login="; http_uri; content:"zone="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011758; classtype:policy-violation; sid:2011758; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; 
content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; content:"GET"; http_method; content:"|0D 0A|Location|3A|"; nocase; http_uri; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; reference:url,doc.emergingthreats.net/2011763; classtype:web-application-attack; sid:2011763; rev:3;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:attempted-dos; sid:2011767; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP tags in 
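HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; classtype:trojan-activity; sid:2011769; rev:5;)
# NOTE(review): the line above is damaged in this copy. The end of the "PHP tags in HTTP POST" rule runs
# straight into the options of sid 2011769; everything between the opening content:" and $EXTERNAL_NET is
# missing (it looks as if text between a '<' and a '>' was stripped during extraction). It will not parse
# as written; restore both rules from the upstream ruleset.
# The surviving sid 2011769 options match a URI ending in ".php?id=<digits>&magic=<digits, optionally negative>".
# Its doc.emergingthreats.net reference carries a different number (2010793) from the sid.
# From here on the listing is laid out one rule per line, each preceded by a short description.

# Outbound HTTP request whose URI contains ".php?id=", "&ver=", "&up=" and "&os=" (case-insensitive, no
# ordering enforced). The doc.emergingthreats.net reference (2010791) differs from the sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz/Rohimafo Checkin"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010791; classtype:trojan-activity; sid:2011791; rev:3;)

# Inbound GET to /refund_request.php with an orderid= parameter and DELETE ... FROM in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/refund_request.php?"; nocase; http_uri; content:"orderid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011794; rev:4;)

# Outbound POST to "/set/first.html" whose body contains "id=", "os=" and "plist=".
# The rule carries no reference: option, so the analyst has nothing to pivot on from the alert itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN carberp check in"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/set/first.html"; http_uri; content:"id="; http_client_body; content:"os="; http_client_body; content:"plist="; http_client_body; classtype:trojan-activity; sid:2011798; rev:3;)

# Outbound request for "/task.php?id=<32 to 64 characters other than '&'>&task=<digit>".
# The dot in the pcre is escaped so that it matches only a literal ".", as the content match already does.
# NOTE(review): rev is left as found; bump it if this edit is carried into a managed ruleset.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp checkin task"; flow:established,to_server; content:"/task.php?id="; http_uri; content:"&task="; http_uri; pcre:"/\/task\.php\?id=[^&]{32,64}&task=\d/U"; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.honeynet.org/node/578; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; reference:url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b; reference:url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44; reference:url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36; classtype:trojan-activity; sid:2011799; rev:6;)

# Outbound request with "User-Agent:Mozilla" (no space after the colon), unless the headers contain
# "BlackBerry;", "PlayBook;", "masterconn.qq.com", "Konfabulator" or "QQPCMgr".
# The QQPCMgr exclusion appeared twice in a row; the redundant copy is dropped, matching is unchanged.
# The msg files this under POLICY while the classtype is trojan-activity.
# NOTE(review): rev is left as found; bump it if this edit is carried into a managed ruleset.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"masterconn.qq.com"; http_header; content:!"Konfabulator"; http_header; content:!"QQPCMgr"; http_header; classtype:trojan-activity; sid:2011800; rev:10;)

# NOTE(review): the next line is damaged in this copy. The AoA Audio Extractor rule stops at an opening
# content:" and continues with the tail of the "DNS Lookup for localhost.DOMAIN.TLD" rule, whose protocol
# and source side are missing. Only sid 2011802 survives. The line will not parse as written; restore
# both rules from the upstream ruleset.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:" $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3;)

# Inbound GET for ScriptResource.axd with neither "&t=" nor "&|3b|t=" in the URI, rate-gated by
# detection_filter (15 matches per source within 2 seconds), i.e. a burst of requests, not a single one.
# NOTE(review): "&|3b|t=" is the byte string "&;t="; this may be what remains of the HTML-entity form of
# the ampersand followed by "t=" after extraction. Compare with the upstream rule before relying on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"ScriptResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&|3b|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6;)

# Same check for "/WebResource.axd" (note the leading slash, which the ScriptResource rule does not have).
# The same caveat about the "&|3b|t=" exclusion applies to this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"/WebResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&|3b|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:4;)

# Inbound request with a User-Agent header beginning "inspath [path disclosure finder"; the threshold
# limits alerts to one per source every 30 seconds.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| inspath [path disclosure finder"; http_header; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:2;)

# Head of the Inspathx scan rule; its options are on the next line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Inspathx Path Disclosure Scan"; 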
flow:established,to_server; content:"GET"; http_method; content:"varhttp|3A|/"; http_uri; nocase; content:"wwwhttp|3A|/"; http_uri; nocase; content:"htmlhttp|3A|/"; http_uri; nocase; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011809; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fa078834dd3b4c6604d12823a6f9f17e; classtype:trojan-activity; sid:2011820; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:3;) alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; fast_pattern:only; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MUROFET/Licat Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/news/?s="; http_uri; pcre:"/news\/\?s=\d{1,6}$/U"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:trojan-activity; sid:2011825; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Xilcter/Zeus related malware dropper reporting in"; flow:established,to_server; content:"subid="; http_uri; content:"br="; http_uri; content:"os="; http_uri; content:"flg="; http_uri; classtype:trojan-activity; sid:2011827; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/section.php?"; nocase; http_uri; content:"Module_Text="; nocase; http_uri; content:"ID="; nocase; http_uri; content:"Lang="; nocase; http_uri; content:"Nav="; nocase; http_uri; content:"Module="; nocase; http_uri; content:"../"; depth:200; 
reference:url,packetstormsecurity.org/1005-exploits/724cms459-lfi.txt; classtype:web-application-attack; sid:2011828; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)"; flow:established,to_server; content:"GET"; http_method; content:"/classes/flash_mp3_player/extras/external_feeds/getfeed.php?"; nocase; http_uri; content:"file="; http_uri; nocase; content:"../"; depth:200; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011829; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)"; flow:established,to_server; content:"GET"; http_method; content:"/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php?"; nocase; http_uri; content:"file="; http_uri; nocase; content:"../"; depth:200; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011830; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/admin.lib.inc.php?"; nocase; http_uri; content:"site_path="; http_uri; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/1010-exploits/cmsboard-rfi.txt; classtype:web-application-attack; sid:2011831; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; http_uri; nocase; content:"smilieid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; 
reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011832; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011833; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011834; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011835; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter INSERT INTO SQL Injection Attempt"; 
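flow:established,to_server; content:"GET"; http_method; content:"/admincp.php?"; nocase; http_uri; content:"section=smilies"; nocase; http_uri; content:"action=edit"; nocase; http_uri; content:"smilieid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011836; rev:2;)
# (Above: options of the OvBB admincp.php smilieid INSERT INTO rule, sid 2011836; its header is on the previous line of this listing.)
# From here on the listing is laid out one rule per line, each preceded by a short description.

# Inbound GET to admin.a6mambohelpdesk.php where mosConfig_live_site begins with an ftp/ftps/http/https/php
# scheme (remote file inclusion pattern).
# The cve reference is written as the bare id, the form the other cve references in this listing use
# (cve,2010-2008 and cve,2008-7257); it previously read "CVE-2006-3930", which tooling that prepends
# "CVE-" to this field would double up.
# NOTE(review): rev is left as found; bump it if this edit is carried into a managed ruleset.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?"; nocase; http_uri; content:"mosConfig_live_site="; http_uri; nocase; pcre:"/mosConfig_live_site=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,19198; reference:cve,2006-3930; classtype:web-application-attack; sid:2011837; rev:2;)

# Inbound GET to mg_user_fotoalbum.php with album_user_id= and album_id= parameters and SELECT ... FROM
# in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011838; rev:2;)

# DELETE ... FROM variant of the same PHP-Fusion rule (sid 2011839); its remaining options are on the next
# line of this listing.
# The album_user_id= match now carries http_uri like its sibling rules (2011838, 2011840-2011842). Without
# the modifier it was matched against the raw payload instead of the normalized URI, so an encoded
# parameter name would have been handled differently from the rest of the family.
# NOTE(review): rev is left as found; bump it if this edit is carried into a managed ruleset.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; 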
content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011839; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011840; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011841; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; http_uri; content:"album_user_id="; nocase; http_uri; content:"album_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; 
classtype:web-application-attack; sid:2011842; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/baconmap/admin/updatelist.php?"; nocase; http_uri; content:"filepath="; http_uri; nocase; content:"../"; depth:200; reference:url,packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt; classtype:web-application-attack; sid:2011843; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/com_rwcards/rwcards.advancedate.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt; classtype:web-application-attack; sid:2011844; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/html/11-login.asp?"; nocase; http_uri; content:"intPassedLocationID="; nocase; http_uri; pcre:"/intPassedLocationID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,43865; classtype:web-application-attack; sid:2011845; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"uniqcode=KPI"; nocase; http_uri; content:"menu_no_top=performance"; nocase; http_uri; content:"uri="; nocase; http_uri; content:"../"; depth:200; 
reference:url,exploit-db.com/exploits/15232; classtype:web-application-attack; sid:2011846; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/real_estate/index.php?"; nocase; http_uri; content:"option=com_jomestate"; nocase; http_uri; content:"task="; nocase; http_uri; pcre:"/task=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/12835; classtype:web-application-attack; sid:2011847; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; content:".php?ver="; http_uri; content:"&cver="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\.php\?ver=\d\&cver=\d\&id=\d{5}$/U"; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp file download"; flow:established,to_server; content:"/cfg/"; http_uri; depth:5; content:".plug"; http_uri; classtype:trojan-activity; sid:2011850; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Carberp CnC Reply no tasks"; 
flow:established,from_server; file_data; content:"no tasks"; depth:8; classtype:trojan-activity; sid:2011851; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt"; flow:to_server,established; content:"/news/search.php3?"; nocase; http_uri; content:"bn="; nocase; http_uri; pcre:"/bn\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,44370; classtype:web-application-attack; sid:2011852; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de1adb1df396863e7e3967271e7db734; classtype:trojan-activity; sid:2011856; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye C&C Check-in URI"; flow:established,to_server; content:"guid="; http_uri; content:"ver="; http_uri; content:"stat="; http_uri; fast_pattern; content:"ie="; http_uri; content:"os="; http_uri; pcre:"/(\?|&)guid=[^!&]+?\!/U"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:trojan-activity; sid:2011857; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SPECIFIC_APPS Oracle Fusion Middleware BPEL Console Cross Site Scripting"; flow:established,to_server; content:"/BPELConsole/default/processLog.jsp"; nocase; depth:50; content:"processName="; nocase; within:100; pcre:"/processName\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,43954; reference:cve,2010-3581; 
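classtype:attempted-admin; sid:2011860; rev:2;)

# Layout: the rules in this span were collapsed onto shared physical lines and are
# restored one rule per line. The first line above is the tail of a rule that starts
# on the previous source line, and the last line of this span is the head of a rule
# that continues on the next source line; both are kept exactly as found.

# sid:2011861 - outbound GET whose URI contains controller.php, action=bot,
# entity_list=, uid= and guid= (all case-insensitive, any order).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab CnC URL Detected"; flow:established,to_server; content:"GET"; http_method; content:"controller.php"; nocase; http_uri; content:"action=bot"; nocase; http_uri; content:"entity_list="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"guid="; http_uri; nocase; reference:url,blog.fireeye.com/.a/6a00d835018afd53ef013488839529970c-pi; classtype:trojan-activity; sid:2011861; rev:3;)

# sid:2011862 - outbound POST carrying "AccountSummary" followed, in this order
# (distance:0 chains each match after the previous one), by userid:, password:,
# screenid: and origination:. These contents have no HTTP buffer modifier, so they
# are evaluated against the raw payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4;)

# sid:2011865 - DOS-stub string inside a server response body (file_data).
# Depends on the flowbit ET.pdf.in.http, which is set by a rule outside this span;
# if that setter rule is disabled or missing, this rule can never fire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:5;)

# sid:2011866 - "PDF-" within the first 300 payload bytes, later followed by
# x-shockwave-flash. The pcre accepts each letter of "application/" either literally
# or as a #hex name escape, so hex-escaped spellings of the MIME type still match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"x-shockwave-flash"; nocase; distance:0; pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i"; classtype:bad-unknown; sid:2011866; rev:2;)

# sid:2011867 - server response that references the CLSID below together with the
# extSetOwner method name.
# Changed: the pcre had lost its opening "<OBJECT\s+[^>" (the page extraction
# stripped it as if it were an HTML tag), leaving "/]*classid...", which compiles but
# no longer ties the classid attribute to an OBJECT element. The prefix is restored
# following the usual form of these ActiveX rules.
# NOTE(review): compare with the upstream copy of this sid before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:1;)

# sid:2011868 - "PDF-" within the first 300 payload bytes, later followed by
# app.setTimeOut( (case-insensitive).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; classtype:bad-unknown; sid:2011869_PLACEHOLDER_REMOVED; sid:2011868; rev:2;)

# sid:2011869 - Softek Barcode Reader Toolkit control instantiated through an OBJECT tag.
# Changed: as found, this rule was unusable. Everything between the first
# content:" and the middle of the pcre had been stripped by the page extraction, so
# a regex tail sat inside a content string. It is rebuilt from what survives: the
# CLSID in the pcre tail, and the OBJECT/classid structure that tail implies.
# NOTE(review): the original content options are not recoverable from this page and
# may have included further matches (for example a method name), so this rebuild can
# alert more broadly than upstream. Replace it with the upstream copy of the sid
# when available.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:1;)

# sid:2011870 - script-side instantiation of the same Softek control:
# ActiveXObject, then SoftekATL.CBarcode, plus the .DebugTraceFile member name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:1;)

# Outbound request to /SubmitWTF.asmx containing "codeSubmission"; the rule's
# closing options are on the next source line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; 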
classtype:policy-violation; sid:2011871; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Gbot)"; flow:established,to_server; content:"User-Agent|3a| gbot"; http_header; classtype:trojan-activity; sid:2011872; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; content:"editmenu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011875; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011876; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011877; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter INSERT INTO SQL Injection Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011878; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; fast_pattern; content:"editmenu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011879; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/bazar/picturelib.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; pcre:"/cat=\s*(ftps?|https?|php)\x3a\//Ui"; reference:cve,CVE-2010-2315; reference:url,exploit-db.com/exploits/12855/; classtype:web-application-attack; sid:2011880; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"owa_action="; nocase; http_uri; fast_pattern; content:"../"; depth:200; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011882; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt"; flow:established,to_server; 
content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"owa_do="; http_uri; nocase; fast_pattern; content:"../"; depth:200; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011883; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/loadplugin.php?"; nocase; http_uri; content:"load="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt; classtype:web-application-attack; sid:2011884; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webspell wCMS-Clanscript staticID Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"site=static"; nocase; http_uri; fast_pattern; content:"staticID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15152/; classtype:web-application-attack; sid:2011886; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Medusa User-Agent"; flow: established,to_server; content:"User-Agent|3A| Teh Forest Lobster"; fast_pattern:10,20; nocase; http_header; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.foofus.net/~jmk/medusa/medusa.html; classtype:attempted-recon; sid:2011887; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; 
reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; urilen:16<>402; content:"GET"; nocase; http_method; content:"Accept-Language|3a| "; http_header; depth:17; content:!"Accept|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE"; fast_pattern:23,18; http_header; content:"Host|3a| "; distance:0; http_header; content:"|3a| no-cache"; distance:0; http_header; pcre:"/^\/[a-z0-9+\/=]{16,400}$/Ui"; classtype:trojan-activity; sid:2011894; rev:18;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS exploit kit x/load/svchost.exe"; flow:established,to_server; content:"GET"; http_method; content:"load/svchost.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011906; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; fast_pattern:only; 
pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:4;) alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:bad-unknown; sid:2011911; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Fake AV Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0)|0d 0a|"; http_header; content:"data="; fast_pattern; http_client_body; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; classtype:trojan-activity; sid:2011912; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DirBuster Scan in Progress"; flow:established,to_server; content:"/thereIsNoWayThat-You-CanBeThere"; nocase; http_uri; threshold: type limit, track by_src,count 1, seconds 60; reference:url,www.owasp.org/index.php/Category%3aOWASP_DirBuster_Project; classtype:attempted-recon; sid:2011914; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DotDotPwn User-Agent"; flow:established,to_server; content:"User-Agent|3A| DotDotPwn"; nocase; http_header; threshold:type limit, track by_src,count 1, seconds 60; reference:url,dotdotpwn.sectester.net; classtype:attempted-recon; sid:2011915; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; file_data; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; 
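sid:2011917; rev:3;)

# Layout: the rules in this span were collapsed onto shared physical lines and are
# restored one rule per line. The first line above is the tail of a rule that starts
# on the previous source line, and the last line of this span is the head of a rule
# that continues on the next source line; both are kept exactly as found.

# sid:2011921 - server response containing ".hdd_icon" unless the payload also
# contains nmap.org or seclists.org (presumably false-positive exclusions).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon"; flow:established,to_client; content:".hdd_icon"; content:!"nmap.org"; content:!"seclists.org"; classtype:bad-unknown; sid:2011921; rev:6;)

# sid:2011922 - response body (file_data) with "encrypt: function(m, e, n)" inside
# its first 64 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download"; flow:established,from_server; file_data; content:"encrypt|3a| function|28|m, e, n|29|"; depth:64; classtype:bad-unknown; sid:2011922; rev:4;)

# sid:2011924 - outbound request whose headers contain ") Havij" immediately followed
# by CRLF and "Connection: ". Direction is HOME_NET to EXTERNAL_NET, so a hit points
# at an internal host running the tool.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:2;)

# sid:2011925 - outbound URI of the shape .php?id=<15+ letters>, x=<digits>,
# os=<digits and dots>, n=<digit>; the "&" separators are optional in the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue AV Downloader concat URI"; flow:established,to_server; content:".php?id="; http_uri; content:"x="; http_uri; content:"os="; http_uri; content:"n="; http_uri; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d/U"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:5;)

# sid:2011926 - outbound payload containing ") X-Tag/" (raw payload, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:4;)

# sid:2011927 - /index.php request carrying pageid=, mailform_send=, confirm_value=
# and mailform_1= where mailform_1 is followed by script / on* handler / style= text.
# Changed: mailform_1= now carries http_uri like the other parameter matches in the
# rule; it had no buffer modifier and was evaluated against the raw payload instead.
# NOTE(review): local edit to a vendor rule with sid/rev unchanged; track it in your
# rule-management overrides so an update does not revert it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"mailform_send="; nocase; http_uri; content:"confirm_value="; nocase; http_uri; content:"mailform_1="; nocase; http_uri; pcre:"/mailform_1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/1008-exploits/siteloomcms-xss.txt; classtype:web-application-attack; sid:2011927; rev:2;)

# sid:2011928 - GET to thumbnailformpost.inc.php with adminlangfile= and a "../"
# sequence. The "../" content has no buffer modifier, so it is checked against the
# first 200 bytes of the raw payload, not the normalized URI (presumably because
# normalization would collapse the traversal - confirm for your engine).
# Coverage caveat: only the literal "../" is matched; percent-encoded or backslash
# forms of the same traversal are not seen by this option.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/thumbnailformpost.inc.php?"; nocase; http_uri; content:"adminlangfile="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15345/; classtype:web-application-attack; sid:2011928; rev:2;)

# sid:2011929 - GET to com_banners/banners.class.php where mosConfig_absolute_path=
# is followed by an ftp(s)/http(s)/php scheme.
# Changed: mosConfig_absolute_path= now carries http_uri, matching the path content
# before it and the /U pcre after it; it previously fell back to the raw payload.
# NOTE(review): local edit to a vendor rule with sid/rev unchanged.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_banners/banners.class.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/1010-exploits/joomlabanners-rfi.txt; classtype:web-application-attack; sid:2011929; rev:2;)

# sids 2011930-2011934 - Interactive Web Solutions site_info.php SQL-injection family.
# Each variant requires a GET to /site_info.php? with siid= in the URI and one SQL
# keyword pair, whose order is enforced by the pcre on the normalized URI.

# sid:2011930 - SELECT ... FROM variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011930; rev:2;)

# sid:2011931 - DELETE ... FROM variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011931; rev:2;)

# sid:2011932 - UNION ... SELECT variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011932; rev:3;)

# sid:2011933 - INSERT ... INTO variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011933; rev:2;)

# sid:2011934 - UPDATE ... SET variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/site_info.php?"; nocase; http_uri; content:"siid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011934; rev:3;)

# sid:2011935 - GET to admin.joomlaxplorer.php where mosConfig_absolute_path= is
# followed by an ftp(s)/http(s)/php scheme.
# Changed: the legacy forms (content:"GET " with depth:4, and uricontent) are
# rewritten as content + http_method / http_uri, the form every other rule in this
# span uses. Method matching now relies on the HTTP parser instead of the first four
# payload bytes.
# NOTE(review): local edit to a vendor rule with sid/rev unchanged.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/1011-exploits/joomlaxplorer-rfi.txt; classtype:web-application-attack; sid:2011935; rev:3;)

# sid:2011936 - GET to /classes/BxDolGzip.php with file= and a literal "../" in the
# first 200 bytes of the raw payload. Same raw-buffer match and same coverage caveat
# as the TFTgallery rule above: encoded traversal forms are not matched.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/classes/BxDolGzip.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/42108; reference:url,exploit-db.com/exploits/15400/; classtype:web-application-attack; sid:2011936; rev:2;)

# sids 2011938 / 2011939 - outbound request to a .php? URI whose User-Agent starts
# "Mozilla/4.0 (compatible; MSIE " directly after the request line, followed by a
# Host header, with no Referer header. The HTTP/1.1 variant also requires that no
# "Connection: " header is present.
# NOTE(review): the first content begins with the request-line suffix " HTTP/1.x" but
# is bound to http_header. Confirm that your engine's header buffer includes the
# request line; if it does not, that content cannot match and neither rule can fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:trojan-activity; sid:2011938; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:trojan-activity; sid:2011939; rev:3;)

# Inbound request for /exec_raw.php with cmd= in the URI; the rule's closing options
# are on the next source line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt"; flow:established,to_server; content:"/exec_raw.php"; http_uri; fast_pattern; nocase; content:"cmd="; http_uri; nocase; 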
reference:bid,44974; classtype:web-application-attack; sid:2011940; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/module.php?"; nocase; http_uri; content:"module=osTicket"; nocase; http_uri; content:"file="; http_uri; nocase; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/95646/osticket-lfi.txt; classtype:web-application-attack; sid:2011941; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php?"; nocase; http_uri; content:"gid="; http_uri; nocase; pcre:"/gid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42195; classtype:web-application-attack; sid:2011942; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011943; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; 
pcre:"/DELETE.+FROM/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011944; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011945; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011946; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/filemgmt/singlefile.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011947; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/awcm/includes/window_top.php?"; nocase; http_uri; content:"theme_file="; nocase; http_uri; pcre:"/theme_file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15510/; 
classtype:web-application-attack; sid:2011948; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/awcm/control/common.php?"; nocase; http_uri; content:"lang_file="; http_uri; nocase; pcre:"/lang_file=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011949; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/awcm/header.php?"; nocase; http_uri; content:"theme_file="; nocase; http_uri; pcre:"/theme_file=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011950; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious bot.exe Request"; flow:established,to_server; content:"GET"; http_method; content:"/bot.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=19eylulmusikicemiyeti.com; classtype:trojan-activity; sid:2011967; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup C2 Post-infection Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/html/license_"; http_uri; nocase; pcre:"/\/html\/license_[0-9A-F]{550,}\.html/Ui"; classtype:trojan-activity; sid:2011969; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Metasploit WMAP GET len 0 and type"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Content-Type|3A| text/plain|0d 0a|Content-Length|3A| 0|0d 0a|"; http_header; fast_pattern:25,20; threshold: type limit, track by_src,count 1,seconds 60; classtype:attempted-recon; sid:2011974; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN RatProxy 
in-use"; flow:established,to_server; content:"X-Ratproxy-Loop|3A| "; http_header; fast_pattern:only; threshold: type limit, track by_src,count 1, seconds 60; classtype:attempted-recon; sid:2011975; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"ET SCADA RealWin SCADA System Buffer Overflow"; flow:established,to_server; content:"|64 12 54 6a|"; depth:4; content:"|00 00 00 f4 1f 00 00|"; distance:1; within:7; isdataat:220; content:!"|0a|"; distance:0; pcre:"/\x64\x12\x54\x6a[\x20\x10\x02]\x00\x00\x00\xf4\x1f\x00\x00/"; reference:url,www.exploit-db.com/exploits/15337/; classtype:attempted-dos; sid:2011976; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious flash_player.exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/flash_player.exe"; http_uri; reference:url,www.malwareurl.com/listing.php?domain=newpornmov.info; classtype:bad-unknown; sid:2011982; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Softbiz Article Directory Script sbiz_id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/server/article_details.php?"; nocase; http_uri; content:"sbiz_id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; http_uri; nocase; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/14910/; classtype:web-application-attack; sid:2011987; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious executable download adobe-flash.v"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adobe-flash.v"; nocase; http_uri; pcre:"/adobe-flash\.v\.\d{5}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=realmultimediaonline.com; classtype:bad-unknown; sid:2011989; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV Gemini systempack exe download"; flow:established,to_client; 
content:"Content-Disposition|3a| attachment|3b| filename=systempack"; http_header; classtype:trojan-activity; sid:2011991; rev:2;) alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious invoice.scr Download Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Darkness DDoS Bot Checkin"; flow:established,to_server; content:".php?uid="; nocase; http_uri; content:"&ver="; distance:0; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(&traff=\d+)?$/U"; content:"User-Agent|3a 20|darkness"; http_header; fast_pattern; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:url,ef.kaffenews.com/?p=833; reference:url,www.threatexpert.com/report.aspx?md5=55edeb8742f0c38aaa3d984eb4205c68; reference:url,www.threatexpert.com/report.aspx?md5=60c84bb1ca03f80ca385f16946322440; reference:url,www.threatexpert.com/report.aspx?md5=7fcebf5bd67cede35d08bedd683e3524; reference:url,www.threatexpert.com/report.aspx?md5=778113cc4e758ed65de0123bb79cbd1f; classtype:trojan-activity; sid:2011996; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; 
content:"|0d 0a|Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"|0d 0a|Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ASKTOOLBAR.DLL Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/toolbarv/askBarCfg?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=3f6413475b1466964498c8450de4062f; classtype:trojan-activity; sid:2012000; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012001; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012002; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; 
content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012003; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012004; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cart.php?"; nocase; http_uri; content:"m=features"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012005; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt"; flow:to_server,established; content:"GET"; http_method; content:"/Base/example_1.php?"; nocase; http_uri; content:"GLOBALS[MM_ROOT_DIRECTORY]="; http_uri; nocase; pcre:"/GLOBALS\[MM_ROOT_DIRECTORY\]=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15441/; classtype:web-application-attack; sid:2012006; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; http_uri; 
content:"skin_file="; http_uri; nocase; pcre:"/skin_file=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012007; rev:2;)
# sid 2012008 - phpCow skin_file local file inclusion attempt.
# Requires a GET whose URI contains the templateie_install.class.php path and
# "skin_file=" (both case-insensitive, URI buffer), plus a literal "../".
# The "../" content carries no http_uri modifier: it is matched against the
# first 200 bytes of the raw payload and is not tied to the position of the
# skin_file parameter, so any traversal sequence early in the request counts.
# Only the literal form is covered here; encoded traversal needs its own rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; http_uri; content:"skin_file="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012008; rev:2;)
# sid 2012009 - WordPress FeedList handler_image.php reflected XSS attempt.
# No http_method check, so any request method to this path is inspected.
# The pcre runs on the URI buffer (U) case-insensitively (i) and fires when
# "i=" is followed, anywhere later in the URI, by "script", one of the listed
# on* event-handler names, or "style=".
# NOTE(review): "i=" is a two-byte anchor and also occurs as the tail of longer
# parameter names; the path content keeps the rule scoped to this plugin, but
# expect benign hits if other parameters on that page carry the keywords.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/feedlist/handler_image.php?"; nocase; http_uri; content:"i="; nocase; http_uri; pcre:"/i\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42197/; reference:url,johnleitch.net/Vulnerabilities/WordPress.Feed.List.2.61.01.Reflected.Cross-site.Scripting/56; classtype:web-application-attack; sid:2012009; rev:2;)
# sid 2012010 - Zen Cart loader_file local file inclusion attempt.
# Same shape as sid 2012008: path and parameter name are matched in the URI
# buffer, while "../" is a raw-payload match limited to the first 200 bytes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/initsystem.php?"; nocase; http_uri; content:"loader_file="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/42101/; classtype:web-application-attack; sid:2012010; rev:2;)
# Horde IMP fetchmailprefs.php XSS rule: starts here, its remaining options
# are on the next physical line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/fetchmailprefs.php?"; nocase; http_uri; 
content:"actionID=fetchmail_prefs_save"; nocase; http_uri; content:"fm_driver=imap"; nocase; http_uri; content:"fm_id="; http_uri; nocase; pcre:"/fm_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/94299/hordeimp-xss.txt; classtype:web-application-attack; sid:2012011; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/api/download_launch.php?"; nocase; http_uri; content:"filename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/13966/; classtype:web-application-attack; sid:2012012; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/components/com_smf/smf.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/view/95510/mambosmf-rfi.txt; classtype:web-application-attack; sid:2012013; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jimtawl"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"task="; http_uri; nocase; content:"../"; depth:200; reference:url,expbase.com/WebApps/13388.html; reference:url,secunia.com/advisories/42324/; classtype:web-application-attack; sid:2012014; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
WebRCSdiff viewver.php File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/viewver.php?"; http_uri; nocase; content:"doc_root="; http_uri; nocase; pcre:"/doc_root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,expbase.com/WebApps/13387.html; reference:url,xforce.iss.net/xforce/xfdb/63343; classtype:web-application-attack; sid:2012015; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012016; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012017; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; 
reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012018; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012019; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"view=catalog"; nocase; http_uri; content:"item_type=M"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012020; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jSchool Advanced id_gallery Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"action=gallery.list"; nocase; http_uri; content:"id_gallery="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/15595/; reference:url,secunia.com/advisories/42334/; classtype:web-application-attack; sid:2012021; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced 
Component Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_cbe"; nocase; http_uri; content:"task=userProfile"; nocase; http_uri; content:"user="; nocase; http_uri; content:"ajaxdirekt="; nocase; http_uri; content:"tabname="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15222/; classtype:web-application-attack; sid:2012022; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/Forms/home_1?"; nocase; http_uri; content:"HomeCurrent_Date="; nocase; http_uri; pcre:"/HomeCurrent_Date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42344/; reference:url,archives.neohapsis.com/archives/bugtraq/2010-11/0190.html; classtype:web-application-attack; sid:2012023; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/gbookmx/gbook.php?"; nocase; http_uri; content:"newlangsel="; nocase; http_uri; pcre:"/newlangsel=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/10986/; classtype:web-application-attack; sid:2012024; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?"; nocase; http_uri; content:"filesec=sitemap"; nocase; http_uri; content:"filetype=text"; nocase; http_uri; content:"file="; nocase; http_uri; content:"..//"; depth:200; 
reference:url,packetstormsecurity.org/files/view/95644/seopanel-disclose.txt; classtype:web-application-attack; sid:2012025; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012026; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012027; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012028; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; 
content:"tid2="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012029; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/takefreestart.php?"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"tid2="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012030; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/esqueletos/skel_null.php?"; nocase; uricontent:"ABTPV_BLOQUE_CENTRAL="; nocase; pcre:"/ABTPV_BLOQUE_CENTRAL=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012031; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/esqueletos/skel_null.php?"; nocase; http_uri; content:"ABTPV_BLOQUE_CENTRAL="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012032; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/login.php?"; nocase; http_uri; content:"default_login_language="; http_uri; nocase; content:"../"; 
depth:200; reference:url,secunia.com/advisories/39144/; reference:url,1337db.com/exploits/11446; classtype:web-application-attack; sid:2012033; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012034; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012035; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012036; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter INSERT INTO SQL Injection Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012037; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod.php?"; nocase; http_uri; content:"mod=publisher"; nocase; http_uri; content:"op=printarticle"; nocase; http_uri; content:"artid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012038; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Car Portal car Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"page=en_Home"; nocase; http_uri; content:"car="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/15135/; classtype:web-application-attack; sid:2012039; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/en/front_content.php?"; nocase; http_uri; content:"idart="; nocase; http_uri; pcre:"/idart\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42440/; classtype:web-application-attack; sid:2012040; 
rev:2;)
# sids 2012041-2012044 - percent-encoded JavaScript primitives in server
# responses. Each rule is a single case-insensitive content match on the
# to_client side of an established flow from $HTTP_PORTS. There is no file_data
# or http_* modifier, so the match is on the raw stream bytes; fast_pattern:only
# hands the whole string to the fast pattern matcher.
# classtype is bad-unknown: the encoded string is an obfuscation indicator, not
# proof of exploitation, so triage against the surrounding page content.
#
# sid 2012041 - content decodes to "String.fromCharCode" (%XX form).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:1;)
# sid 2012042 - same string in %uXX form.
# NOTE(review): the msg calls this "UTF-8", but the pattern is the %u escape
# notation; the msg text is left as-is because alert consumers may key on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding"; flow:established,to_client; content:"%u53%u74%u72%u69%u6e%u67%u2e%u66%u72%u6f%u6d%u43%u68%u61%u72%u43%u6f%u64%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012042; rev:2;)
# sid 2012043 - content decodes to "charCodeAt" (%XX form).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding"; flow:established,to_client; content:"%63%68%61%72%43%6f%64%65%41%74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012043; rev:2;)
# sid 2012044 - "charCodeAt" in %uXX form (same msg caveat as sid 2012042).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding"; flow:established,to_client; content:"%u63%u68%u61%u72%u43%u6f%u64%u65%u41%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012044; rev:1;)
# VMware Tools update command-injection rule: inbound POST to $HTTP_PORTS that
# carries "exec:" followed later by "args:" in the raw payload. The rule text
# continues on the next physical line of this listing.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; 
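distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:4;)
# sid 2012051 - TFTPGUI long transport-mode overflow (UDP/69, inbound).
# |00 02| in the first two bytes is TFTP opcode 2 (write request). The next
# content finds the NUL that ends the filename within 50 bytes, and the negated
# content then requires that no NUL follows within the next 9 bytes, i.e. the
# mode string is longer than the standard mode names allow.
# No flow keyword: this is a single-datagram UDP match.
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET TFTP TFTPGUI Long Transport Mode Buffer Overflow"; content:"|00 02|"; depth:2; content:"|00|"; distance:0; within:50; content:!"|00|"; distance:0; within:9; reference:url,www.exploit-db.com/exploits/12482/; reference:url,packetstormsecurity.org/files/view/96395/tftputilgui-dos.rb.txt; reference:url,securityfocus.com/bid/39872/; classtype:attempted-dos; sid:2012051; rev:2;)
# sid 2012052 - WinZip 15.0 WZFLDVW.OCX ActiveX, IconIndex property.
# Response must contain "clsid", the control's CLSID, and a quoted "IconIndex"
# after the CLSID; the pcre then confirms the CLSID sits in a classid attribute.
# FIX(review): the pcre in this listing began with "]*", which means the
# opening "<object\s*[^>" had been lost (it looks like it was stripped as an
# HTML tag when the page was extracted). Without it the expression no longer
# anchors on an object tag. Restored below; verify against the upstream rule
# before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|IconIndex|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15695/; classtype:misc-attack; sid:2012052; rev:1;)
# sid 2012053 - same control, Text property. Same pcre repair as sid 2012052.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|Text|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15694/; classtype:misc-attack; sid:2012053; rev:1;)
# sid 2012054 - Exim "HeaderX" with run{ (SMTP/25, inbound).
# Fires on CRLF + "HeaderX: " (case-insensitive) followed anywhere later in the
# payload by "run{". classtype attempted-admin: treat hits on Exim hosts as
# high priority and check the MTA version and logs.
# NOTE(review): the second reference host "eclists.org" looks like a typo for
# seclists.org; left unchanged, confirm against the upstream rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3;)
# JDownloader web interface rule (TCP/8765): starts here, its options are on
# the next physical line of this listing.
alert tcp any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader 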
Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:1;)
# sid 2012057 - VMware 2 web server directory traversal (TCP/8307, inbound).
# The hex content is the literal "/../../../" and must appear in the first 60
# bytes of the client payload. Only this literal, three-level form is matched.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:1;)
# sid 2012058 - HP LaserJet PJL directory traversal (TCP/9100, inbound).
# Payload must start with ESC "%-" (|1b 25 2d|), then have " () PJL " within
# the next 25 bytes, then "FSDIRLIST NAME=" (case-insensitive) followed within
# 25 bytes by the quoted path prefix "0:\..\..\.. (|22|0|3a 5c 2e 2e ...|).
# NOTE(review): the msg spells the interface "PLJ" while the matched bytes
# |50 4a 4c| spell "PJL"; msg left unchanged because alert consumers may key
# on it.
# Port 9100 is rarely meant to be reachable from $EXTERNAL_NET; a hit is also
# a prompt to review printer network exposure.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; distance:0; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; distance:0; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:1;)
# sid 2012059 - content decodes to "document.write" (%XX form). Raw-stream,
# case-insensitive match on server responses; obfuscation indicator only
# (classtype bad-unknown).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write % Encoding"; flow:established,to_client; content:"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012059; rev:1;)
# sid 2012060 - "document.write" in %uXX form.
# NOTE(review): the msg says "UTF-8" but the pattern is the %u escape notation.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8 Encoding"; flow:established,to_client; content:"%u64%u6f%u63%u75%u6d%u65%u6e%u74%u2e%u77%u72%u69%u74%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012060; rev:1;)
# Next WEB_CLIENT rule starts here; its msg and options are on the next
# physical line of this listing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT 
Hex Obfuscation of arguments.callee % Encoding"; flow:established,to_client; content:"%61%72%67%75%6d%65%6e%74%73%2e%63%61%6c%6c%65%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012061; rev:1;)
# sid 2012062 - content decodes to "arguments.callee" in %uXX form.
# Raw-stream, case-insensitive match on server responses; obfuscation
# indicator only (classtype bad-unknown).
# NOTE(review): the msg says "UTF-8" but the pattern is the %u escape notation.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8 Encoding"; flow:established,to_client; content:"%u61%u72%u67%u75%u6d%u65%u6e%u74%u73%u2e%u63%u61%u6c%u6c%u65%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012062; rev:1;)
# sid 2012063 - SRV2.SYS SMB Negotiate (CVE-2009-3103), TCP/445 inbound.
# |FF 53 4d 42 72| at offset 4 is the SMB header magic plus command byte 0x72,
# after a 4-byte session header. The second content requires the two bytes
# |00 26| exactly 7 bytes after the command byte.
# NOTE(review): by SMB header layout that position is presumably the
# ProcessIDHigh field named in the msg; only the value 00 26 is matched, so
# this is a signature for one specific value rather than for any non-zero
# field. Patch status (MS09-050, referenced below) is the real control.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3;)
# sid 2012064 - Foxit PDF Reader long /Title value.
# file_data moves the cursor to the response body; the rule then needs "PDF-"
# within the first 4 bytes, a later "/Title" (case-insensitive), at least 540
# bytes of data after it, and no line feed (|0A|) in those 540 bytes.
# NOTE(review): "PDF-" is itself 4 bytes, so within:4 forces it to start at the
# first body byte, whereas a file that begins with "%PDF-" has it one byte
# later. Confirm with a test capture that the rule fires as intended.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; file_data; content:"PDF-"; within:4; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:3;)
# Aigaion indexlight.php UNION SELECT rule: starts here with the path and the
# page/type/format parameters; the remaining options are on the next physical
# line of this listing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; 
content:"ID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012065; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012066; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Profi Einzelgebots Auktions System auktion_text.php Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/auktion/auktion_text.php?"; nocase; http_uri; content:"id_auk="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12005/; classtype:web-application-attack; sid:2012068; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upgrade_unattended.php?"; nocase; http_uri; content:"db_type="; nocase; http_uri; content:"..%2f"; depth:200; reference:url,exploit-db.com/exploits/15736/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012069; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
MantisBT db_type Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/upgrade_unattended.php?"; nocase; http_uri; content:"db_type="; nocase; http_uri; pcre:"/db_type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/15735/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012070; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/session.cgi?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"app=urchin.cgi"; nocase; http_uri; content:"action=prop"; nocase; http_uri; content:"rid="; nocase; http_uri; content:"n="; nocase; http_uri; content:"vid="; nocase; http_uri; content:"dtc="; nocase; http_uri; content:"cmd="; nocase; http_uri; content:"gfid="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15737/; classtype:web-application-attack; sid:2012071; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?"; nocase; http_uri; content:"v1="; nocase; http_uri; pcre:"/v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/42544; classtype:web-application-attack; sid:2012072; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; 
content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012073; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/indexlight.php?"; nocase; http_uri; content:"page=export"; nocase; http_uri; content:"type=single"; nocase; http_uri; content:"format=RIS"; nocase; http_uri; content:"ID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012074; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:url,www.threatexpert.com/report.aspx?md5=df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Goatzapszu Header from unknown Scanning Tool"; flow:established,to_server; content:"Goatzapszu|3a|"; nocase; http_header; classtype:attempted-recon; sid:2012077; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Outbound"; flow:established; content:"|16 03 00|"; content:"|00 5c|"; distance:0; content:"|c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e 
c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012078; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2"; flow:established; content:"|16 03 00|"; content:"|00 26|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012079; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3"; flow:established; content:"|16 03 00|"; content:"|00 34|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012080; rev:4;) alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:to_client,established; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; distance:0; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Flowbits Set"; flow:to_client,established; 
content:"NtDllImageBase|22|"; nocase; content:"getModuleInfos|28|"; distance:0; content:"|27|ntdll.dll|27|"; nocase; within:50; flowbits:set,NtDll.ImageBase.Module.Called; flowbits:noalert; classtype:not-suspicious; sid:2012085; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; fast_pattern:only; 
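reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:2;)
# SMB Trans2 request to port 445: bytes FF "SMB" 32 at offset 4, followed by fixed-distance byte patterns (CVE-2010-2550 / MS10-054 per the references).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:to_server,established; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:2;)
# J-Integra ActiveX: server-to-client content naming CLSID F21507A7-530F-4A89-8FE4-9D989670FD2C plus a call to one of four permission methods.
# Fix: the method list was written inside [...], which PCRE reads as a character class, so the second pcre matched "."
# followed by any single listed character. It is now a non-capturing alternation of the four method names.
# NOTE(review): the classid pcre here and in the other ACTIVEX rules below begins with "]*", which looks like the remains
# of a stripped "<OBJECT ... [^>" prefix, and "(\s|)" may have lost a ">" - compare with the upstream rule before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e(?:RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission)/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3;)
# RealWin SCADA server, port 910: fixed 8-byte prefix, a 10-byte pattern right after it, then at least 744 more bytes
# with no 0x0a among them (isdataat plus the negated content).
alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; distance:0; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:1;)
# WMITools ActiveX: CLSID 2745E5F5-D234-11D0-847A-00C04FD7BB08 followed by ".AddContextRef".
# Fix: the quote class was [\x22|\x27], which also accepts a literal "|"; it is now [\x22\x27] as in the other ACTIVEX rules of this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WMITools ActiveX Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; content:"|2e|AddContextRef"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15809/; classtype:attempted-user; sid:2012097; rev:2;)
# J-Integra SetIdentity: CLSID 8234E54E-20CB-4A88-9AB6-7986F99BE243 followed by ".SetIdentity". Same quote-class fix as above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2;)
# Joomla Billy Portfolio: GET /index.php? with option=com_billyportfolio, view=billyportfolio and catid= in the URI,
# plus "and ... if(" anywhere in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; http_uri; nocase; content:"option=com_billyportfolio"; nocase; http_uri; content:"view=billyportfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; pcre:"/and.*if\(/Ui"; reference:url,exploit-db.com/exploits/15721/; classtype:web-application-attack; sid:2012099; rev:3;)
# NOTE(review): the text below is damaged. The Oracle Java rule (which tests the flowbit NtDll.ImageBase.Module.Called)
# breaks off inside its last content:" and runs straight into the port and msg of the Oracle Virtual Server Agent rule
# (sid:2012101). The closing options of the first rule and the header of the second are missing, so neither will load
# as written. Restore both from the upstream ruleset; the text is left byte-for-byte here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:" $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; distance:0; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; distance:0; within:400; content:"|3c|param| 3e|"; distance:0; 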
content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; distance:0; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; distance:0; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AdVantage)"; flow:established,to_server; content:"User-Agent|3A| AdVantage"; http_header; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012104; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdVantage Malware URL Infection 
Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding"; flow:established,to_client; content:"%u6172%u6775%u6d65%u6e74%u732e%u6361%u6c6c%u6565"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012106; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding"; flow:established,to_client; content:"%u646f%u6375%u6d65%u6e74%u2e77%u7269%u7465"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012107; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-16 Encoding"; flow:established,to_client; content:"%u6368%u6172%u436f%u6465%u4174"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012108; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-16 Encoding"; flow:established,to_client; content:"%u5374%u7269%u6e67%u2e66%u726f%u6d43%u6861%u7243%u6f64%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012109; rev:3;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90"; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-1"; flow:established,to_server; content:"GET"; http_method; content:"/tzl/tzl.php?"; nocase; http_uri; content:"hl="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9; reference:url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc; classtype:trojan-activity; sid:2012113; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; 
http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9; reference:url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc; classtype:trojan-activity; sid:2012114; rev:3;) alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER DD-WRT Information Disclosure Attempt"; flow:established,to_server; content:"/Info.live.htm"; nocase; http_uri; flowbits:set,et.ddwrt.infodis; reference:url,www.exploit-db.com/exploits/15842/; classtype:attempted-recon; sid:2012116; rev:3;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1"; 
flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/deco/blanc/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012122; classtype:web-application-attack; sid:2012122; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/deco/blanc/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012123; classtype:web-application-attack; sid:2012123; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/blanc/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012124; classtype:web-application-attack; sid:2012124; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/blanc/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012125; classtype:web-application-attack; sid:2012125; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5"; flow:established,to_server; 
content:"GET"; http_method; content:"/modules/maticmarket/bleu/default/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012126; classtype:web-application-attack; sid:2012126; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/default/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012127; classtype:web-application-attack; sid:2012127; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/gold/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012128; classtype:web-application-attack; sid:2012128; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/gold/bas.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012129; classtype:web-application-attack; sid:2012129; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; 
http_method; content:"/pingsvr.php?"; nocase; http_uri; content:"mybloggie_root_path="; nocase; http_uri; pcre:"/mybloggie_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/96805/mybloggie216-rfi.txt; reference:url,doc.emergingthreats.net/2012130; classtype:web-application-attack; sid:2012130; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_seyret"; nocase; http_uri; content:"task=videodirectlink"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/14172/; reference:url,doc.emergingthreats.net/2012131; classtype:web-application-attack; sid:2012131; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:3;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt"; flow:to_server,established; content:"|0d 0a|ORGANIZER"; content:"mailto|3a|"; nocase; within:50; isdataat:2000,relative; content:!"|0a|"; within:2000; reference:url,www.exploit-db.com/exploits/15005/; reference:cve,2010-3407; classtype:attempted-user; sid:2012135; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request 
detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:12;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Storm/Waledac 3.0 Checkin 2"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"Host|3a| "; content:"Content-Length|3a| "; content:".htm HTTP/1.1"; content:"|01 02 01 01|"; fast_pattern; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:trojan-activity; sid:2012139; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:4;) alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active"; ip_proto:41; threshold:type both,track by_dst, count 1, seconds 60; reference:url,en.wikipedia.org/wiki/6in4; classtype:policy-violation; sid:2012141; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set"; flow:established,to_client; flowbits:set,ET.AVI.RIFF.Chunk; content:"|52 49 46 46|"; content:"|41 56 49 20|"; distance:4; within:4; flowbits:noalert; classtype:not-suspicious; sid:2012142; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; 
distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; distance:0; within:20; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; distance:0; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; distance:0; within:20; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; 
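classtype:attempted-user; sid:2012147; rev:6;)
# dBpowerAMP ActiveX: CLSID BECB8EE1-6BBB-4A85-8DFD-099B7A60903A followed by ".Enque".
# NOTE(review): msg names the FileExists method while the content match is on ".Enque" - confirm which method this rule is meant to key on.
# NOTE(review): the pcre begins with "]*", which looks like the remains of a stripped "<OBJECT ... [^>" prefix - compare with the upstream rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:5;)
# MS10-090 IE CSS: three occurrences of "@import" encoded as two-byte characters (40 00 69 00 ...), then the pcre on the text after one of them.
# Fix: reference:cve now carries the bare identifier, as the other rules in this file do (e.g. cve,2010-0480); the extra "CVE-" prefix
# produced a doubled prefix in anything that builds the CVE name from the reference type.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded"; flow:to_client,established; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; pcre:"/@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]/sG"; reference:cve,2010-3971; reference:url,breakingpointsystems.com/community/blog/ie-vulnerability/; reference:bid,45246; classtype:attempted-admin; sid:2012149; rev:4;)
# PHP floating-point DoS: the literal 2.2250738585072011e-308 in the request URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI"; flow:established,to_server; content:"2.2250738585072011e-308"; http_uri; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012150; rev:2;)
# Same literal, matched in the request body instead of the URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound"; flow:established,to_server; content:"2.2250738585072011e-308"; http_client_body; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012151; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set"; flow:established,to_client; flowbits:set,DXF.Ext.Access; content:"|20 20 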
30|"; content:"|0A 53 45 43 54 49 4F 4E|"; within:10; content:"|20 20 32|"; within:5; content:"|48 45 41 44 45 52|"; distance:0; content:"|0a|"; within:2; flowbits:noalert; classtype:not-suspicious; sid:2012152; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3;) alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; 
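content:"WBEM.SingleViewCtrl.1"; nocase; distance:0; pcre:"/WBEM\x2ESingleViewCtrl\x2E1.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; classtype:attempted-user; sid:2012157; rev:1;)
# sid 2012158 - WMI Administration Tools WEBSingleView.ocx, matched by CLSID inside an <OBJECT> tag.
# Inspects the server-to-client HTTP body (file_data). The CLSID content is the anchor; the pcre then
# requires a classid attribute carrying that CLSID, followed anywhere later in the buffer (/s lets .+
# cross newlines) by AddContextRef or ReleaseContext.
# NOTE(review): the page text of this pcre began at `]*classid`; the `<OBJECT\s+[^>` prefix is restored
# from the usual ET ActiveX classid template (markup stripping is the likely cause). Confirm against the
# upstream copy of this sid before deploying.
# NOTE(review): the cve reference here carries a `CVE-` prefix, while other rules in this file use the
# bare id (e.g. cve,2010-3749); check how the reference URL is built in your reference.config.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2;)
# sid 2012159 - informacion_general.php, SELECT ... FROM in the URI of a GET request.
# All URI matches run on the normalized URI (http_uri, pcre /U) and are case-insensitive. The keyword
# pair is not tied to the value of id=, so any GET to this script whose URI contains SELECT followed
# later by FROM alerts; expect noise from benign parameters that happen to contain both words.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012160; rev:3;)
# sid 2012160 - same script, DELETE ... FROM variant.
# NOTE(review): FROM is matched with the legacy `uricontent` keyword while the other options use
# content + http_uri; both inspect the normalized URI, so this is a spelling difference only. Left as
# shipped so the rule stays in step with its rev.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012160; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS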
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012161; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012162; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/informacion_general.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012163; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/accept-signups/accept-signups_submit.php?"; nocase; http_uri; content:"email="; nocase; http_uri; 
pcre:"/email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96928/wpsignups-xss.txt; classtype:web-application-attack; sid:2012164; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/blocks/file/controller.php?"; nocase; http_uri; content:"DIR_FILES_BLOCK_TYPES_CORE="; nocase; http_uri; pcre:"/DIR_FILES_BLOCK_TYPES_CORE=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,45669; classtype:web-application-attack; sid:2012165; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/com_xmovie/helpers/img.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/96996/xmovie-fli.txt; classtype:web-application-attack; sid:2012166; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ndCMS editor.aspx index Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/express_edit/editor.aspx?"; nocase; http_uri; content:"index="; nocase; http_uri; content:"AND"; nocase; http_uri; content:"IF"; nocase; http_uri; pcre:"/AND.*IF\(/Ui"; reference:url,exploit-db.com/exploits/15124/; classtype:web-application-attack; sid:2012167; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tiki-jsplugin.php?"; nocase; http_uri; content:"plugin="; nocase; 
http_uri; content:"language="; nocase; http_uri; content:"../"; depth:200; reference:url,johnleitch.net/Vulnerabilities/Tiki.Wiki.CMS.Groupware.5.2.Local.File.Inclusion/46; classtype:web-application-attack; sid:2012168; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?f="; fast_pattern; http_uri; content:"&e="; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/^[^?#]+?\.php\?f=\w+&e=\d+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012169; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow: established,to_server; content: "User-Agent|3a| Blizzard Web Client"; nocase; classtype:policy-violation; sid:2012170; rev:2;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:trojan-activity; sid:2012172; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; 
pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; http_header; file_data; content:"|3c|svg xmlns="; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; distance:0; content:"transform"; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:5;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Malware Domain twothousands.cm Likely Infection"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|twothousands|02|cm"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012176; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp CnC request POST /set/task.html"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/set/task.html"; http_uri; depth:14; content:"id=dvlsl"; http_client_body; classtype:trojan-activity; sid:2012178; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; fast_pattern:only; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt"; flow:established,to_server; 
content:"GET"; http_method; content:"/action.php?"; http_uri; nocase; content:"DIR_LIBS="; http_uri; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012181; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/media.php?"; http_uri; nocase; content:"DIR_LIBS="; http_uri; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/xmlrpc/server.php?"; nocase; http_uri; content:"DIR_LIBS="; nocase; http_uri; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/libs/PLUGINADMIN.php?"; nocase; http_uri; content:"DIR_LIBS="; nocase; http_uri; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012185; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/profile/user.php?"; nocase; http_uri; content:"aXconf[default_language]="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15938/; classtype:web-application-attack; sid:2012186; 
rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/bizdir/bizdir.cgi?"; nocase; http_uri; content:"f_srch="; nocase; http_uri; pcre:"/f_srch\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96613/bizdir510-xss.txt; classtype:web-application-attack; sid:2012187; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpscripte24 Vor und Ruckwarts Auktions System Blind SQL Injection Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/auktion.php?"; nocase; uricontent:"id_auk="; nocase; uricontent:"ASCII"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12026/; classtype:web-application-attack; sid:2012189; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/English_manual_version_2.php?"; nocase; http_uri; content:"client="; nocase; http_uri; pcre:"/client\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012190; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/zimplit.php?"; nocase; http_uri; content:"action=load"; nocase; http_uri; content:"file="; nocase; http_uri; 
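pcre:"/file\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012191; rev:2;)
# sid 2012192 - NewV SmartClient NewvCommon.ocx, DelFile method, matched in the HTTP response body.
# Requires the CLSID, then the string DelFile somewhere after it (distance:0), then a classid attribute
# carrying the same CLSID. The method name is a plain substring match, not a call site.
# NOTE(review): the page text of this pcre began at `]*classid`; the `<OBJECT\s+[^>` prefix is restored
# from the usual ET ActiveX classid template (markup stripping is the likely cause). Confirm against the
# upstream copy of this sid before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt"; flow:established,to_client; file_data; content:"0B68B7EB-02FF-4A41-BC14-3C303BB853F9"; nocase; distance:0; content:"DelFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B68B7EB-02FF-4A41-BC14-3C303BB853F9/si"; reference:url,packetstormsecurity.org/files/view/97394/newvcommon-insecure.txt; classtype:attempted-user; sid:2012192; rev:1;)
# sid 2012193 - Lexmark printer web interface, script/event-handler keywords after pjl_ready_message=.
# Direction is inbound to $HOME_NET on $HTTP_PORTS, so it only sees requests that cross the sensor
# toward internal devices. The keyword list is matched as bare substrings of the normalized URI
# (pcre /U), so a value that merely contains "script" or "alert" also alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; content:"pjl_ready_message="; http_uri; nocase; fast_pattern:only; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:1;)
# sid 2012194 - RealPlayer SP RecordClip method, same CLSID-then-method-then-classid structure as
# sid 2012192.
# NOTE(review): pcre prefix `<OBJECT\s+[^>` restored as above; confirm against the upstream rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; nocase; distance:0; content:"RecordClip"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5/si"; reference:bid,44443; reference:cve,2010-3749; classtype:attempted-user; sid:2012194; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client;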
content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; fast_pattern; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; fast_pattern; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.ini"; flow:established,to_server; content:"/setting.ini"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fcb828c0b735ea8d560a45b3bdd29b94; reference:url,www.threatexpert.com/report.aspx?md5=36d9a446d6311f9a4c19865e2b62f15d; classtype:trojan-activity; sid:2012198; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.xls"; flow:established,to_server; content:"/setting.xls"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012199; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Worm W32.Svich or Other Infection Request for setting.doc"; flow:established,to_server; content:"/setting.doc"; nocase; http_uri; 
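reference:url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012200; rev:2;)
# sid 2012201 - outbound HTTP request whose normalized URI contains /setting.nql (case-insensitive).
# The single path substring is the whole signature; the msg itself says "Possible ... or Other
# Infection", so treat a hit as a lead to correlate with the host, not as a family attribution.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql"; flow:established,to_server; content:"/setting.nql"; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=a70aad8f27957702febfa162556dc5b5; classtype:trojan-activity; sid:2012201; rev:1;)
# sid 2012204 - inbound SIP (udp/5060) carrying the From display name "sipsscuser".
# The threshold limits output to one alert per source address per 60 seconds, so alert counts
# understate the number of probes actually received.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)"; content:"From|3A 20 22|sipsscuser|22|"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:4;)
# sid 2012206 - Novell iPrint ActiveX control, matched in the HTTP response body.
# The msg names GetDriverSettings, but the content matched is the string GetDriverSettings2, which
# must appear after the CLSID (distance:0).
# NOTE(review): the page text of this pcre began at `]*classid`; the `<OBJECT\s+[^>` prefix is restored
# from the usual ET ActiveX classid template (markup stripping is the likely cause). Confirm against the
# upstream copy of this sid before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Novell iPrint ActiveX GetDriverSettings Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; distance:0; content:"GetDriverSettings2"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-256/; reference:url,www.vupen.com/english/advisories/2010/3023; reference:bid,44966; reference:cve,2010-4321; classtype:attempted-user; sid:2012206; rev:1;)
# sid 2012208 - HTTP response offering an attachment named "pack.exe".
# Both strings are matched in the response headers; the quoted file name has no distance/within, so it
# is not required to sit directly after `filename=`. No reference is attached to this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; http_header; content:"|22|pack.exe|22|"; http_header; classtype:trojan-activity; sid:2012208; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET";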
http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012211; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012212; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012213; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012214; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id 
Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/program/moduler_banner_aabn.php?"; nocase; http_uri; content:"id="; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012215; rev:2;)
# sid 2012216 - B-Cumulus tagcloud.swf, script/event-handler keywords after tagcloud= in the URI.
# Every match runs on the normalized URI. The keyword alternation is matched as bare substrings, so a
# tagcloud value that merely contains "script" (for example inside another word) also alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt"; flow:established,to_server; content:"/tagcloud.swf?"; nocase; http_uri; content:"mode=tags"; nocase; http_uri; content:"tagcloud="; nocase; http_uri; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012216; rev:2;)
# sid 2012217 - LetoDMS op.Login.php, directory traversal sequence in a GET request.
# The script path and the login=, sesstheme= and lang= parameter names are matched in the normalized
# URI. The `../` match has no http_uri modifier: it is checked against the first 200 bytes of the raw
# payload and is not tied to the lang= value.
# NOTE(review): presumably raw matching is deliberate because URI normalization can collapse `../`;
# confirm against your HTTP preprocessor settings.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/op/op.Login.php?"; http_uri; nocase; content:"login="; nocase; http_uri; content:"sesstheme="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,37828; classtype:web-application-attack; sid:2012218; rev:3;)
# sid 2012218 - UserManager SelectServer method (ActiveX), HTTP response body.
# NOTE(review): this rule is damaged as printed. The only detection option is a content: string that
# holds regular-expression text and ends in `/si`; everything between the opening quote and
# `]*classid` (apparently one or more content options and the start of a pcre) is missing, most likely
# removed as if it were an HTML tag. Do not load it in this form; re-sync this sid from the upstream
# ruleset.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Parameter Blind SQL Injection Attempt";
flow:established,to_server; content:"GET"; http_method; content:"/mainx_a.php?"; nocase; http_uri; content:"x="; nocase; http_uri; content:"xid="; nocase; http_uri; content:"bid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; http_uri; nocase; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/15999/; classtype:web-application-attack; sid:2012219; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt"; flow:established,to_server; content:"/tagcloud-ru.swf"; nocase; http_uri; content:"mode=tags"; nocase; http_uri; content:"tagcloud="; nocase; http_uri; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012220; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Malware Related msndown"; flow:established,to_server; content:"User-Agent|3a| msndown|0d 0a|"; http_header; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; classtype:trojan-activity; sid:2012221; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winsoft.E Checkin 1"; flow:established,to_server; content:".asp?prj="; http_uri; content:"&pid="; http_uri; content:"&logdata="; http_uri; content:"winsoft"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:trojan-activity; sid:2012222; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winsoft.E Checkin 2"; flow:established,to_server; content:".asp?prj="; http_uri; content:"&pid="; http_uri; content:"&mac="; http_uri; content:"winsoft"; 
nocase; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:trojan-activity; sid:2012223; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winsoft.E Checkin 3"; flow:established,to_server; content:"autoidcnt.asp?mer_seq="; http_uri; content:"&realid="; http_uri; content:"&mac="; http_uri; content:"winsoft"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:trojan-activity; sid:2012224; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate"; http_header; classtype:trojan-activity; sid:2012227; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/environ"; flow:established,to_server; content:"/proc/self/environ"; http_uri; nocase; classtype:web-application-attack; sid:2012230; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS 
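-> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt"; flow:established,to_client; file_data; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; distance:0; content:"ImportBodyText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:cve,2010-3595; classtype:attempted-user; sid:2012231; rev:1;)
# sids 2012231-2012233 - Oracle Document Capture ActiveX controls, matched in the HTTP response body.
# Each rule requires a CLSID, then a method name somewhere after it (distance:0), then a classid
# attribute carrying the same CLSID. Methods matched: ImportBodyText (2012231, the rule ending on the
# line above), DownloadSingleMessageToFile (2012232) and SaveLayoutChanges (2012233).
# NOTE(review): in all three the page text of the pcre began at `]*classid`; the `<OBJECT\s+[^>`
# prefix is restored from the usual ET ActiveX classid template (markup stripping is the likely
# cause). Confirm against the upstream copies of these sids before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Deletion Attempt"; flow:established,to_client; file_data; content:"F647CBE5-3C01-402A-B3F0-502A77054A24"; nocase; distance:0; content:"DownloadSingleMessageToFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F647CBE5-3C01-402A-B3F0-502A77054A24/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012232; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite Attempt"; flow:established,to_client; file_data; content:"4932CEF4-2CAA-11D2-A165-0060081C43D9"; nocase; distance:0; content:"SaveLayoutChanges"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4932CEF4-2CAA-11D2-A165-0060081C43D9/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012233; rev:1;)
# sid 2012234 - script-instantiated variant: ActiveXObject, then the ProgID NCSECWLib.NCSRenderer,
# then WriteJPG, in that order in the response body. Three ordered substring matches with no pcre, so
# the strings need not be part of the same statement.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:1;)
# sid 2012236 - flowbit setter for the x0Proto rule group; never alerts itself (flowbits:noalert).
# Sets et.x0proto when a server on source ports 900:11000 sends a payload of exactly two bytes, "x0".
# The rules that follow in this file test flowbits:isset,et.x0proto, so disabling or suppressing this
# sid silently disables them as well. The two-byte trigger is weak on its own; the bit only becomes
# meaningful together with the later checks.
alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Init"; flow:established,from_server; dsize:2; content:"x0"; depth:2; flowbits:noalert; flowbits:set,et.x0proto; classtype:trojan-activity; sid:2012236; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET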
900:11000 (msg:"ET TROJAN x0Proto Client Info"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:<128; content:"x0|0c|"; depth:3; classtype:trojan-activity; sid:2012237; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 900:11000 (msg:"ET TROJAN x0Proto Pong"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:9; content:"x53|0c|"; depth:4; content:"|0c|0|0c|1"; distance:1; within:4; classtype:trojan-activity; sid:2012238; rev:1;) alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Ping"; flow:established,from_server; flowbits:isset,et.x0proto; dsize:7; content:"x53|0c|1|0c|0"; depth:7; classtype:trojan-activity; sid:2012239; rev:1;) alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Download Cmd"; flow:established,from_server; flowbits:isset,et.x0proto; content:"x74|0c|1|0c|1x"; depth:8; classtype:trojan-activity; sid:2012240; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible % Encoded Iframe Tag"; flow:established,to_client; content:"%69%66%72%61%6d%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012241; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-8 Encoded Iframe Tag"; flow:established,to_client; content:"%u69%u66%u72%u61%u6d%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012242; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-16 Encoded Iframe Tag"; flow:established,to_client; content:"%u6966%u7261%u6d65"; 
nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012243; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible # Encoded Iframe Tag"; flow:established,to_client; content:"#69#66#72#61#6d#65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012244; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write # Encoding"; flow:established,to_client; content:"#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012245; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Goolbot.E Checkin UA Detected iamx"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| iamx/"; http_header; classtype:trojan-activity; sid:2012246; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P BTWebClient UA uTorrent in use"; flow:established,to_server; content:"User-Agent|3a| BTWebClient"; http_header; classtype:policy-violation; sid:2012247; rev:2;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; nocase; http_header; classtype:trojan-activity; sid:2012249; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; 
content:"0a0a0a0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:1;)
# --- Heap-spray filler literals (sids 2012254-2012259) ---
# Each rule below is one short case-insensitive literal (the 0a / 0c filler in its
# %, %u-8-bit or %u-16-bit spelling) matched anywhere in server-to-client payload
# from $HTTP_PORTS. No file_data or http_* buffer is used and nothing else in the
# response is required, so a hit shows only that the string was present.
# For triage, check whether the response also contains script that unescapes and
# replicates the string before treating the alert as an exploitation attempt.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; 
content:"%70%61%72%73%65%49%6e%74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; 
classtype:bad-unknown; sid:2012264; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; 
classtype:bad-unknown; sid:2012269; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:1;) alert tcp $EXTERNAL_NET 
any -> $SMTP_SERVERS 25 (msg:"ET TROJAN USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:2;)
# sid 2012278: matches " Our_Agent" anywhere in the request headers (http_header).
# The pattern is not anchored to the User-Agent header name, so any header value
# containing that string after a space will match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Our_Agent)"; flow:established,to_server; content:" Our_Agent"; http_header; classtype:trojan-activity; sid:2012278; rev:5;)
# sid 2012279: outbound POST whose multipart body carries form fields named sid,
# ping and guid plus a file part GB / GB.TXT. All four must be present; the file
# part is the fast_pattern. The contents are unordered (no distance/within).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:3;)
# sid 2012284: URI contains grabbers.php, body contains &module=ftpgrabber, and the
# request has no "Referer: " header (negated content). The method is not checked;
# the body match implies a request that carries a body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3;)
# sid 2012286: inbound request whose URI contains "backupdata" (any case) and whose
# User-Agent value is exactly "Mozilla/4.0" (the CRLF is part of the pattern, so
# longer Mozilla/4.0 strings do not match). The destination is $HOME_NET, not
# $HTTP_SERVERS, so it also fires on requests to hosts not listed as web servers.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; content:"backupdata"; nocase; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:attempted-recon; sid:2012286; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; content:"backup_data"; nocase; http_uri; content:"User-Agent|3a| 
Mozilla/4.0|0d 0a|"; http_header; classtype:attempted-recon; sid:2012287; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=664a5147e6258f10893c3fd375f16ce4; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; classtype:trojan-activity; sid:2012289; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious user-agent (REKOM)"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|User-Agent|3a| REKOM"; nocase; http_header; classtype:trojan-activity; sid:2012295; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; fast_pattern:only; threshold: type limit, count 1, seconds 60, track 
by_src; reference:url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper"; content:"|0d 0a|User-Agent|3A| Zoiper"; nocase; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html; classtype:attempted-recon; sid:2012297; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2012298; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; content:"/favicon.ico?0="; http_uri; content:"&1="; http_uri; content:"&2="; http_uri; content:"&3="; http_uri; content:"&4="; http_uri; content:"&5="; http_uri; content:"&6="; http_uri; content:"&7="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1; classtype:trojan-activity; sid:2012299; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CnC Beacon Outbound"; flow:established,to_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:trojan-activity; sid:2012303; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon CnC Beacon Inbound"; flow:established,from_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; 
reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012304; rev:6;)
# --- Night Dragon rules (sids 2012305-2012309) ---
# All of these match a binary payload, not HTTP, but are bound to $HTTP_PORTS:
# the same traffic on a port outside that variable is not inspected by them.
# sids 2012305 / 2012306: 16-byte payload whose last four bytes (offset 12, depth 4)
# are 68 57 24 13. Both thresholds limit to one alert per 60 seconds keyed on the
# external endpoint (by_src on the inbound rule, by_dst on the outbound one), so
# several internal hosts talking to the same server in that window produce a
# single alert. Use flow records to enumerate the other clients of that address.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon CnC Traffic Inbound 2"; flow:established,from_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012305; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CnC Traffic Outbound 2"; flow:established,to_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012306; rev:6;)
# sid 2012307: the same four-byte marker at offset 12 followed by 00 33 and the
# ASCII text "Microsoft" (15 bytes in total, depth:15). No dsize and no threshold.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012307; rev:1;)
# sid 2012308: the whole 5-byte server payload must be 01 08 00 00 00 (dsize:5).
# The pattern is short and generic, so corroborate with the other Night Dragon
# sids on the same flow before escalating.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; fast_pattern:only; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012308; rev:3;)
# sid 2012309: 29-byte server payload with 00 00 "password" 00 00 00 occupying
# bytes 3-15 (offset:3, depth:13).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Night Dragon Server Auth to Bot"; flow:established,from_server; dsize:29; content:"|00 00|password|00 00 00|"; offset:3; depth:13; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012309; rev:1;)
alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Si25f_302 User-Agent"; flow:established,to_server; content:"User-Agent|3a| Si25"; http_header; classtype:trojan-activity; sid:2012310; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan with /? and Indy Library User-Agent"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?"; depth:2; http_uri; content:"Indy Library)"; http_header; fast_pattern; content:"Accept-Encoding|3a| identity|0D 0A|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!".ensignsoftware.com"; http_header; classtype:trojan-activity; sid:2012312; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Moxilla"; flow:established,to_server; content:"User-Agent|3a| Moxilla"; http_header; classtype:trojan-activity; sid:2012313; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit TDSS/Alureon Checkin 2"; flow:established,to_server; content:"/dx.php?i="; http_uri; content:"&x64="; http_uri; content:"os="; http_uri; content:"&a="; http_uri; content:"&f="; http_uri; pcre:"/dx\.php\?i=[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}&a=/Ui"; reference:url,contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html; classtype:trojan-activity; sid:2012314; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Fake Opera 8.11 UA related to Trojan Activity"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|"; http_header; content:"|0d 0a|User-Agent|3a 20|opera/8.11|0d 0a|"; http_header; classtype:trojan-activity; sid:2012315; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; 
isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; http_header; content:"etup.exe"; nocase; http_header; classtype:trojan-activity; sid:2012318; rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN IRS Inbound SMTP Malware"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|irs_legalauth-tax_payment_notice_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012319; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN IRS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|IRS-TaxPaymentNotification"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012320; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD"; flow:established,to_server; content:" (compatible|3b| MSIE 1.0|3b| Windows NT|3b| "; http_header; fast_pattern:16,20; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"hl="; distance:0; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; 
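http_stat_code; file_data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:3;)
# sid 2012326: percent-escaped form of "//:ptth" ("http://" reversed) in a 200 response.
# `nocase` added here: hex digits in percent escapes may be written in either case,
# and the other encoded-pattern rules in this file (e.g. sid 2012241) already match
# case-insensitively, whereas the original only matched the upper-case %2F%2F%3A
# spelling. Unlike sid 2012325, this rule has no file_data, so the pattern is
# evaluated against the raw payload. rev is left at the published value; record the
# change in your local rule management.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; content:"200"; http_stat_code; content:"%2F%2F%3A%70%74%74%68"; nocase; classtype:bad-unknown; sid:2012326; rev:3;)
# --- All-numeric second-level domain lookups (sids 2012327, 2012328) ---
# Bytes 2-11 of the UDP payload must be 01 00 | 00 01 | 00 00 | 00 00 | 00 00:
# a standard recursive query with exactly one question. The pcre then requires a
# zero byte, a label-length byte (0x02-0x1E), 2-30 digits, and the cn / ru label
# ending the name, i.e. a name of the form <digits>.cn or <digits>.ru.
# Exclusions are hard-coded: 360.cn (checked in the 4 bytes before the cn label),
# 101.ru and 9366858.ru. Other legitimate numeric domains will alert, hence the
# misc-activity classtype. TCP DNS and encrypted DNS are outside these rules.
alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .cn Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:misc-activity; sid:2012327; rev:4;)
alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:misc-activity; sid:2012328; rev:6;)
# sid 2012329: inbound SMTP (port 25 only) carrying an attachment whose filename
# starts with Individual_Income_Tax_Rtrn_ and a quoted name ending in .zip. The
# three contents are unordered and all case-insensitive.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN IRS Inbound SPAM variant 3"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Individual_Income_Tax_Rtrn_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012329; rev:2;)
# sid 2012331: policy rule for cleartext iDisk sync; needs both the exact Host
# header idisk.mac.com and the DotMacKit-like User-Agent prefix in http_header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; content:"|0d 0a|Host|3a| idisk.mac.com|0d 0a|"; http_header; nocase; content:"User-Agent|3a| DotMacKit-like, File-Sync-Direct"; http_header; nocase; classtype:policy-violation; sid:2012331; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/customer_ftp.php?"; nocase; http_uri; content:"id="; 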
nocase; http_uri; pcre:"/id=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/16051/; classtype:web-application-attack; sid:2012334; rev:2;)
# sid 2012335: GET to /index.php? with page=viewbus and bus= in the normalized URI,
# plus "and" followed later by "substring(" (pcre with /U, case-insensitive).
# The pcre is not anchored to the bus= parameter, and only GET is covered; the
# same parameters sent in a request body are outside this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"page=viewbus"; nocase; http_uri; content:"bus="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/16034/; classtype:web-application-attack; sid:2012335; rev:2;)
# sid 2012336: NOTE(review): the traversal check content:"../"; depth:200; has no
# http_uri modifier, unlike the two contents before it. It is therefore matched
# against the first 200 bytes of the raw payload rather than the normalized URI:
# it is not tied to the lang= value, and an encoded separator is not decoded
# before comparison. Pair this rule with web-server access logs when triaging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cultbooking.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012336; rev:2;)
# sid 2012337: same script and parameter, any HTTP method. The pcre requires lang=
# followed by at least one character and then one of the listed script/event-handler
# keywords (or "style="), evaluated on the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/cultbooking.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012337; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; 
http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012338; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012339; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012340; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012341; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET 
SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/infusions/teams_structure/team.php?"; nocase; http_uri; content:"team_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012342; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/active_auctions.php?"; nocase; http_uri; content:"lan="; nocase; http_uri; content:"../"; depth:200; reference:url,johnleitch.net/Vulnerabilities/WeBid.0.8.5P1.Local.File.Inclusion/63; classtype:web-application-attack; sid:2012343; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/lib/addressbook.php?"; nocase; http_uri; content:"basedir="; nocase; http_uri; pcre:"/basedir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/12369/; classtype:web-application-attack; sid:2012344; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_frontenduseraccess"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/43137/; reference:url,securityhome.eu/exploits/exploit.php?eid=17879866924d479451d88fa8.02873909; classtype:web-application-attack; sid:2012345; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter 
SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012346; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012347; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012348; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012349; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"lvl=coll_see"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012350; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt"; flow:established,to_server; content:"/SearchCenter/Pages/AllResults.aspx?"; nocase; http_uri; content:"k="; nocase; http_uri; pcre:"/k\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98029/enp-xss.txt; classtype:web-application-attack; sid:2012351; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/browsecats.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/16062/; classtype:web-application-attack; sid:2012352; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/audio/getid3/demos/demo.browse.php?"; nocase; http_uri; content:"showfile="; nocase; http_uri; pcre:"/showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:url,packetstormsecurity.org/files/view/97834/WordPressAudio0.5.1-xss.txt; classtype:web-application-attack; sid:2012353; rev:2;)
# sid 2012354 - Dokeos / Chamilo gradebook/open_document.php, file disclosure via file=.
# The script path and "file=" are matched in the URI buffer, but "../" carries no http_uri
# modifier: it is searched in the first 200 bytes of the raw payload (depth:200).
# NOTE(review): a raw match sees only the literal bytes "../". Encoded spellings of the same
# sequence are not covered, and neither is a traversal that begins after byte 200. Treat this sid
# as one signal and keep web-server logs or a WAF check on the decoded parameter as the backstop.
# "file=" is also the one URI match here without nocase.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/gradebook/open_document.php?"; nocase; http_uri; content:"file="; http_uri; content:"../"; depth:200; reference:bugtraq,46173; classtype:web-application-attack; sid:2012354; rev:2;)
# sid 2012355 - Moodle spikephpcoverage script, reflected XSS via PHPCOVERAGE_HOME.
# No http_method option, so every request method is inspected. The pcre needs "PHPCOVERAGE_HOME="
# followed later in the URI by "script", one of the listed on* handler names, or "style=".
# The alternation is a keyword list, not markup parsing: a benign value that merely contains
# one of the words (for example a path with "script" in it) alerts as well.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php?"; nocase; http_uri; content:"PHPCOVERAGE_HOME"; nocase; http_uri; pcre:"/PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98053/Moodle2.0.1-xss.txt; classtype:web-application-attack; sid:2012355; rev:2;)
# sid 2012356 - WordPress Featured Content plugin, reflected XSS via param=.
# Same keyword-list pcre as sid 2012355, anchored on "param=".
# NOTE(review): the matched path names only the modalbox test script, not a plugin directory, so
# other software that ships the same file would presumably raise this msg too - check the full
# URI in the alert before attributing a hit to this plugin.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/js/modalbox/tests/functional/_ajax_method_get.php?"; nocase; http_uri; content:"param="; nocase; http_uri; pcre:"/param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/97826/WordPressFeaturedContent0.0.1-xss.txt; classtype:web-application-attack; sid:2012356; rev:2;)
# sid 2012357 (rule text continues on the next line) - Joomla com_xgallery helpers/img.php, local
# file inclusion via file=. It uses the same raw-payload "../" depth:200 check as sid 2012354 and
# has the same coverage limits.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; 
content:"/components/com_xgallery/helpers/img.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/96864/joomlaxgallery-lfi.txt; classtype:web-application-attack; sid:2012357; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/flash_upload.php?"; nocase; http_uri; content:"modelid="; nocase; http_uri; content:"ORDER"; nocase; http_uri; content:"BY"; nocase; http_uri; pcre:"/ORDER.+BY/Ui"; reference:bugtraq,45933; classtype:web-application-attack; sid:2012358; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012359; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012360; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; 
content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012361; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012362; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/notaevento.php?"; nocase; http_uri; content:"id_novedad="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012363; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012364; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL 
Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012365; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012366; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012367; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012368; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla swMenuPro 
ImageManager.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/com_swmenupro/ImageManager/Classes/ImageManager.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/95505/joomlaswmenupro-rfi.txt; classtype:web-application-attack; sid:2012369; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/explanation.php?"; nocase; http_uri; content:"explain"; nocase; http_uri; pcre:"/explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012370; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/modules/boonex/custom_rss/post_mod_crss.php?"; nocase; http_uri; content:"relocate"; nocase; http_uri; pcre:"/relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012371; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.cfm?"; nocase; http_uri; content:"actcfug=LibraryView"; nocase; http_uri; content:"LibraryID="; nocase; http_uri; content:"ASCII"; nocase; 
http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/14935/; classtype:web-application-attack; sid:2012372; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/util/barcode.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/98424/horde-lfi.txt; classtype:web-application-attack; sid:2012373; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012374; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012375; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; 
http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012376; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012377; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/hilfsmittel.php"; nocase; http_uri; content:"action=read"; nocase; http_uri; content:"katid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012378; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/allauctions.php?"; nocase; http_uri; content:"aid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/82724/telebidauction-sql.txt; classtype:web-application-attack; sid:2012379; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/core/themes.php?"; 
nocase; http_uri; content:"L_failedopentheme="; nocase; http_uri; pcre:"/L_failedopentheme\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98143/podcastgenerator-xss.txt; classtype:web-application-attack; sid:2012380; rev:2;)
# sid 2012381 - ITechBids itechd.php, blind SQL injection via productid=.
# Inbound GET with "/itechd.php?" and "productid=" in the URI, plus "and" followed anywhere
# later by "substring(" (pcre on the URI buffer, case-insensitive).
# "and" is a three-byte substring and also matches inside ordinary words, so the script path and
# "substring(" are what actually narrow the rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/itechd.php?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:2;)
# sid 2012382 - Coppermine Photo Gallery include/picmgmt.inc.php, output= parameter.
# NOTE(review): the pcre /output=\w/ only checks that the parameter has a value starting with a
# word character; it does not inspect the value. Every GET that sets output= on this path
# alerts, so a hit means "parameter present on a direct request to the include file" and the
# request itself has to be read to judge whether a command was passed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"output="; nocase; http_uri; pcre:"/output=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:3;)
# sid 2012383 - same script and same presence-only check as sid 2012382, for retva=.
# Both sids fire on one request that sets both parameters; correlate on the flow, not the count.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"retva="; nocase; http_uri; pcre:"/retva=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:3;)
# sid 2012384 (rule text continues on the next line) - outbound request to a ".php" URI whose raw
# bytes contain exactly " HTTP/1.1", then a User-Agent line claiming MSIE 7.0 on Windows NT 5.1,
# then "Host: ", with "Cache-Control: no-cache" and the blank line ending the headers inside the
# next 50 bytes (within:50). The header run is a raw-payload match, so header order and spacing
# must match byte for byte. By my count the Cache-Control pattern is 29 bytes, which leaves room
# for a Host value of at most 21 bytes - TODO confirm if longer hostnames matter to you.
# msg says "GET" but the rule has no http_method option; no reference is attached.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; content:".php"; http_uri; nocase; content:"|20|HTTP/1.1|0d 
0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; within:50; classtype:trojan-activity; sid:2012384; rev:3;)
# sid 2012386 - outbound HTTP request whose User-Agent value begins "VCTestClient" (nocase).
# NOTE(review): the pattern starts with CRLF but is matched in the http_header buffer. If the
# engine's header buffer begins at the first header line, a client that sends User-Agent as its
# first header has no CRLF in front of it and is not matched - verify on the deployed engine.
# No reference is attached, so the alert alone does not say what software the string belongs to.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| VCTestClient"; nocase; http_header; classtype:trojan-activity; sid:2012386; rev:1;)
# sid 2012387 - same construction as sid 2012386 for a User-Agent beginning "PrivacyInfoUpdate",
# including the leading-CRLF match in http_header and the missing reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| PrivacyInfoUpdate"; nocase; http_header; classtype:trojan-activity; sid:2012387; rev:1;)
# sid 2012388 - inbound SMTP to $SMTP_SERVERS port 25: an attachment Content-Disposition header,
# a filename starting "USPS_", and ".zip" followed by a closing quote.
# The three contents have no distance/within, so each is searched independently in the payload;
# they need not belong to the same MIME part. Only port 25 is covered. The msg attributes the
# lure to SpyEye as "possible" - the rule matches the attachment name, not the malware itself.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN USPS SPAM Inbound possible spyeye trojan"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_"; nocase; content:".zip|22|"; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066; classtype:trojan-activity; sid:2012388; rev:2;)
# sid 2012389 - outbound request whose URI contains ".php?" and "=javajsm".
# Both matches are case-sensitive (no nocase) and unordered; there is no method check and no
# reference. A hit is from $HOME_NET, i.e. an internal client: per the msg it suggests a
# completed exploit-kit stage, so triage the host rather than the destination.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:trojan-activity; sid:2012389; rev:2;)
# sid 2012390 - outbound HTTP whose User-Agent header line contains "libtorrent".
# NOTE(review): msg files this under "ET P2P" but classtype is trojan-activity, whereas the P2P
# rules earlier in this file use policy-violation. classtype feeds alert priority, so this sid
# will presumably rank with malware alerts - confirm that is intended for the sensor.
# The pcre also needs at least one character between "User-Agent: " and "libtorrent" ([^\r\n]+?),
# so a header value that starts with the word is not matched.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Libtorrent User-Agent"; flow:to_server,established; content:"libtorrent"; nocase; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a [^\r\n]+?libtorrent/Hmi"; classtype:trojan-activity; sid:2012390; rev:2;)
# sid 2012391 (rule text continues on the next line) - Tatanga check-in: outbound GET whose URI
# contains ".php?build=", "&id=", "&SA=1-0" and "&SP=1-" (case-sensitive, no ordering enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tatanga Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?build="; http_uri; content:"&id="; http_uri; content:"&SA=1-0"; http_uri; content:"&SP=1-"; 
http_uri; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958; reference:url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php; classtype:trojan-activity; sid:2012391; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Download Setup_ exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/Setup_\d+\.exe$/Ui"; reference:url,www.malwareurl.com/listing.php?domain=antivirus-live21.com; classtype:trojan-activity; sid:2012392; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; content:"awstats.cgi"; nocase; http_uri; content:"config="; nocase; http_uri; content:"pluginmode=rawlog"; nocase; http_uri; content:"configdir=|5C 5C|"; nocase; http_uri; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf/WebMessage"; nocase; http_uri; content:"OpenView"; nocase; http_uri; content:"messageString="; nocase; http_uri; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server 
stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf"; nocase; http_uri; content:"unescape"; nocase; fast_pattern; http_uri; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakePAV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/soft-usage/favicon.ico?"; nocase; http_uri; pcre:"/\?0=.*\&1=.*\&2=.*\&3=.*\&4=.*\&5=.*\&6=.*\&7=.*\&8=/Ui"; 
reference:url,www.threatexpert.com/report.aspx?md5=f5dd61e29eff89a93c591fba7ea14d92; classtype:trojan-activity; sid:2012405; rev:4;)
# sid 2012406 - Cewolf chart servlet, oversized width/height request (resource exhaustion).
# The pcre needs "&width=" or "&height=" immediately followed by a digit 2-9 and at least two
# more digits, i.e. 200-999, 2000-9999, 20000-99999 and so on.
# NOTE(review): coverage follows the pattern, not the size of the number. A dimension sent as the
# first query parameter (after "?" rather than "&") is not inspected, and a value whose first
# digit is 0 or 1 never matches however long it is. If the intent is "any dimension of 200 or
# more", a local variant such as /[?&](width|height)=0*(?:[2-9]\d{2}|[1-9]\d{3,})/Ui is closer;
# test it against real traffic first, and cap chart dimensions in the application regardless.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Cewolf?"; nocase; http_uri; pcre:"/\&(width|height)\=([2-9][0-9][0-9][0-9]*)/Ui"; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079547.html; classtype:web-application-attack; sid:2012406; rev:3;)
# sid 2012407 - WordPress script options-runnow-iframe.php, file disclosure via wpabs=.
# The path with "?wpabs=/" is matched in the URI buffer; "%00&" has no http_uri modifier and is a
# raw-payload match in the first 250 bytes (depth:250), so it is the literal percent-encoded
# text, not a decoded NUL byte.
# msg is identical to sid 2012408: use the sid or the script name to tell the two apart.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/options-runnow-iframe.php?wpabs=/"; nocase; http_uri; content:"%00&"; depth:250; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012407; rev:2;)
# sid 2012408 - companion to sid 2012407 for options-view_log-iframe.php: the raw match is
# "%00&logfile=/", again literal text within the first 250 bytes. The raw match is case-sensitive,
# so only lower-case "logfile" is covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/options-view_log-iframe.php?wpabs=/"; nocase; http_uri; content:"%00&logfile=/"; depth:250; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:2;)
# sid 2012411 (rule text continues on the next line) - IWantOneButton WordPress plugin
# updateAJAX.php, reflected XSS via post_id=. Keyword-list pcre on the URI buffer; no method check.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; pcre:"/post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/16236/; 
reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012411; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012412; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012413; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012414; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012415; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012416; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE"; flow:established,to_server; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; http_uri; content:"post_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012417; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1"; flow:established,to_server; 
content:"/shipping/methods/fedex_v7/label_mgr/js_include.php?"; nocase; http_uri; content:"form="; nocase; http_uri; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012418; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2"; flow:established,to_server; content:"/shipping/pages/popup_shipping/js_include.php?"; nocase; http_uri; content:"form="; http_uri; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012419; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt dsp_page.cfm pageid SELECT"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012420; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UNION SELECT"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; 
pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012421; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid INSERT"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012422; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid DELETE"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012423; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid ASCII"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012424; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- 
dsp_page.cfm pageid UPDATE"; flow:established,to_server; content:"/dsp_page.cfm?"; nocase; http_uri; content:"pageid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012425; rev:2;)
# sid 2012426 - WordPress XCloner plugin cloner.cron.php, local file inclusion via config=.
# Plugin path and "config=" are URI-buffer matches; "../" has no http_uri modifier and is
# searched in the first 200 bytes of the raw payload (depth:200).
# NOTE(review): the raw match sees only the literal bytes "../", so encoded spellings are not
# covered. depth:200 counts from the start of the payload and the plugin path is long, so an
# install under a deep directory prefix leaves little of that window for the parameter value.
# Restricting direct access to cloner.cron.php on the server is the more reliable control.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php?"; nocase; http_uri; content:"config="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012426; rev:2;)
# sid 2012427 - Joomla build of the same component (com_xcloner-backupandrestore), same config=
# check. It shares the raw-payload "../" depth:200 match of sid 2012426 and its limits; the
# Joomla path is longer still, which tightens the 200-byte window further.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/components/com_xcloner-backupandrestore/cloner.cron.php?"; nocase; http_uri; content:"config="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012427; rev:2;)
# sid 2012428 (rule text continues on the next line) - WordPress XCloner index2.php, reflected XSS
# via option= on requests that also carry "task=dologin". Keyword-list pcre on the URI buffer;
# no method check, so every request method is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; http_uri; content:"task=dologin"; nocase; http_uri; content:"option="; nocase; http_uri; pcre:"/option\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012428; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; http_uri; content:"mosmsg="; nocase; http_uri; pcre:"/mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012429; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/administrator/components/com_xcloner-backupandrestore/index2.php?"; nocase; http_uri; content:"mosmsg="; nocase; http_uri; pcre:"/mosmsg\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012430; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012431; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- 
feed.php topic UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012432; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012433; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012434; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012435; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt 
-- feed.php topic UPDATE"; flow:established,to_server; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; http_uri; content:"topic="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012436; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/zotpress/zotpress.image.php?"; nocase; http_uri; content:"citation="; nocase; http_uri; pcre:"/citation\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98746/WordPressZotpress2.6-xss.txt; classtype:web-application-attack; sid:2012437; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanDownloader Win32/Harnig.gen-P Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bhanx.php?"; http_uri; nocase; content:"adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&p="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=40d1819b9c3c85e1f3b7723c7a9118ad; classtype:trojan-activity; sid:2012438; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de85ae919d48325189bead995e8052e7; reference:url,support.clean-mx.de/clean-mx/viruses.php?ip=210.163.9.69&sort=first desc; classtype:trojan-activity; sid:2012440; rev:3;)
# sid 2012441: outbound HTTP GET whose URI contains /avisa.php? together with the
# parameters usuario=, pc=, serial= and versao= (all case-insensitive).
# The content matches carry no distance/within, so the parameters may appear in any order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Banload Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avisa.php?"; nocase; http_uri; content:"usuario="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"serial="; nocase; http_uri; content:"versao="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=43b0ddf87c66418053ee055501193abf; reference:url,scumware.org/report/89.108.68.81; classtype:trojan-activity; sid:2012441; rev:3;)
# sid 2012443: inbound SMTP (port 25) message carrying an attachment whose filename
# starts with "UPS" and that contains .zip" ; the pcre narrows this to two filename stems.
# NOTE(review): the pcre ends in /Ui. The U modifier selects the normalized HTTP URI
# buffer, which an SMTP session would not be expected to populate. Confirm in your
# engine's rule-test mode that this rule loads and can actually match on port 25.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2;)
# sid 2012444: inbound SMTP message with a From display name "United Parcel Service",
# the string @ups.com, and an attachment named "document.zip".
# The four content matches are unordered and inspect the raw stream; no pcre is used here.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Post Express Inbound bad attachment"; flow:established,to_server; content:"Post 
Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Eleonore Exploit pack download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/load/load.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=ultranichehost.com; classtype:trojan-activity; sid:2012446; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Win32.Agent.FakeAV.AVG 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=lr&id="; http_uri; content:"&ver="; http_uri; content:"&bit="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012448; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Win32.Agent.FakeAV.AVG 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=vv&i="; http_uri; content:"&id="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012449; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; depth:200; nocase; content:"sim="; depth:200; nocase; content:"tel="; depth:200; nocase; content:"imsi="; depth:200; content:"pid="; depth:200; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; depth:200; nocase; content:"id="; 
depth:200; nocase; content:"softid="; depth:200; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:1;)
# sid 2012453: outbound HTTP POST to port 8080 with /GMServer/GMServlet in the URI and a
# User-Agent header that begins with "Dalvik".
# The rule relies on http_method/http_uri/http_header, so the sensor must decode HTTP on
# port 8080 for it to match -- confirm 8080 is in the HTTP inspection port list.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012454-PLACEHOLDER-DO-NOT-USE; rev:2;)
content:"GET"; nocase; http_method; content:"/ddos.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012457; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download desyms.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/desyms.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012458; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download 1691.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/1691.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012459; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download wm.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/wm.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012460; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible JKDDOS download cl.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cl.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012461; rev:2;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET P2P Ocelot BitTorrent Server in Use"; flow:established,from_server; content:"HTTP/1.1 200 |0d 0a|Server|3a| Ocelot "; depth:30; classtype:policy-violation; sid:2012467; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel 
SQL Injection Attempt -- cp_menu_data_file.php menu SELECT"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012468; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UNION SELECT"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012469; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu INSERT"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012470; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu DELETE"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012471; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu ASCII"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012472; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE"; flow:established,to_server; content:"/public/code/cp_menu_data_file.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012473; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/rp-menu.php?"; nocase; http_uri; content:"_SESSION[sess_user]="; nocase; http_uri; pcre:"/_SESSION\[sess_user\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012474; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/header.php?"; nocase; http_uri; content:"row[titledesc]="; nocase; http_uri; pcre:"/row\[titledesc\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012475; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/folder.php?"; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_1_flash_gallery_wordpress_plugin.html; reference:url,packetstormsecurity.org/files/view/99086/1flashgal-sqlxss.txt; classtype:web-application-attack; sid:2012476; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern:35,20; nocase; http_uri; content:"gall_id="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012478; rev:2;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012479; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012480; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012481; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; 
content:"gall_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012482; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; http_uri; content:"to_p_dict="; nocase; http_uri; pcre:"/to_p_dict\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012483; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; http_uri; content:"to_r_list="; nocase; http_uri; pcre:"/to_r_list\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012484; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf SELECT"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012485; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Keynect Ecommerce SQL Injection Attempt -- products.php ctf UNION SELECT"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012486; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf INSERT"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012487; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf DELETE"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012488; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf ASCII"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012489; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE"; flow:established,to_server; content:"/products.php?"; nocase; http_uri; content:"ctf="; nocase; 
http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012490; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Presto)"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; sid:2012491; rev:7;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; http_header; nocase; classtype:trojan-activity; sid:2012494; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod/vm/controller/AccessController.php?"; nocase; http_uri; content:"global[approot]="; nocase; http_uri; pcre:"/global\[approot\]=\s*(ftps?|https?|php)\x3a\//Ui"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012496; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot 
Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mod/vm/model/dao.php?"; nocase; http_uri; content:"global[approot]="; http_uri; nocase; pcre:"/global\[approot\]=\s*(ftps?|https?|php)\x3a\//Ui"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012497; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id SELECT"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012498; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id UNION SELECT"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012499; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; 
http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012500; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012501; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:trojan-activity; sid:2012505; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET TROJAN Monkif CnC response in fake JPEG"; flow:established,from_server; file_data; content:"|ff d8 ff e0|"; within:4; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:trojan-activity; sid:2012507; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; content:"PUT|20|"; depth:4; content:"user-agent|3a|netsession_win_"; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById|28|"; nocase; content:"id.getAttributeNode|28|"; nocase; distance:0; content:"attribute.childNodes"; nocase; distance:0; content:"document.body.removeChild|28|"; nocase; distance:0; content:"attribute.removeChild|28|"; fast_pattern; nocase; distance:0; reference:bid,40642; reference:cve,2010-1119; classtype:attempted-user; sid:2012509; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt"; flow:established,to_client; content:"window.open|28|"; nocase; content:"document.createElement|28|"; nocase; distance:0; content:"document.body.appendChild|28|"; nocase; distance:0; content:"close|28|"; nocase; distance:0; content:"document.cloneNode|28|"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/16979/; classtype:attempted-user; sid:2012511; rev:1;) alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Hiloti loader installed successfully response"; flow:established,from_server; file_data; content:"a|0D 0A|install OK"; within:13; classtype:trojan-activity; sid:2012512; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti loader installed successfully request"; flow:established,to_server; content:"POST"; http_method; content:"/install.php?affid="; http_uri; depth:19; classtype:trojan-activity; sid:2012513; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti loader requesting payload URL"; flow:established,to_server; content:"/lurl.php?affid="; http_uri; depth:16; classtype:trojan-activity; sid:2012514; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Win32 Banker Trojan CheckIn"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/sys7."; http_uri; fast_pattern; 
reference:url,www.xandora.net/xangui/malware/view/18e5c43b3d430526e90799e7cc2c3ec8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FBancos.ZY; classtype:trojan-activity; sid:2012521; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|xxx|00|"; fast_pattern; nocase; distance:0; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Virut.BN Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"list.php?c="; within:32; content:"&v="; distance:0; content:"&t="; distance:0; pcre:"/c\x3d[0-9A-F]{100}/i"; reference:url,www.threatexpert.com/report.aspx?md5=199d9ea754f193194e251415a2f6dd46; classtype:trojan-activity; sid:2012533; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.small Generic Checkin"; flow:established,to_server; content:"/install.asp?mac="; http_uri; content:"User-Agent|3a| MyAgent"; http_header; classtype:trojan-activity; sid:2012541; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.gv.vg domain"; flow:established,to_server; content:".gv.vg|0d 0a|"; http_header; classtype:bad-unknown; sid:2012542; rev:4;) alert tcp 
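$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt"; flow:established,to_client; file_data; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; nocase; distance:0; content:"cdda|3A|//"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA/si"; reference:bid,44450; reference:cve,2010-3747; classtype:attempted-user; sid:2012543; rev:2;)
# sid 2012543 (above; its "alert tcp" header sits at the end of the previous
# line of this file): server-to-client body that contains the CLSID, then
# "cdda://", then at least 100 more bytes with no line feed among them.
# Fix: the pcre began with "]*classid", the residue of an "<OBJECT ...>" prefix
# that was stripped as if it were an HTML tag. In that form the expression
# matched "classid=" anywhere in the body rather than inside an OBJECT tag; the
# "<OBJECT\s+[^>]*" anchor is restored. rev is left as published - track the
# change under local change control if this copy is deployed.
#
# The rules below alert on a fixed byte string in traffic from port 443; all but
# sid 2012547 also require the named host within the next 250 bytes. The byte
# strings are presumably certificate serial numbers - NOTE(review): confirm
# against the advisory these rules were written for. They inspect port 443 only,
# so the same certificate presented on another port is not covered.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:4;)
# sid 2012547 has no host-name content: the byte string alone triggers it.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:4;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:4;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:5;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:4;)
# The rule header below continues on the next line of this file.
alert tcp $EXTERNAL_NET 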
443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:5;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:4;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:5;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET WEB_CLIENT Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (VMozilla)"; flow:to_server,established; content:"User-Agent|3a| VMozilla"; http_header; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; classtype:trojan-activity; sid:2012555; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; 
reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012556; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012557; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012558; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012559; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/imprimir.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; 
nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012560; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/action.class.php?"; nocase; http_uri; content:"path_om="; http_uri; nocase; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012561; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/architecte.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012562; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/avis.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012563; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/bible.class.php?"; nocase; http_uri; content:"path_om="; http_uri; nocase; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012564; rev:2;) 
# The four rules on this line inspect inbound requests to $HTTP_SERVERS. Every
# content match carries http_uri, and the pcre /U flag applies the expression to
# the same normalized URI buffer. Each rule is pinned to the GET method.
# NOTE(review): whether the targeted applications also read these parameters
# from the query string of a non-GET request is not shown here - confirm before
# relying on the method restriction.

# sid 2012565: Openfoncier /obj/blocnote.class.php? with path_om= followed
# (optional whitespace allowed) by an ftp, ftps, http, https or php scheme and ":/".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/obj/blocnote.class.php?"; nocase; http_uri; content:"path_om="; http_uri; nocase; pcre:"/path_om=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012565; rev:2;)
# sid 2012566: vBulletin vbBux /vbplaza.php? with do= and name= present, and
# "and" appearing somewhere before "substring(" in the URI. The contents have
# no distance/within, so only the pcre enforces that order; "and" is a bare
# substring match and also hits inside longer words.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin vbBux vbplaza.php Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/vbplaza.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"name="; nocase; http_uri; content:"and"; http_uri; nocase; content:"substring"; http_uri; nocase; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/8784/; classtype:web-application-attack; sid:2012566; rev:3;)
# sid 2012567: coRED CMS /content/rubric/index.php? with rubID= present and
# SELECT followed by FROM anywhere in the URI (not tied to the rubID value).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET";http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012567; rev:3;)
# sid 2012568: same script and parameter as sid 2012567, keyed on UNION
# followed by SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012568; rev:3;)
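# sid 2012569 / 2012570: coRED CMS /content/rubric/index.php? GET requests with
# rubID= present and INSERT...INTO or UPDATE...SET in the normalized URI. The
# pcre enforces keyword order only; it does not tie the keywords to the rubID value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012569; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012570; rev:3;)
# sid 2012571: jQuery Mega Menu skin.php with skin= and an encoded "../".
# Fix: nocase added to the "..%2f" match. The hex digits of a percent-escape are
# case-insensitive, so "%2F" encodes the same byte and was not matched before.
# NOTE(review): this content has no http_* modifier, so depth:200 applies to the
# raw payload rather than to the URI buffer used by the other matches; confirm
# that is intended. rev is left as published - track the change locally.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/jquery-mega-menu/skin.php?"; nocase; http_uri; content:"skin="; nocase; http_uri; content:"..%2f"; nocase; depth:200; reference:url,exploit-db.com/exploits/16250; classtype:web-application-attack; sid:2012571; rev:3;)
# sid 2012572: Mambo /includes/Cache/Lite/Output.php? with
# mosConfig_absolute_path= followed by an ftp(s)/http(s)/php scheme and ":/".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/Cache/Lite/Output.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/16912; classtype:web-application-attack; sid:2012572; rev:2;)
# The rule header below continues on the next line of this file.
alert tcp $EXTERNAL_NET 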
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/header.php?"; nocase; http_uri; content:"row[titledesc]="; nocase; http_uri; pcre:"/row\[titledesc\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012573; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/rp-menu.php?"; nocase; http_uri; content:"_SESSION[sess_user]="; nocase; http_uri; pcre:"/_SESSION\[sess_user\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012574; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012575; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; 
reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012577; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012579; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; http_uri; content:"image="; http_uri; nocase; pcre:"/image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012581; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; nocase; http_uri; content:"appMVCPath="; http_uri; nocase; pcre:"/appMVCPath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012583; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; nocase; http_uri; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012584; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/content/rubric/index.php?"; nocase; http_uri; content:"rubID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012585; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Im Luo"; flow:established,to_server; content:"User-Agent|3A| Im|27|Luo"; http_header; classtype:trojan-activity; sid:2012586; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VirTool-Win32-VBInject.gen-FA Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/alive.php?"; nocase; http_uri; content:"key="; nocase; http_uri; content:"pcuser="; nocase; http_uri; content:"pcname="; nocase; http_uri; content:"hwid="; nocase; http_uri; content:"country="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=85a9f25c9b6614a8ad16dd7f3363a247; classtype:trojan-activity; sid:2012587; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Best Spyware Scanner FaveAV Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/BestSpywareScanner_Setup.exe"; nocase; http_uri; classtype:trojan-activity; sid:2012590; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
TROJAN PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.ce.ms domain"; flow:established,to_server; content:".ce.ms|0d 0a|"; http_header; classtype:bad-unknown; sid:2012593; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012595; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012596; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; 
sid:2012597; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012598; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012599; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012600; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; http_uri; content:"image="; nocase; http_uri; pcre:"/image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012601; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012603; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; http_uri; nocase; content:"appMVCPath="; nocase; http_uri; pcre:"/appMVCPath=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012604; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; http_uri; nocase; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012605; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN 
Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Sample"; flow:established,to_server; content:"User-Agent|3A| sample"; nocase; http_header; classtype:trojan-activity; sid:2012611; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; content:!".taobao.com|0d 0a|"; http_header; content:!".dict.cn|0d 0a|"; http_header; content:!".avg.com|0d 0a|"; http_header; content:!"SlimBrowser"; http_header; content:!".weather.hao.360.cn"; http_header; classtype:trojan-activity; sid:2012612; rev:13;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:trojan-activity; sid:2012615; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Slugin.A PatchTimeCheck.dat Request"; flow:established,to_server; content:"/PatchTimeCheck.dat"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2012616; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; 
http_uri; fast_pattern:only; classtype:trojan-activity; sid:2012617; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Mozilla/3.0"; flow:established,to_server; content:"User-Agent|3A| Mozilla/3.0|0d 0a|"; http_header; fast_pattern:11,14; classtype:trojan-activity; sid:2012619; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.FakeAV.chhq Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|2f|index|2e|php|3f 30 64 34 30 62 30 3d|"; http_uri; fast_pattern; content:"User-Agent|3A| Mozilla|2f|3|2e|0"; http_header; classtype:trojan-activity; sid:2012620; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Host|3a 20|"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; distance:0; content:")|0d 0a|Content-Length"; distance:0; content:"|0d 0a 0d 0a|data="; fast_pattern; classtype:trojan-activity; sid:2012627; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Optimum Installer User-Agent IE6 on Windows XP"; flow:established,to_server; content:"User-Agent|3a| IE6 on Windows XP"; fast_pattern:12,10; http_header; classtype:trojan-activity; sid:2012629; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8081] (msg:"ET TROJAN Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; content:"a=Windows"; nocase; content:"&b="; content:"&c="; content:"&f="; content:"&k="; pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/i"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2012631; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks 
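RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; distance:0; content:"Exec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5.+(Exec|ExecLow|ShellExec)/smi"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012636; rev:1;)
# sid 2012636 (above; its header starts on the previous line of this file) and
# the three rules below inspect server-to-client bodies (file_data) for a
# RealGames StubbyUtil control CLSID followed by a method name:
#   5818813E-... (ProcessMgr.1): Exec / ExecLow / ShellExec, CreateVistaTaskLow
#   80AB3FB6-... (ShellCtl.1):   ShellExec, CreateShortcut
# Fix: each pcre began with "]*classid", the residue of an "<OBJECT ...>" prefix
# that was stripped as if it were an HTML tag. In that form the expression
# matched "classid=" anywhere in the body rather than inside an OBJECT tag; the
# "<OBJECT\s+[^>]*" anchor is restored in all four. sid 2012640 on the next line
# of this file shows the same damage. rev values are left as published.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; distance:0; content:"CreateVistaTaskLow"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012637; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; distance:0; content:"ShellExec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012638; rev:2;)
# The rule below (CreateShortcut) continues on the next line of this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; distance:0; content:"CreateShortcut"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; 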
reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012639; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; file_data; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; distance:0; content:"CopyDocument"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012640; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt"; flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launchjnlp"; fast_pattern; nocase; distance:0; content:"docbase"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:257,relative; content:!"|0A|"; within:257; reference:bid,44023; reference:cve,2010-3552; classtype:attempted-user; sid:2012641; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|mozilla/2.0"; http_header; fast_pattern:11,12; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:trojan-activity; sid:2012642; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection "; flow:established,to_server; content:"GET|20|/|20|HTTP/1."; content:"|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|www.google.com|0d 0a|Pragma|3a 20|no-cache|0d 0a 0d 0a|"; within:65; classtype:trojan-activity; sid:2012645; rev:4;) alert tcp [108.160.162.0/24,108.160.165.0/24,108.160.166.0/24] 
443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|*.dropbox.com"; distance:1; within:14; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:4;) alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; content:!"101.ru"; http_header; content:!"9366858.ru"; http_header; classtype:misc-activity; sid:2012649; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012651; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; 
content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012652; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012653; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012654; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; 
http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012655; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php?"; nocase; http_uri; content:"callback="; nocase; http_uri; pcre:"/callback\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012656; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php?"; nocase; http_uri; content:"sleep="; nocase; http_uri; content:"file="; nocase; content:"..%2f"; depth:200; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012657; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt"; flow:established,to_server; content:"/templates/recruitment/jobVacancy.php?"; nocase; http_uri; content:"recruitcode="; nocase; http_uri; pcre:"/recruitcode\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47046; classtype:web-application-attack; sid:2012658; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_doqment"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"admin.ponygallery.html.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/99278/joomladoqment-rfilfisql.txt; classtype:web-application-attack; sid:2012659; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Portel patron Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/portel/libreria/php/decide.php?"; nocase; http_uri; content:"patron="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/80053/portel-sql.txt; classtype:web-application-attack; sid:2012660; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012661; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,46635; 
classtype:web-application-attack; sid:2012662; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012663; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012664; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/cchatbox.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"messageid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,46635; classtype:web-application-attack; sid:2012665; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_smartformer/smartformer.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; 
reference:url,packetstormsecurity.org/files/view/95477/joomlasmartformer-rfi.txt; classtype:web-application-attack; sid:2012666; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_mediamall"; nocase; http_uri; content:"category="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/88439/joomlamediamallfactory-bsql.txt; classtype:web-application-attack; sid:2012667; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/lib/lcUser.php?"; nocase; http_uri; content:"LIBDIR="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/22484; classtype:web-application-attack; sid:2012668; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/mods/ckeditor/filemanager/connectors/php/upload.php?"; nocase; http_uri; content:"CKEditorFuncNum="; nocase; http_uri; pcre:"/CKEditorFuncNum\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99698/ClanSphere2010.3CKEditor-xss.txt; classtype:web-application-attack; sid:2012669; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/plugins/photosmash-galleries/index.php?"; nocase; 
content:"action="; nocase; http_uri; pcre:"/action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99089/photosmash-xss.txt; classtype:web-application-attack; sid:2012670; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UNION SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012673; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa INSERT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012674; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa DELETE"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012675; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa ASCII"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012676; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012677; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/openBrowser.php?"; nocase; http_uri; content:"onload="; nocase; http_uri; pcre:"/onload\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; 
reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012678; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/we/include/we_modules/shop/edit_shop_editorFrameset.php?"; nocase; http_uri; content:"onload="; http_uri; nocase; pcre:"/onload\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012679; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/we/include/we_modules/messaging/messaging_show_folder_content.php?"; nocase; http_uri; content:"we_transaction="; nocase; http_uri; pcre:"/we_transaction\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012680; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/we/include/weTracking/econda/weEcondaImplement.inc.php?"; http_uri; nocase; content:"shop_artikelid="; http_uri; nocase; pcre:"/shop_artikelid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,47047; 
reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012681; rev:2;)
# sids 2012682 / 2012683: POST to /OvCgi/snmpviewer.exe with an overlong parameter, one rule
# per parameter. The relative checks (isdataat, the negated line feed, and the pcre) hang off
# whichever of app= / act= is listed last in the rule. The pcre is the strict test: 257
# consecutive characters after the parameter that are neither "&" nor whitespace.
# The app= / act= contents are not bound to an HTTP buffer, so they match anywhere in the
# request stream.
# NOTE(review): the reference is written cve,CVE-2010-1552 here while other rules in this
# ruleset use a bare year-number or a CAN- prefix; normalise if tooling keys on the reference id.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:5;)
# sid 2012686: POST whose body begins with "data=vK6yv+". depth:11 equals the length of the
# string, so only the first bytes of the client body are tested.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=vK6yv+"; http_client_body; depth:11; classtype:trojan-activity; sid:2012686; rev:4;)
# sid 2012690: the cmd.exe banner ("Microsoft Windows [Version ", "Copyright (c)", "Microsoft
# Corp", in that order) leaving a HOME_NET host in a packet under 160 bytes, on any port, to
# any destination. The msg says Windows 7, but no version number is part of the match.
# NOTE(review): a hit shows a shell banner crossing the wire in cleartext. Identify the
# process that owns the socket on the source host before concluding compromise, since
# cleartext remote-administration tools would presumably produce the same bytes.
alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System"; flow:established; dsize:<160; content:"Microsoft Windows [Version "; depth:30; content:"Copyright (c)"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2012690; rev:1;)
# sid 2012691: Host header containing www.showmyipaddress.com. The www. label is part of the
# content, so a request to the bare domain does not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:1;)
# sid 2012692: response body telling the client its User-Agent looks automated.
# NOTE(review): the content string below is split by a blank line, which looks like markup
# lost in extraction; a rule parser will not accept it in this form. Restore the string from
# the upstream copy of this sid before loading.
# NOTE(review): the msg is tagged ET POLICY but the classtype is trojan-activity; check which
# severity you want this to carry in alert triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; file_data; content:"

Your current User-Agent string appears to be from an automated process,"; distance:0; classtype:trojan-activity; sid:2012692; rev:7;)
# sid 2012693: URI containing "/sidebar.asp?bn=0&qy=" plus the token "EmbeddedWB" anywhere in
# the request headers (both case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE overtls.com adware request"; flow:to_server,established; content:"/sidebar.asp?bn=0&qy="; http_uri; content:"EmbeddedWB"; http_header; classtype:trojan-activity; sid:2012693; rev:2;)
# sid 2012694: ".xxx" immediately followed by CRLF within 100 bytes after "Host: ".
# NOTE(review): a Host value that carries an explicit port (".xxx:8080") does not end in
# ".xxx" + CRLF and would not match; the within:100 window can also reach past the Host line
# into the next header. Both are case-sensitive matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"|2E|xxx|0D 0A|"; fast_pattern; http_header; within:100; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:4;)
# sid 2012695: User-Agent header starting with "Lotto" (case-sensitive prefix match).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious User Agent (Lotto)"; flow:to_server,established; content:"User-Agent|3a| Lotto"; http_header; classtype:trojan-activity; sid:2012695; rev:2;)
# sid 2012696: response header announcing a download whose filename starts
# "InstallInternetProtection_" (case-insensitive). It keys on the header only; the file
# content itself is not inspected.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV InstallInternetProtection Download"; flow:established,from_server; content:"|3b 20|filename=|22|InstallInternetProtection_"; http_header; nocase; classtype:trojan-activity; sid:2012696; rev:1;)
# sid 2012697: GET to /index.php? with option=com_virtuemart, page= and the word "substring"
# in the URI.
# NOTE(review): unlike the other SQL-injection rules in this ruleset, the last three contents
# have no nocase, so a request using different letter case for "substring" or the parameter
# names is not covered. There is also no pcre tying "substring" to the page= value, and only
# the GET method is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_virtuemart"; http_uri; content:"page="; http_uri; content:"substring"; http_uri; reference:url,exploit-db.com/exploits/17132; classtype:web-application-attack; sid:2012697; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; 
http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012698; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012699; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012700; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012701; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/samples/with_db/loaddetails.php?"; nocase; http_uri; content:"id="; nocase; http_uri; 
content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012702; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100324; classtype:web-application-attack; sid:2012703; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100325; classtype:web-application-attack; sid:2012704; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/wp-publication-archive/includes/openfile.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/43067; reference:url,securelist.com/en/advisories/43067; classtype:web-application-attack; sid:2012705; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/vtigerservice.php?"; 
nocase; http_uri; content:"service="; nocase; http_uri; pcre:"/service\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/100183/vtigerCRM5.2.1-XSS.txt; classtype:web-application-attack; sid:2012706; rev:2;)
# sid 2012707: response starting "HTTP/1.1 200" with "Server: Apache" within the next 50 bytes
# and then "Server:nginx" (no space after the colon) within 150 bytes after that. All three
# are case-sensitive raw-stream matches, so the rule depends on this exact spelling.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious double Server Header"; flow:from_server,established; content:"HTTP/1.1 200"; depth:12; content:"Server|3a| Apache"; within:50; content:"Server|3a|nginx"; fast_pattern; within:150; classtype:trojan-activity; sid:2012707; rev:3;)
# sid 2012708: a 414 status sent by a HOME_NET web server to an external client, i.e. the
# server rejected an over-long request URI. Useful as a server-side companion to inbound
# overflow or injection alerts for the same flow.
# NOTE(review): the reason-phrase content is not bound to an HTTP buffer, and a server that
# sends a different phrase with its 414 would not match.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; nocase; classtype:web-application-attack; sid:2012708; rev:4;)
# sids 2012709-2012712: inbound connection requests to TCP 3389 that carry a
# "Cookie: mstshash=NAME" line after the fixed leading bytes 03 00 00 / e0 00 00 00 00 00
# (presumably the connection-request framing; confirm against a capture).
# - 2012709 has no CRLF after "admin", so it matches any name that starts with admin
#   (for example "administrator"); the other three require the exact name followed by CRLF.
# - 2012709 anchors the cookie with distance:0; the other three leave it unanchored.
# - The cookie is sent by the client, so a hit records the name that was requested, not a
#   successful logon. Pair with host authentication logs before escalating.
# - Only port 3389 is watched, and there is no threshold: every request alerts, which can be
#   noisy during password guessing. Consider a threshold or suppression per source.
# NOTE(review): the cve reference is written CAN-2001-0540 in two rules and 2001-0540 in the
# other two; normalise if tooling keys on the reference id.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop POS User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Service User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=service|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012712; rev:1;)
# sid 2012713: FakeAV check-in. GET whose URI contains php?partner_id=, &u=, &log_id= and &os=.
# The four tokens are case-sensitive and unordered; it is the combination that is specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Internet Protection FakeAV checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"php?partner_id="; http_uri; content:"&u="; http_uri; content:"&log_id="; http_uri; content:"&os="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=7710686d03cd3174b6f644434750b22b; classtype:trojan-activity; sid:2012713; rev:2;)
# sid 2012714: response header announcing a download whose filename starts "BestAntivirus20"
# (case-insensitive). It keys on the header only; the file content is not inspected.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV BestAntivirus2011 Download"; flow:established,from_server; content:"|3b 20|filename=|22|BestAntivirus20"; http_header; nocase; classtype:trojan-activity; sid:2012714; rev:2;)
# sids 2012715-2012719: one rule per SQL keyword pair against /country_escorts.php? with
# country_id= in the URI. The pcre requires at least one character between the two keywords
# and runs on the normalised URI (U), case-insensitively.
# - Only GET is inspected; the same parameter sent in a POST body is outside these rules.
# - The keywords are plain substrings, so the UPDATE/SET pair also matches "SET" inside longer
#   words; expect some false positives on busy sites.
# NOTE(review): in 2012717 the path content has no nocase, unlike its four siblings, so that
# rule alone is case-sensitive on the script name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012715; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012716; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; http_uri; content:"country_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012717; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012718; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012719; rev:2;)
# sid 2012720: GET to /config/custom/base.ini.php? with "x=" followed by a word character.
# "x=" is matched as a substring, so any parameter whose name ends in x qualifies; in practice
# the rule fires on almost any parameterised GET to this file. The alert does not show what
# was sent, so read the full request from web-server or proxy logs when triaging.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/config/custom/base.ini.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x=\w/Ui"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:3;)
alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/filemanager/get_file.php?"; nocase; http_uri; content:"language="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/39517; classtype:web-application-attack; sid:2012721; rev:2;)
# sid 2012722: request to the SocialGrid inline-admin.js.php script where default_services= is followed
# (pcre on the URI, case-insensitive) by "script", an on* event-handler name or "style=".
# No http_method option, so any request method is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability"; flow:established,to_server; content:"/plugins/socialgrid/static/js/inline-admin.js.php?"; nocase; http_uri; content:"default_services="; nocase; http_uri; pcre:"/default_services\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/44256; reference:url,htbridge.ch/advisory/xss_in_socialgrid_wordpress_plugin.html; classtype:web-application-attack; sid:2012722; rev:2;)
# sid 2012723: GET /index.php? with option=com_zoom and Itemid=, where "and" is later followed by "substring(" in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo component com_zoom Blind SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_zoom"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/80992/mambozoom-sql.txt; classtype:web-application-attack; sid:2012723; rev:2;)
# sid 2012724: GET to /include/classes/file.class.php? where filePath= starts with an ftp(s)/http(s)/php scheme
# followed by ":/" (remote include target). The rule text continues on the next source line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/classes/file.class.php?"; nocase; http_uri; content:"filePath="; nocase; http_uri; pcre:"/filePath=\s*(ftps?|https?|php)\:\//Ui"; 
reference:url,packetstormsecurity.org/files/view/100525/cituscms-rfi.txt; classtype:web-application-attack; sid:2012724; rev:2;)
# sid 2012725: outbound request whose URI contains "/dfrg/dfrg".
# NOTE(review): that one short URI string is the only discriminator (no method, header or host check);
# triage hits against the referenced sample reports before treating them as confirmed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/FakeSysdef Rogue AV Checkin"; flow:established,to_server; content:"/dfrg/dfrg"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=f0f750e8f195dcfc8623679ff2df1267; reference:url,www.threatexpert.com/report.aspx?md5=e186e530ebf0aec07f0cd2afd706633c; reference:url,www.threatexpert.com/report.aspx?md5=294a729bb6a8fc266990b4c94eb86359; classtype:trojan-activity; sid:2012725; rev:7;)
# sid 2012726: inbound request with "OpenVAS" within 100 bytes after "User-Agent: " in the headers.
# This keys on the scanner identifying itself; a scan that sends another User-Agent will not raise it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"OpenVAS"; http_header; fast_pattern; within:100; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:4;)
# sid 2012727: outbound GET whose URI contains ".php?affid=", "&data=" and "&v=" (no ordering enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BestAntivirus2011 Fake AV reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?affid="; http_uri; content:"&data="; http_uri; content:"&v="; http_uri; classtype:trojan-activity; sid:2012727; rev:2;)
# sids 2012728-2012730: DNS lookups on UDP/53 for three fixed names, matched as length-prefixed labels
# ending in the root byte, so subdomains of each name match as well.
# NOTE(review): unlike sid 2012738 these do not first check the DNS header bytes at offset 2.
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain .ntkrnlpa.info Lookup"; content:"|08|ntkrnlpa|04|info|00|"; nocase; classtype:trojan-activity; sid:2012729; rev:3;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup"; content:"|03|ilo|05|brenz|02|pl|00|"; nocase; classtype:trojan-activity; sid:2012730; rev:4;)
# sid 2012734: outbound request whose User-Agent header value starts with "AskPartner";
# the rule text continues on the next source line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding)"; flow:to_server,established; content:"User-Agent|3a| AskPartner"; http_header; fast_pattern:only; 
classtype:trojan-activity; sid:2012734; rev:2;)
# sid 2012735: outbound request whose User-Agent value starts with "Babylon".
# fast_pattern:12,7 selects the 7 bytes at offset 12 of the content, i.e. "Babylon", for the prefilter.
# Classified policy-violation; the md5 references are the samples the rule was written from.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)"; flow:to_server,established; content:"User-Agent|3a| Babylon"; http_header; fast_pattern:12,7; reference:md5,54e482d6c0344935115d04b411afdb27; reference:md5,54dfd618401a573996b2b32bdd21b2d4; reference:md5,546888f8a18ed849058a5325015c29ef; reference:url,www.babylon.com; classtype:policy-violation; sid:2012735; rev:5;)
# sid 2012737: any request header line that ends in ".cw.cm" followed by CRLF.
# NOTE(review): the content is not tied to the Host header (sid 2012810 matches "Host:" first),
# so another header ending in the same bytes, such as a Referer, would also fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.cw.cm domain"; flow:established,to_server; content:".cw.cm|0d 0a|"; http_header; classtype:bad-unknown; sid:2012737; rev:3;)
# sid 2012738: DNS query for a name under 8866.org. Bytes 2-11 must be the header of a standard
# recursive query (flags 01 00, one question, no other records); the labels must follow somewhere after.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8866|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:6;)
# sid 2012739: outbound GET for a URI containing "/taskx.txt" sent with the Indy Library User-Agent string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/taskx.txt"; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:1;)
# sid 2012740: outbound request whose User-Agent value starts with "VERTEXNET" (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:6;)
# sid 2012741 (Gesytec ElonFmt ActiveX, CLSID match in the response body); continues on the next source line.
# NOTE(review): as printed on this page the rule's only content string begins `]*classid\s*=` and ends
# in `/si` - regex syntax inside a content option. This looks like text between a "<" and a ">" was
# stripped when the page was extracted, fusing an earlier content with the pcre. Treated as a literal
# it is unlikely to match real traffic; restore the rule from the upstream ruleset before loading it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gesytec 
ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:2;)
# sid 2012742: response body containing "ActiveXObject" and, after it, "ELONFMTLib.ElonFmt", plus
# ".GetItem1" anywhere (the last content is not relative). Script-instantiation counterpart to the
# CLSID rule sid 2012741; both cite the same exploit-db entry.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ELONFMTLib.ElonFmt"; nocase; distance:0; content:".GetItem1"; nocase; reference:url,exploit-db.com/exploits/17196; classtype:attempted-user; sid:2012742; rev:2;)
# sid 2012743: GET to /extensions/saurus4/captcha_image.php? where class_path= starts with an
# ftp(s)/http(s)/php scheme followed by ":/" (remote include target).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/extensions/saurus4/captcha_image.php?"; nocase; http_uri; content:"class_path="; nocase; http_uri; pcre:"/class_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100461/sauruscms-rfi.txt; classtype:web-application-attack; sid:2012743; rev:2;)
# sid 2012744: GET to /CollectionContent.asp? with id=, where "and" is later followed by "substring(" in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Publishing Technology id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/CollectionContent.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/100822/publishingtechnology-sql.txt; classtype:web-application-attack; sid:2012744; rev:2;)
# sids 2012745-2012749: five sibling rules for /model-kits.php?, each requiring akce=, nazev= and id=
# in the URI plus one SQL keyword pair in order. The msg names the id parameter, but the pcre is not
# anchored to it. sid 2012745 (SELECT ... FROM) continues on the next source line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; 
http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012745; rev:2;)
# sid 2012746: phpRS /model-kits.php? rule, DELETE ... FROM variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012746; rev:2;)
# sid 2012747: phpRS /model-kits.php? rule, UNION ... SELECT variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012747; rev:2;)
# sid 2012748: phpRS /model-kits.php? rule, INSERT ... INTO variant; the rule text continues on the next source line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012748; 
rev:2;)
# sid 2012749: phpRS /model-kits.php? rule, UPDATE ... SET variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/model-kits.php?"; nocase; http_uri; content:"akce="; nocase; http_uri; content:"nazev="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012749; rev:2;)
# sid 2012750: GET to /plugins/PluginController.php? with path= and the literal "..%2f".
# NOTE(review): the "..%2f" content has neither http_uri nor nocase, so it is matched case-sensitively
# against the first 200 bytes of the raw payload; the upper-case "%2F" spelling is not covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/PluginController.php?"; nocase; http_uri; content:"path="; nocase; http_uri; content:"..%2f"; depth:200; reference:url,packetstormsecurity.org/files/view/100823/OrangeHRM2.6.3-lfi.txt; classtype:web-application-attack; sid:2012750; rev:2;)
# sid 2012751: traffic to TCP/808 containing the exact header line "User-Agent: changhuatong" between
# CRLFs. Matched on the raw stream (no http_header modifier), presumably because port 808 is not
# expected to be in $HTTP_PORTS - verify against the sensor's port variables.
alert tcp $HOME_NET any -> $EXTERNAL_NET 808 (msg:"ET USER_AGENTS suspicious user agent string (changhuatong)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a 20|changhuatong|0d 0a|"; classtype:trojan-activity; sid:2012751; rev:1;)
# sid 2012753: HTTP response whose headers carry filename=" with "antiv" within the next 50 bytes, and
# the /H pcre then requires ".exe" later on the same header line. Name-based, hence "Possible" in the msg.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download"; flow:established,to_client; content:"filename=|22|"; http_header; nocase; content:"antiv"; fast_pattern; nocase; http_header; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv[^\n]+\.exe/Hi"; classtype:trojan-activity; sid:2012753; rev:3;)
# sid 2012754: URI containing the four-NULL UNION ALL SELECT string and "-- AND". The detection_filter
# holds alerts back until the rule's match rate toward one destination reaches the count 4 / 20 s
# setting, so a single matching request is silent. The rule text continues on the next source line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; http_uri; content:"-- AND"; http_uri; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; 
reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:1;)
# sid 2012757: outbound request whose User-Agent value starts with "CholTBAgent".
# NOTE(review): the detection_filter (count 4 in 20 s, by_dst) is the same setting as the scan rule
# sid 2012754; for a User-Agent indicator it means isolated requests never alert - confirm that is wanted.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; content:"User-Agent|3a 20|CholTBAgent"; http_header; detection_filter:track by_dst, count 4, seconds 20; classtype:trojan-activity; sid:2012757; rev:4;)
# sid 2012758: DNS query (standard recursive-query header at offset 2) containing the label "dyndns"
# followed by a three-character label.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|dyndns|03|"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012758; rev:4;)
# sid 2012760: request for /ccmcip/xmldirectorylist.jsp?f=vsr'|| followed later by an SQL keyword.
# NOTE(review): the pcre alternation lists "delete" twice (redundant, harmless), and the short
# alternatives "or"/"and" have no word boundary, so the fixed URI prefix carries the selectivity.
# The destination port is "any" although the rule relies on http_uri.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; http_uri; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/Ui"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:2;)
# sid 2012761: outbound GET whose User-Agent header is exactly "mdms" (case-sensitive, CRLF-terminated).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious user agent (mdms)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| mdms|0d 0a|"; http_header; classtype:trojan-activity; sid:2012761; rev:2;)
# sid 2012762: outbound GET whose User-Agent header is exactly "asd" (case-insensitive, CRLF-terminated).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious user agent (asd)"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| asd|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2012762; rev:2;)
# sid 2012781: DNS query (standard recursive-query header at offset 2) with "explorer_exe" somewhere
# after the header; the rule text continues on the next source line.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Possible Hiloti DNS Checkin Message explorer_exe"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"explorer_exe"; nocase; distance:0; 
reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2012781; rev:2;)
# sids 2012782-2012784: outbound traffic to TCP/8118 containing "/client/symbian/" and one of three
# file names. Matched on the raw stream; none of the three uses an http_* modifier.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"StartUpdata.ini"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"active.txt"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2;)
# sid 2012787: response body containing the ICONICS WebHMI CLSID and, after it, "SetActiveXGUID",
# confirmed by a pcre on the classid attribute.
# NOTE(review): the pcre starts with `/]*classid`, which looks like an extraction artifact: other
# ET ActiveX rules open this regex with `<OBJECT\s+[^>]*`, and that "<...>" span appears to have been
# stripped from this page. As printed the regex still compiles but no longer requires an OBJECT tag.
# Compare with the upstream rule before loading.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA ICONICS WebHMI ActiveX Stack Overflow"; flow:to_client,established; file_data; content:"D25FCAFC-F795-4609-89BB-5F78B4ACAF2C"; nocase; distance:0; content:"SetActiveXGUID"; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D25FCAFC-F795-4609-89BB-5F78B4ACAF2C/si"; reference:url,www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf; reference:url,www.exploit-db.com/exploits/17240/; classtype:attempted-user; sid:2012787; rev:2;)
# sids 2012788-2012792: five sibling rules for /interna.php?txtCodiInfo=, one per SQL keyword pair.
# sid 2012788 (SELECT ... FROM) continues on the next source line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; 
nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012788; rev:2;)
# sid 2012789: KLINK /interna.php?txtCodiInfo= rule, DELETE ... FROM variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012789; rev:3;)
# sid 2012790: KLINK /interna.php?txtCodiInfo= rule, UNION ... SELECT variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012790; rev:2;)
# sid 2012791: KLINK /interna.php?txtCodiInfo= rule, INSERT ... INTO variant.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012791; rev:2;)
# sid 2012792: KLINK /interna.php?txtCodiInfo= rule, UPDATE ... SET variant; continues on the next source line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; 
http_method; content:"/interna.php?"; nocase; http_uri; content:"txtCodiInfo="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012792; rev:2;)
# sid 2012793: POST to /modules/sections/index.php? with op= and secid=, where "ASCII(" is later followed
# by "SELECT". Although the method is POST, every content and the pcre inspect the URI, not the body.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Xoopport Samsara Sections module secid Parameter Blind SQL Injection Exploit"; flow:established,to_server; content:"POST"; http_method; content:"/modules/sections/index.php?"; nocase; http_uri; content:"op="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15004; classtype:web-application-attack; sid:2012793; rev:2;)
# sid 2012794: GET to the ClanSphere ckeditor connector.php? with Command=, Type= and CurrentFolder=, plus "../".
# NOTE(review): the "../" content has no http_uri modifier, so it is matched against the first
# 200 bytes of the raw payload rather than the URI buffer; percent-encoded separators are not covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/mods/ckeditor/filemanager/connectors/php/connector.php?"; http_uri; nocase; content:"Command="; nocase; http_uri; content:"Type="; nocase; http_uri; content:"CurrentFolder="; nocase; http_uri; content:"../"; depth:200; reference:bugtraq,47636; classtype:web-application-attack; sid:2012794; rev:2;)
# sid 2012795: GET to /admin/admin_news_bot.php? where root_path= starts with an ftp(s)/http(s)/php
# scheme followed by ":/" (remote include target).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/admin_news_bot.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,securityreason.com/exploitalert/7180; classtype:web-application-attack; sid:2012795; rev:2;)
# sid 2012797: request to /lib/jscalendar/test.php? where lang= is followed by "script", an on*
# event-handler name or "style="; the rule text continues on the next source line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt"; 
flow:established,to_server; content:"/lib/jscalendar/test.php?"; nocase; http_uri; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101056/WebAuction0.3.6-XSS.txt; classtype:web-application-attack; sid:2012797; rev:2;)
classtype:trojan-activity; sid:2012801; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| MSIE 8.0|3b| Windows NT 6.0|3b| en-US)|0d 0a|"; http_header; fast_pattern:20,20; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012802; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Alms backdoor checkin"; flow:to_server,established; content:"/getnewv.php?keyword=google&id="; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_header; classtype:trojan-activity; sid:2012803; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; file_data; content:"4d5a"; within:4; nocase; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; classtype:trojan-activity; sid:2012804; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upload-controler.php?"; nocase; http_uri; content:"atm-regen="; nocase; http_uri; content:"../"; depth:200; reference:url,securelist.com/en/advisories/43589; classtype:web-application-attack; sid:2012805; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)"; flow:established,to_client; file_data; content:"|2f 
2f|mshtml|2e|dll"; nocase; distance:0; content:"unescape|28|"; nocase; distance:0; content:"onload"; nocase; distance:0; content:"ObjectLoad|28|"; within:32; pcre:"/src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll/"; reference:url,www.1337day.com/exploits/16077; classtype:attempted-user; sid:2012806; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump attempted access"; flow:established,to_server; content:"/uploads/"; http_uri; content:".wordpress.20"; http_uri; distance:0; content:".xml_.txt"; http_uri; distance:0; fast_pattern; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:attempted-recon; sid:2012808; rev:1;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump successful leakage"; flow:established,from_server; content:"|0d 0a||0d 0a|"; content:"|0d 0a|Content-Type|3a 20|text/plain|0d 0a|"; http_header; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:successful-recon-largescale; sid:2012809; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:to_server,established; content:"Host|3a|"; http_header; content:".tk|0d 0a|"; fast_pattern; within:50; http_header; content:!".tcl.tk|0d 0a|"; http_header; content:!"Host|3a 20|tcl.tk|0d 0a|"; http_header; classtype:bad-unknown; sid:2012810; rev:9;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a .tk domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012811; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set"; flow:established,to_client; content:"PDF-"; depth:300; content:".ses"; fast_pattern; nocase; distance:0; flowbits:set,ET_Assassin.ses; flowbits:noalert; 
reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:bad-unknown; sid:2012813; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"|43 4F 4F 4C 4E 45 53 53 50 F2 08 00|"; fast_pattern:only; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager Blind SQL Injection Attempt"; flow:established,to_server; content:"/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs=|27|waitfor"; nocase; http_uri; content:"delay|27|"; nocase; http_uri; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0960; classtype:web-application-attack; sid:2012818; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager advancedfind.do Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/advancedfind.do?extn="; http_uri; nocase; pcre:"/extn\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012819; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager deviceInstanceName Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/ddv.do?deviceInstanceName="; http_uri; nocase; content:"deviceCapability=deviceCap"; http_uri; nocase; pcre:"/deviceInstanceName\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012820; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/eventmon?cmd="; http_uri; nocase; content:"&dojo.preventCache="; http_uri; nocase; pcre:"/cmd\x3D(filterHelper|getDeviceData\x26group\x3D).+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012821; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon_wrapper.jsp Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?"; http_uri; nocase; content:"Name="; http_uri; nocase; pcre:"/\x2Ejsp\x3F(clusterName|deviceName)\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012822; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager clusterName Reflective XSS Attempt"; flow:established,to_server; content:"/iptm/logicalTopo.do?clusterName="; http_uri; nocase; pcre:"/clusterName\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012823; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Common Services Framework Reflective XSS Attempt"; flow:established,to_server; content:"/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage"; http_uri; nocase; pcre:"/introductionhomepage.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0962; classtype:web-application-attack; sid:2012824; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CiscoWorks Help Servlet Reflective XSS Attempt"; flow:established,to_server; content:"/cwhp/device.center.do?device="; http_uri; nocase; pcre:"/device\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0961; classtype:web-application-attack; sid:2012825; rev:2;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query to a Suspicious *.vv.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|vv|02|cc|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012826; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.vv.cc domain"; flow:to_server,established; content:".vv.cc|0D 
0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012827; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud download"; flow:established,to_server; content:"/peca"; nocase; http_uri; content:".exe"; nocase; http_uri; content:"User-Agent|3a 20|SKOLOVANI"; nocase; http_header; pcre:"/\x2fpeca\d+\x2eexe/Ui"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Rimecud.A; classtype:trojan-activity; sid:2012828; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012829; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012830; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; 
nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012831; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012832; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; nocase; http_uri; content:"view="; nocase; http_uri; content:"catid="; nocase; http_uri; content:"secid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012833; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ChillyCMS mod Parameter Blind SQL Injection Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/core/show.site.php?"; nocase; http_uri; content:"editprofile"; nocase; http_uri; content:"mod="; nocase; http_uri; content:"AND"; nocase; http_uri; 
content:"SELECT"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/select.+substring/Ui"; reference:url,packetstormsecurity.org/files/view/89665/chillycms-sql.txt; reference:url,exploit-db.com/exploits/12643; classtype:web-application-attack; sid:2012834; rev:1;)
# sid 2012835 - inbound GET to /ffileman.cgi carrying a direkt= parameter plus a "../" sequence.
# The "../" content has no http_uri modifier, so it is matched against the first 200 bytes of the
# raw payload rather than the normalized URI; an encoded form of the sequence would not match
# this literal. NOTE(review): confirm that is the intended buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/ffileman.cgi?"; nocase; http_uri; content:"direkt="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/101212/ffileman-traversal.txt; classtype:web-application-attack; sid:2012835; rev:1;)
# sid 2012836 - inbound GET to /src/slooz.php with a file= parameter.
# The pcre only requires one word character after "file=", so any ordinary request that passes a
# file value to this script matches; expect alerts on normal use wherever the application is
# deployed. Destination is $HOME_NET, not $HTTP_SERVERS.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/src/slooz.php?"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\w/Ui"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:2;)
# sid 2012837 - inbound GET to the com_mgm help script where mosConfig_absolute_path= is followed
# (after optional whitespace) by an ftp, ftps, http, https or php scheme and ":/", i.e. the
# include path is being pointed at a remote or stream-wrapper location.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_mgm/help.mgm.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt; reference:url,securityreason.com/wlb_show/WLB-2010100045; classtype:web-application-attack; sid:2012837; rev:1;)
# sid 2012838 (the rule continues on the next line) - inbound GET to the is-human plugin's
# engine.php with action= and type= parameters. Its pcre is /type=\w/, so, like sid 2012836,
# it matches any request that supplies a type value.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/is-human/engine.php?"; nocase; http_uri; content:"action="; nocase; http_uri; 
content:"type="; nocase; http_uri; pcre:"/type=\w/Ui"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:2;)
# sid 2012839 - outbound request to TCP port 27889 containing ".ashx?m=", a "-" exactly two bytes
# later, then "&mid=", "&tid=", "&d=", "&uid=" and "&t=" in that order (each distance:0).
# Only "GET" uses an HTTP buffer (http_method); the parameter contents are matched in the raw
# payload. NOTE(review): http_method needs HTTP inspection on port 27889 - confirm the sensor's
# HTTP port configuration includes it, otherwise this rule may never fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET 27889 (msg:"ET TROJAN Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2e|ashx|3f|m|3d|"; content:"|2d|"; distance:2; within:1; content:"|26|mid|3d|"; distance:0; content:"|26|tid|3d|"; distance:0; content:"|26|d|3d|"; distance:0; content:"|26|uid|3d|"; distance:0; content:"|26|t|3d|"; distance:0; reference:url,threatexpert.com/report.aspx?md5=48432bdd116dccb684c8cef84579b963; classtype:trojan-activity; sid:2012839; rev:3;)
# sid 2012841 - outbound request whose URI contains ".php?a=QQk". Besides alerting it sets the
# flowbit et.exploitkitlanding on the flow; the rules that test that flowbit are not on this
# part of the page. The classtype is attempted-user although the msg category is TROJAN.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Incognito Exploit Kit Checkin"; flow:established,to_server; content:".php|3F|a|3D|QQk"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,blog.fireeye.com/research/2011/03/the-rise-of-incognito.html; classtype:attempted-user; sid:2012841; rev:4;)
# sid 2012842 - outbound packet to any port with exactly 16 bytes of payload that starts with the
# 8 bytes 00 00 00 11 C8 00 00 00. The signature is a fixed binary prefix plus a size check only.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:url,www.threatexpert.com/report.aspx?md5=bfbc0b106a440c111a42936906d36643; reference:url,www.threatexpert.com/report.aspx?md5=2190a2c0a3775bc9c60629ec2eb6f3b9; classtype:trojan-activity; sid:2012842; rev:3;)
# sid 2012843 - policy rule, any source to any destination on $HTTP_PORTS: a request body that
# contains "log=", "&pwd=" and "&wp-submit=", i.e. a WordPress login form posted over plain HTTP.
# The matched body carries the submitted password, so where packet or payload logging is enabled
# the alert data for this rule should be stored and shared as credential material.
alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; classtype:policy-violation; sid:2012843; rev:2;)
# sid 2012844 (the rule continues on the next line) - outbound request whose URI contains
# "/Kernel.jsp?Version=" and "&PhoneType=", both case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; fast_pattern:only; http_uri; content:"&PhoneType="; nocase; http_uri; 
reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Mobile Malware POST of IMSI International Mobile Subscriber Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imsi="; nocase; http_uri; reference:url,learntelecom.com/international-mobile-subscriber-identity-imsi/; classtype:bad-unknown; sid:2012849; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; 
classtype:trojan-activity; sid:2012850; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; 
nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; content:"User-Agent|3A| SimpleClient "; http_header; 
reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; 
pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:11;) alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; fast_pattern:only; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clicker.Win32.AutoIt.ai Checkin"; flow:to_server,established; content:"/getpmnum"; http_uri; content:".asp?"; http_uri; content:"id="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=39d0dbe4f6923ed36864ae339f558963; classtype:trojan-activity; sid:2012867; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; content:"pw|3a| "; nocase; http_header; classtype:policy-violation; sid:2012870; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=|22|upload_file|22|"; http_client_body; content:"URL|3a|"; http_client_body; content:!"elsevier.com"; http_header; classtype:trojan-activity; sid:2012871; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; 
classtype:web-application-attack; sid:2012872; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012873; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012874; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012875; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; 
content:"GET"; http_method; content:"/admin/code/tce_xml_user_results.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"startdate="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012876; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_handlers/secure_img_handler.php?"; nocase; http_uri; content:"HANDLERS_DIRECTORY="; nocase; http_uri; pcre:"/HANDLERS_DIRECTORY=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012877; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_handlers/secure_img_handler.php?"; nocase; http_uri; content:"IMAGES_DIRECTORY="; nocase; http_uri; pcre:"/IMAGES_DIRECTORY=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012878; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_handlers/secure_img_handler.php?"; nocase; http_uri; content:"imgp="; nocase; http_uri; pcre:"/imgp=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012879; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 trackback_url Parameter 
Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; http_uri; content:"trackback_url="; nocase; http_uri; pcre:"/trackback_url=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012880; rev:1;)
# sid 2012881 - inbound GET to e107's trackbackClass.php where permLink= is followed (after
# optional whitespace) by an ftp, ftps, http, https or php scheme and ":/".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; http_uri; content:"permLink="; nocase; http_uri; pcre:"/permLink=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012881; rev:1;)
# sid 2012882 - outbound traffic to any port whose first 32 bytes are the ASCII text
# "MSG 5 N 130\r\nMIME-Version: 1.0\r\n" and which contains a run of sixteen 0xF6 bytes
# somewhere in the payload (the second content has no position modifiers).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a|"; depth:32; fast_pattern; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; reference:url,www.threatexpert.com/report.aspx?md5=4b8adc7612e984d12b77f197c59827a2; classtype:trojan-activity; sid:2012882; rev:4;)
# sids 2012886-2012888 - policy rules for credentials sent in an HTTP request body from $HOME_NET
# to any destination. Each is a single case-insensitive substring match, so it fires on the
# parameter name alone. Where payload logging is enabled, the captured body may include the
# password value; treat alert data from these rules as sensitive.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; content:"passwd="; nocase; http_client_body; classtype:policy-violation; sid:2012886; rev:2;)
# sid 2012887 - "pass=" is not anchored to a parameter boundary, so a longer name that merely
# ends in "pass" (for example a hypothetical "bypass=") also matches.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pass= in cleartext"; flow:established,to_server; content:"pass="; nocase; http_client_body; classtype:policy-violation; sid:2012887; rev:2;)
# sid 2012888 (the rule continues on the next line) - same pattern for "pwd=".
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pwd= in cleartext"; flow:established,to_server; content:"pwd="; nocase; http_client_body; classtype:policy-violation; sid:2012888; 
rev:2;) alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains passphrase= in cleartext"; flow:established,to_server; content:"passphrase="; nocase; http_client_body; classtype:policy-violation; sid:2012890; rev:2;) alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pword= in cleartext"; flow:established,to_server; content:"pword="; nocase; http_client_body; classtype:policy-violation; sid:2012891; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; reference:url,www.threatexpert.com/report.aspx?md5=d6b3baae9fb476f0cf3196e556cab348; classtype:trojan-activity; sid:2012892; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Known Skunkx DDOS Bot User-Agent Cyberdog"; flow:established,to_server; content:"User-Agent|3A| Cyberdog"; http_header; nocase; reference:url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/; classtype:trojan-activity; sid:2012893; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper.Win32.Agent.bpxo Checkin"; flow:established,to_server; content:"|71 4E 6C 39 34 65 66 59 41 7A 32 32 37 4F 71 45 44 4D 50 0A|"; depth:20; reference:url,www.threatexpert.com/report.aspx?md5=02e447b347a90680e03c8b7d843a8e46; reference:url,www.antivirus365.org/PCAntivirus/37128.html; classtype:trojan-activity; sid:2012894; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 288 (msg:"ET TROJAN Dropper.Win32.Agent.ahju Checkin"; flow:established,to_server; content:"|44 78 47 54 33 43 6D 42 66 39 73 39 6C 74 62 6A 35 61 4A 7C 0A|"; depth:21; reference:url,www.threatexpert.com/report.aspx?md5=48ad09c574a4bd3bb24d007005382e63; reference:url,www.threatexpert.com/report.aspx?md5=a264690a775a4e1b3d91c2dbcd850ce9; 
classtype:trojan-activity; sid:2012895; rev:2;)
# sids 2012896-2012899 - outbound HTTP requests with a header line ending in ".ae.am", ".noc.su",
# ".be.ma" or ".qc.cx" (the content includes the trailing CRLF). The match is on the whole header
# buffer and is not tied to the Host header, so any header whose value ends in the suffix matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.ae.am domain"; flow:to_server,established; content:".ae.am|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012896; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.noc.su domain"; flow:to_server,established; content:".noc.su|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012897; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.be.ma domain"; flow:to_server,established; content:".be.ma|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012898; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.qc.cx domain"; flow:to_server,established; content:".qc.cx|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012899; rev:2;)
# sids 2012900-2012903 - the DNS counterparts on UDP/53. The first content pins bytes 2-11 of the
# DNS header: flags 0x0100 (standard query, recursion desired), QDCOUNT 1, and ANCOUNT, NSCOUNT
# and ARCOUNT all 0. A query that carries an additional record (ARCOUNT 1, as with an EDNS0 OPT
# record) therefore does not match. The second content is the length-prefixed label pair for
# the suffix.
# NOTE(review): none of these four has nocase, while the *.vv.cc DNS rule in this file
# (sid 2012826) does. DNS names are case-insensitive, so confirm how the deployed engine treats
# case for these contents and whether mixed-case queries are meant to match.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.ae.am domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ae|02|am"; fast_pattern:only; classtype:bad-unknown; sid:2012900; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious *.noc.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noc|02|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern; distance:0; classtype:bad-unknown; sid:2012902; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qc|02|cx"; fast_pattern:only; classtype:bad-unknown; sid:2012903; rev:1;)
# sid 2012904 (the rule body is on the next line) - outbound request with "jiao.com" in the
# headers, "/?id=book22" in the URI, and a pcre tying "jiao.com" to the Host line.
# NOTE(review): the dot in the pcre's "jiao.com" is unescaped and matches any character; the
# literal content match already requires the real dot, so the effect is small, but "jiao\.com"
# is what the pattern appears to intend.
alert 
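tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:1;)
# sid 2012905 - HTTP response body (file_data) containing the CLSID
# 3A86F1F2-4921-4C75-AF2C-A1AA241E12BA and, after it, the method name ICMPSendEchoRequest.
# The pcre on this page began "/]*classid", which looks like the remains of an
# "<OBJECT\s+[^>]*classid" prefix removed when the page was extracted from HTML (the text between
# "<" and ">" is gone). The prefix is restored here so that the CLSID has to sit in the classid
# attribute of an OBJECT tag. Compare against the upstream rule before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; nocase; distance:0; content:"ICMPSendEchoRequest"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A86F1F2-4921-4C75-AF2C-A1AA241E12BA/si"; reference:url,www.exploit-db.com/exploits/17328/; classtype:attempted-user; sid:2012905; rev:1;)
# sid 2012906 - state-setting rule, never alerts (flowbits:noalert). On a server-to-client flow
# it looks for "stream" followed by a newline and the "FWS" marker and, when found, sets the
# flowbit ET.flash.pdf for other rules to test.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set"; flowbits:noalert; flow:established,to_client; content:"stream"; content:"|0A|FWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)FWS/"; flowbits:set,ET.flash.pdf; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012906; rev:4;)
# sid 2012907 (the rule continues on the next line) - the same state-setting rule for the "CWS"
# marker; it sets the same ET.flash.pdf flowbit and is also noalert.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Compressed Flash Content"; flowbits:noalert; flow:established,to_client; content:"stream"; content:"|0A|CWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)CWS/"; flowbits:set,ET.flash.pdf; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; 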
sid:2012907; rev:2;)
# sid 2012908 - outbound request whose URI ends in ".php?v=<alnum/dots>&id=<optional minus,
# digits>&wv=<1-14 digits/dots>" (the pcre is anchored with $). The classtype is bad-unknown
# although the msg files the rule under TROJAN; alert priority follows the classtype.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; reference:url,anubis.iseclab.org/?action=result&task_id=138559df2a6ed04a401366a9c60e2e1cf&format=txt; classtype:bad-unknown; sid:2012908; rev:2;)
# sid 2012909 - outbound request whose User-Agent header line contains the upper-case string
# "WORKED" (both the content and the pcre are case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; content:"WORKED"; http_header; pcre:"/User-Agent\x3a[^\n]+WORKED/H"; classtype:trojan-activity; sid:2012909; rev:2;)
# sid 2012918 - outbound request whose URI contains a path segment of the form "/xxxx_<digits>/".
# No method, host or User-Agent is checked, so the rule rests on that path shape alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS Trojan GET with xxxx_ string"; flow:established,to_server; content:"/xxxx_"; http_uri; pcre:"/\/xxxx_\d+\//U"; classtype:trojan-activity; sid:2012918; rev:3;)
# sid 2012919 - inbound request to /cgi-bin/config.cgi with "type=command&expand=" where the
# expand value contains "script", "alert" or one of the listed event-handler attribute names.
# The two parameters must appear adjacent and in this order for the content to match.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter XSS Attempt"; flow:established,to_server; content:"/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; nocase; http_uri; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; classtype:web-application-attack; sid:2012919; rev:1;)
# sid 2012924 (the rule continues on the next line) - outbound request to "/talktome.asmx" whose
# body contains "cell" and, after it, "opname".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; 
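http_client_body; nocase; content:"opname"; nocase; http_client_body; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:2;)
# sid 2012925 - server-to-client data containing the string concatenation  "u" + "0" + "  followed
# one byte later by  " + " , with a pcre requiring  "0" + "<a-d>" + " . This is the shape of
# script that assembles a unicode escape one character at a time. No HTTP buffer is used, so the
# match is on the raw payload.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:1;)
# sid 2012926 - inbound request with a URI longer than 1400 bytes that contains "/?P=" followed
# by "*?" pairs, with a pcre requiring 700 consecutive "*?" pairs (CVE-2011-0419 per the
# reference). The literal parameter name "P" is part of the content match.
# NOTE(review): presumably taken from the referenced write-up; confirm whether the pcre alone
# should carry the detection.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service"; flow:to_server,established; urilen:>1400; content:"|2F 3F|P|3D 2A 3F 2A 3F 2A 3F 2A 3F 2A 3F|"; http_uri; pcre:"/(\x2a\x3f){700}/U"; reference:cve,2011-0419; reference:url,cxib.net/stuff/apr_fnmatch.txt; reference:url,bugzilla.redhat.com/show_bug.cgi?id=703390; classtype:attempted-dos; sid:2012926; rev:3;)
# sid 2012929 - HTTP response body (file_data) containing the CLSID
# 55963676-2F5E-4BAF-AC28-CF26AA587566 and, after it, "url".
# The pcre on this page began "/]*classid", which looks like the remains of an
# "<OBJECT\s+[^>]*classid" prefix removed when the page was extracted from HTML. The prefix is
# restored here so that the CLSID has to sit in the classid attribute of an OBJECT tag. Compare
# against the upstream rule before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt"; flow:established,to_client; file_data; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; nocase; distance:0; content:"url"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*55963676-2F5E-4BAF-AC28-CF26AA587566/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012929; rev:1;)
# sid 2012930 (the rule continues on the next line) - the script-instantiation variant of the
# rule above: response body containing "ActiveXObject", then the ProgID
# "Cisco.AnyConnect.VPNWeb.1", then "url". It has no pcre, so the three strings only need to
# appear in that order.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Cisco.AnyConnect.VPNWeb.1"; nocase; distance:0; content:"url"; nocase; distance:0; 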
reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012930; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper/Clicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/nxdtic.txt"; http_uri; classtype:trojan-activity; sid:2012931; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:to_server,established; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=28110a8ea5c13859ddf026db5a8a864a; classtype:trojan-activity; sid:2012932; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Smilebox Software/Adware Checkin"; flow:established,to_server; content:"/trackClientAction.jsp?beacon="; http_uri; content:"&os="; http_uri; content:"&partner="; http_uri; reference:url,www.smilebox.com/privacy-policy.html; classtype:policy-violation; sid:2012933; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic adClicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"web"; http_uri; content:"getinfo"; http_uri; content:".aspx?"; http_uri; content:"ver="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; classtype:trojan-activity; sid:2012934; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Music Streaming"; flow:established,to_server; content:"GET"; http_method; content:"/stream?id="; http_uri; content:"googleusercontent.com|0d 0a|"; http_header; 
reference:url,music.google.com/about; classtype:policy-violation; sid:2012935; rev:5;)
# sid 2012936: inbound request with "User-Agent: ZmEu" in the headers.
# NOTE(review): classtype is trojan-activity although the msg category is SCAN - confirm the intended
# classification/priority.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ZmEu Scanner User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| ZmEu"; http_header; classtype:trojan-activity; sid:2012936; rev:1;)
# sid 2012937: inbound request with "(internal dummy connection)" within 100 bytes after "User-Agent: ".
# Same classtype remark as sid 2012936 (SCAN msg, trojan-activity classtype).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Internal Dummy Connection User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"(internal dummy connection)"; http_header; within:100; classtype:trojan-activity; sid:2012937; rev:1;)
# sid 2012938: TCP/9495 payload that starts with "POST " and is followed by at least 256 bytes with no
# LF in the next 256 - i.e. an over-long first line.
# NOTE(review): "reference:url, zerodayinitiative.com/..." has a space after the comma; check that the
# rule parser in use tolerates it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|"; within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:1;)
# sid 2012939: outbound GET for an image name followed by "?v<1-2 digits>=<digits>&tq=" with the header
# "User-Agent: mozilla/2.0\r\n". fast_pattern:10,15 limits the fast-pattern matcher to a 15-byte slice
# starting at offset 10 of that User-Agent content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?v"; http_uri; content:"&tq="; http_uri; content:"User-Agent|3a| mozilla/2.0|0d 0a|"; fast_pattern:10,15; http_header; pcre:"/\.(jpg|png|gif)\?v[0-9]{1,2}=[0-9]+&tq=/U"; classtype:trojan-activity; sid:2012939; rev:6;)
# sid 2012945: GET to /authenticate/sessions.php? with globalIncludeFilePath= in the URI and "../"
# somewhere in the first 200 payload bytes. The "../" content has no http_uri modifier and is not tied
# to the parameter value, so a traversal sequence anywhere in that window satisfies it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/authenticate/sessions.php?"; nocase; http_uri; content:"globalIncludeFilePath="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/101786/nvisionix-lfi.txt; classtype:web-application-attack; sid:2012945; rev:1;)
# sid 2012946: request to the inline-gallery browser.php with a do= parameter followed, anywhere later
# in the normalized URI, by "script", a DOM event-handler name or "style=" (pcre /Ui).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt"; flow:established,to_server; 
content:"/plugins/inline-gallery/browser/browser.php?"; nocase; http_uri; content:"do="; nocase; http_uri; pcre:"/do\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46781; classtype:web-application-attack; sid:2012946; rev:1;)
# sid 2012947: GET to /telecharger.php? with Fichier_a_telecharger= followed by at least one word
# character. The pcre only requires a non-empty value, so any use of the parameter alerts; treat hits
# as "endpoint was exercised" and inspect the requested value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/telecharger.php?"; nocase; http_uri; content:"Fichier_a_telecharger="; nocase; http_uri; pcre:"/Fichier_a_telecharger=\w/Ui"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:2;)
# sid 2012948: GET /index.php? with option=com_jmsfileseller and view= in the URI plus "../" in the
# first 200 payload bytes (raw payload match, not bound to the view= value).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jmsfileseller"; nocase; http_uri; content:"view="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/17338; classtype:web-application-attack; sid:2012948; rev:1;)
# sid 2012949: GET /scr/soustab.php? with dsn[phptype]= in the URI plus "../" in the first 200 payload
# bytes (same raw-payload caveat as sid 2012948).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/scr/soustab.php?"; nocase; http_uri; content:"dsn[phptype]="; nocase; http_uri; content:"../"; depth:200; reference:url,hack0wn.com/view.php?xroot=1440.0&cat=exploits; classtype:web-application-attack; sid:2012949; rev:1;)
# sid 2012950: first of five Openscrutin rules (2012950-2012954) that differ only in the script name.
# Each needs path_om= followed by an ftp/ftps/http/https/php scheme and ":/" in the normalized URI.
# This one matches "droit.class.php?" without the leading "/" its siblings use.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"droit.class.php?"; nocase; http_uri; content:"path_om="; 
nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012950; rev:1;)
# sid 2012951: Openscrutin collectivite.class.php - path_om= value beginning with a remote scheme.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/collectivite.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012951; rev:1;)
# sid 2012952: Openscrutin utilisateur.class.php - same path_om= scheme check.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/utilisateur.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012952; rev:1;)
# sid 2012953: Openscrutin courrier.class.php - same path_om= scheme check.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/courrier.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012953; rev:1;)
# sid 2012954: Openscrutin profil.class.php - same path_om= scheme check.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/profil.class.php?"; nocase; http_uri; content:"path_om="; nocase; http_uri; 
pcre:"/path_om=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012954; rev:1;)
# sid 2012955: outbound HTTP request with a header line ending ".co.tv\r\n". fast_pattern:only means
# the string is evaluated solely by the fast-pattern matcher. The match is on any header line, not
# specifically Host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.co.tv domain"; flow:to_server,established; content:".co.tv|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012955; rev:2;)
# sid 2012956: outbound UDP/53 packet whose bytes 2-11 equal 01 00 00 01 00 00 00 00 00 00 and which
# contains the DNS labels "co" and "tv" (length-prefixed).
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|tv"; fast_pattern:only; classtype:bad-unknown; sid:2012956; rev:2;)
# sid 2012957: outbound TCP to any port whose first 20 payload bytes equal the fixed sequence below.
# Port-agnostic, so it relies entirely on that 20-byte header.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.ZZSlash/Redosdru.E checkin"; flow:established,to_server; content:"|14 00 00 00 04 00 00 00 78 9C 63 60 60 60 00 00 00 04 00 01|"; depth:20; reference:url,www.threatexpert.com/report.aspx?md5=3b0299d72c853f56a1595c855776f89f; reference:url,www.threatexpert.com/report.aspx?md5=adc3a35d1244c9129be6edd6ccfaec5b; classtype:trojan-activity; sid:2012957; rev:2;)
# sid 2012959: outbound request with "User-Agent: MacShield" in the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MacShield User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:2;)
# sid 2012960: state-setting half of a request/response pair. A request from source port >= 1024 for a
# URI ending "/<digits>.rar" sets flowbit et.trojan.valkik.kku; flowbits:noalert suppresses the alert.
# The flowbit is spelled "valkik" while the msg says "Vaklik"; sid 2012961 uses the same spelling, so
# the pair still links up.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012960; rev:8;)
# sid 2012961: alerting half of the pair. It fires only when et.trojan.valkik.kku is set on the flow and
# the response has "Content-Length: 88", then the header terminator, then bytes 48 00 00 00 starting
# 4 bytes into the body. The flowbit is cleared on match.
alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length|3a 20|88|0d 0a|"; nocase; content:"|0d 0a 0d 0a|"; distance:0; content:"|48 00 00 00|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012961; rev:2;)
# sids 2012962-2012965: four rules that each match one literal ("0x0a0a0a0a" ... "0x0d0d0d0d",
# case-insensitive) anywhere in a server-to-client stream from $HTTP_PORTS. With a single
# fast_pattern:only string and no other condition they are content heuristics, hence "Possible" in the
# msg; presumably noisy on pages that merely contain such constants - correlate before escalating.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012962; rev:1;)
# sid 2012963: same heuristic for the literal "0x0b0b0b0b".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012963; rev:1;)
# sid 2012964: same heuristic for the literal "0x0c0c0c0c".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012964; rev:1;)
# sid 2012965: same heuristic for the literal "0x0d0d0d0d".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2012965; rev:1;)
# sid 2012966: percent-encoded form, literal "%0d%0d%0d%0d" in the to_client stream. Only the 0d byte is
# covered in this encoding (no 0a/0b/0c sibling is visible in this part of the file).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:1;)
# sid 2012967: %u-escaped form, literal "%u0d%u0d%u0d%u0d" in the to_client stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; 
nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:1;)
# sid 2012968: 16-bit %u form, literal "%u0d0d%u0d0d" in the to_client stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:1;)
# sid 2012969: two "|u0" sequences close together (second one 1-5 bytes after the first) in the
# to_client stream.
# NOTE(review): the pcre holds an unescaped "/" between two copies of the same sub-pattern. Depending on
# how the engine finds the closing delimiter, this either fails to load or demands a literal "/"
# between the two sequences - verify against upstream and test-load the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:1;)
# sid 2012970: backslash variant of sid 2012969 ("\u0" instead of "|u0").
# NOTE(review): its pcre has the same unescaped "/" in mid-pattern; the same load-test applies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:1;)
# sid 2012971: outbound request whose normalized URI contains "/u/upd_" followed by "cb" or by any
# characters and then ".cb". The separate content:"cb" has no position constraint.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Qakbot Update Request"; flow:established,to_server; content:"/u/upd_"; http_uri; content:"cb"; http_uri; pcre:"/\x2Fu\x2Fupd\x5F(cb|.+\x2Ecb)/U"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012971; rev:1;)
# sid 2012972: outbound request with "/cgi-bin/jl/ad03.pl?pv=2&d=" in the URI; no method restriction.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Qakbot Request for Compromised FTP Sites"; flow:established,to_server; content:"/cgi-bin/jl/ad03.pl?pv=2&d="; http_uri; 
reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012972; rev:1;)
# sid 2012973: outbound POST with "/cgi-bin/jl/ad03.pl" in the URI (same script path as sid 2012972).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Qakbot Webpage Infection Routine POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/jl/ad03.pl"; http_uri; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012973; rev:2;)
# sid 2012974: outbound FTP control channel (port 21) carrying a name of the form
# si_<5 letters><5 digits>.cb. The ".cb" content must start exactly 10 bytes after "si_".
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32.Qakbot .cb File Extention FTP Upload"; flow:established,to_server; content:"si_"; content:".cb"; distance:10; within:3; pcre:"/si\x5F[a-z]{5}[0-9]{5}\x2Ecb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012974; rev:1;)
# sid 2012975: outbound FTP control channel carrying seclog_<5 letters><5 digits>_<anything>.kcb, with
# ".kcb" inside the 30 bytes that follow "seclog_".
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32.Qakbot Seclog FTP Upload"; flow:established,to_server; content:"seclog_"; content:".kcb"; within:30; pcre:"/seclog\x5F[a-z]{5}[0-9]{5}\x5F.+\x2Ekcb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012975; rev:1;)
# sid 2012976: inbound request to /hpdiags/frontend2/help/search.php?query= where the query value is
# followed by "script", "alert" or a DOM event-handler name (CVE-2010-4111). It keys on those keywords,
# so a benign search term containing one of them also matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; content:"/hpdiags/frontend2/help/search.php?query="; http_uri; nocase; 
pcre:"/query\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:1;)
# sid 2012977: inbound TCP/4848 payload starting with "TRACE " and later containing ".jsf"
# (CVE-2011-1511). It uses raw payload matches (no http_* modifiers) and is bound to port 4848 only.
alert tcp $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; content:"TRACE "; nocase; depth:6; content:".jsf"; nocase; distance:0; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:1;)
# sid 2012978: server-to-client stream with "COOLNESS", "TRKM", then the UTF-16LE strings "Audition" and
# "Audio Output" in order, followed by at least 100 bytes with no LF in the next 100 (CVE-2011-0615).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:1;)
# sid 2012979: inbound POST to /accounts/ValidateAnswers?methodToCall=validateAll containing
# "&Hide_Captcha=0", "&LOGIN_NAME=" and "&quesList=" in that order (CVE-2010-3272). The three parameter
# contents have no http_* modifier and so are matched against the raw payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/accounts/ValidateAnswers?methodToCall=validateAll"; nocase; http_uri; content:"&Hide_Captcha=0"; nocase; content:"&LOGIN_NAME="; nocase; distance:0; content:"&quesList="; nocase; distance:0; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3272; classtype:web-application-attack; sid:2012979; rev:1;)
# sid 2012980: inbound request with "/EmployeeSearch" (the fast pattern), "actionId=" and
# "searchString=" in the URI, where searchString is followed by "script", "alert" or a DOM
# event-handler name (CVE-2010-3274).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ZOHO ManageEngine 
ADSelfService Employee Search XSS Attempt"; flow:established,to_server; content:"/EmployeeSearch"; nocase; http_uri; fast_pattern; content:"actionId="; nocase; http_uri; content:"searchString="; http_uri; nocase; pcre:"/searchString\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3274; classtype:web-application-attack; sid:2012980; rev:1;)
# sid 2012981: HTTP response headers with a filename= value that contains "security" and ends in .exe.
# Two negated contents exclude responses carrying "ALLOW-FROM www.onecallnow.com" or
# "Content-Type: text/xml" (presumably false-positive carve-outs).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible FakeAV Binary Download (Security)"; flow:established,to_client; content:"filename=|22|"; http_header; nocase; content:"security"; fast_pattern; nocase; http_header; within:50; pcre:"/filename\x3D\x22[^\r\n]*security[^\n]+\.exe/Hi"; content:!"ALLOW-FROM www.onecallnow.com"; http_header; content:!"Content-Type|3a 20|text/xml"; http_header; classtype:trojan-activity; sid:2012981; rev:3;)
# sids 2012982-2012986: informational rules (classtype not-suspicious). Each fires when traffic from a
# remote port 25 to HOME_NET contains the named blocklist domain anywhere in the payload. Presumably
# meant to reveal that a local sender is being rejected as blocklisted - confirm with the mail logs.
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Abuseat.org Block Message"; flow:established,from_server; content:"abuseat.org"; classtype:not-suspicious; sid:2012982; rev:3;)
# sid 2012983: same pattern for "spamcop.net".
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Spamcop.net Block Message"; flow:established,from_server; content:"spamcop.net"; classtype:not-suspicious; sid:2012983; rev:2;)
# sid 2012985: same pattern for "sorbs.net".
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sorbs.net Block Message"; flow:established,from_server; content:"sorbs.net"; classtype:not-suspicious; sid:2012985; rev:2;)
# sid 2012986: same pattern for "robtex.com".
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Message"; flow:established,from_server; content:"robtex.com"; classtype:not-suspicious; sid:2012986; rev:2;)
# sid 2012987: first of five TEDE Simplificado rules (2012987-2012991) on
# /tde_busca/processaPesquisa.php with pesqExecutada= and id= in the URI. Each adds one SQL keyword
# pair, here SELECT ... FROM, matched case-insensitively on the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; 
content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012987; rev:1;)
# sid 2012988: same endpoint, keyword pair DELETE ... FROM.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012988; rev:3;)
# sid 2012989: same endpoint, keyword pair UNION ... SELECT.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012989; rev:3;)
# sid 2012990: same endpoint, keyword pair INSERT ... INTO.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; 
pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012990; rev:1;)
# sid 2012991: same TEDE endpoint, keyword pair UPDATE ... SET. "SET" is a short token matched without
# word boundaries, so substrings such as "offset" also satisfy it once "UPDATE" appears earlier.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012991; rev:1;)
# sid 2012992: request to /addons/kcfinder/browse.php? where CKEditorFuncNum= is followed by "script",
# a DOM event-handler name or "style=" in the normalized URI. No method restriction.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/addons/kcfinder/browse.php?"; nocase; http_uri; content:"CKEditorFuncNum="; nocase; http_uri; pcre:"/CKEditorFuncNum\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,autosectools.com/Advisory/Nakid-CMS-1.0.2-Reflected-Cross-site-Scripting-230; classtype:web-application-attack; sid:2012992; rev:1;)
# sid 2012993: GET /pear.php? with include_path= set to a value starting with an
# ftp/ftps/http/https/php scheme.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/pear.php?"; nocase; http_uri; content:"include_path="; nocase; http_uri; pcre:"/include_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012993; rev:1;)
# sid 2012994: same script, _PEAR_PHPDIR= parameter with the same scheme check.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; 
http_method; content:"/pear.php?"; nocase; http_uri; content:"_PEAR_PHPDIR="; nocase; http_uri; pcre:"/_PEAR_PHPDIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012994; rev:1;)
# sid 2012995: GET /index.php? with option=com_people and controller= in the URI plus "../" in the
# first 200 payload bytes (raw payload match, not bound to the controller= value).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_people"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/16001; classtype:web-application-attack; sid:2012995; rev:1;)
# sid 2012996: GET /awstatstotals.php? with sort= followed by at least one word character. The pcre
# only requires a non-empty value, so any use of the sort parameter alerts; review the value in the
# captured request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/awstatstotals.php?"; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort=\w/Ui"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:2;)
# sids 2012998-2013009 and 2013014: generic PHP stream-wrapper family. Each matches any URI containing
# ".php?" and "=<scheme>://" for one scheme. They are application-agnostic, so legitimate parameters
# that carry a URL (redirect targets and the like) will likely match too - tune per site.
# The msgs label the https and ftps rules "Local File Inclusion" and the others "Remote".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible https Local File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=https|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012998; rev:3;)
# sid 2012999: wrapper family, "=ftp://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ftp Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ftp|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012999; rev:3;)
# sid 2013000: wrapper family, "=ftps://".
alert tcp $EXTERNAL_NET any -> 
$HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ftps Local File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ftps|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013000; rev:3;)
# sid 2013001: PHP stream-wrapper family (any ".php?" URI with "=<scheme>://"), scheme "php://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=php|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013001; rev:3;)
# sid 2013002: wrapper family, "=file://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=file|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013002; rev:5;)
# sid 2013003: wrapper family, "=data://". Only the "data://" spelling is matched; a value written as
# "data:" without the two slashes is outside this signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible data Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=data|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013003; rev:3;)
# sid 2013004: wrapper family, "=glob://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible glob Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=glob|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013004; rev:3;)
# sid 2013005: wrapper family, "=phar://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible phar Remote File Inclusion 
Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=phar|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013005; rev:4;)
# sid 2013006: PHP stream-wrapper family (any ".php?" URI with "=<scheme>://"), scheme "ssh2://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ssh2 Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ssh2|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013006; rev:3;)
# sid 2013007: wrapper family, "=rar://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible rar Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=rar|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013007; rev:3;)
# sid 2013008: wrapper family, "=ogg://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible ogg Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=ogg|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013008; rev:3;)
# sid 2013009: wrapper family, "=expect://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible expect Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=expect|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013009; rev:3;)
# sid 2013013: policy rule - outbound request with an "X-SU-Version: " header. The threshold
# (type both, count 2, seconds 300, track by_src) yields at most one alert per source per 300 s, and
# only after two matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY StumbleUpon Submission Detected"; flow:established,to_server; content:"X-SU-Version|3a| "; http_header; threshold: type both, 
count 2, seconds 300, track by_src; classtype:policy-violation; sid:2013013; rev:2;)
# sid 2013014: PHP stream-wrapper family (any ".php?" URI with "=<scheme>://"), scheme "zlib://".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Possible zlib Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=zlib|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013014; rev:4;)
# sid 2013015: policy rule - outbound HTTP request with a header line ending in the .onion hostname
# below. The rule is bound to $HTTP_PORTS and clear-text HTTP.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to Illegal Drug Sales Site (SilkRoad)"; flow:established,to_server; content:"ianxz6zefk72ulzz.onion|0d 0a|"; http_header; nocase; classtype:policy-violation; sid:2013015; rev:2;)
# sid 2013016: DNS companion to sid 2013015 - an outbound UDP/53 query containing the same name as
# length-prefixed labels. A hit means a host tried to resolve a .onion name through ordinary DNS.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ianxz6zefk72ulzz|05|onion"; fast_pattern:only; classtype:policy-violation; sid:2013016; rev:1;)
# sid 2013017: outbound request whose User-Agent header is exactly "x". The threshold (type limit,
# count 2, seconds 300) caps alerts at two per source per 300 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; content:"User-Agent|3a| x|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:trojan-activity; sid:2013017; rev:6;)
# sid 2013018: outbound request with "User-Agent: HTMLGET " in the headers.
# NOTE(review): the msg category is POLICY but the classtype is trojan-activity - confirm which
# priority is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTMLGET User Agent Detected - Often Linux utility based"; flow:established,to_server; content:"User-Agent|3A| HTMLGET "; http_header; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013018; rev:4;)
# sid 2013019: outbound request with "/xlm.p.php?id=" in the URI (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; 
classtype:trojan-activity; sid:2013019; rev:1;)
# sid 2013020: outbound TCP/8511 payload starting with "POST " and later containing
# "/search/sayhi.php". Raw payload matches, bound to destination port 8511 only.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/search/sayhi.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:1;)
# sid 2013022: same shape as sid 2013020 for the path "search/rpty.php" (no leading "/").
alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"search/rpty.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:1;)
# sid 2013023: outbound UDP/53 query containing the labels "gongfu-android" and "com". The name content
# has no nocase, so a query sent with different letter case would not match.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2;)
# sid 2013026: outbound HTTP request body holding a multipart form field named "programm" whose value
# starts with "Windows Key". fast_pattern:46,20 limits the fast-pattern matcher to a 20-byte slice at
# offset 46 of that content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Secure-Soft.Stealer Checkin"; flow:to_server,established; content:"|0d 0a|Content-Disposition|3A 20|form-data|3B 20|name|3D 22|programm|22 0d 0a 0d 0a|Windows Key|0d 0a|"; http_client_body; 
fast_pattern:46,20; reference:url,www.threatexpert.com/report.aspx?md5=c86923d90ef91653b0a61eb2fbfae202; reference:url,www.threatexpert.com/report.aspx?md5=0a52131eebbee1df877767875ab32352; classtype:trojan-activity; sid:2013026; rev:2;)
# sid 2013028: policy rule - outbound request with "User-Agent: curl/". No threshold is set, so it
# alerts on every matching request; expect volume from legitimate automation.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| curl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:2;)
# sid 2013030: policy rule - outbound request with "User-Agent: libwww-perl/".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; content:"User-Agent|3a| libwww-perl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:2;)
# sid 2013031: policy rule - outbound request with "User-Agent: Python-urllib/", excluding requests
# that have a header line ending "dropbox.com\r\n".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; content:"User-Agent|3a| Python-urllib/"; nocase; http_header; content:!"dropbox.com|0d0a|"; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:2;)
# sid 2013032: inbound request with "User-Agent: EmailSiphon".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| EmailSiphon"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013032; rev:2;)
# sid 2013033: outbound counterpart of sid 2013032 - the same User-Agent from a HOME_NET host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| EmailSiphon"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013033; rev:1;)
# sid 2013034: outbound GET with "/prod/MEADInst.exe" in the URI (case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; 
content:"/prod/MEADInst.exe"; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; content:" Java/1."; http_header; flowbits:set,ET.http.javaclient; flowbits:noalert; classtype:misc-activity; sid:2013035; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|00 00|"; distance:0; content:"PE|00|"; distance:0; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:4;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:2;) alert udp $HOME_NET 
any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; content:"POST"; http_method; content:"/ProtocolGW/protocol/"; nocase; http_uri; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/Ui"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; content:"POST"; http_method; content:"action=get&applicationID="; http_client_body; nocase; depth:25; content:"&developerId="; http_client_body; nocase; distance:0; content:"&deviceId="; http_client_body; nocase; distance:0; content:"android.permission"; http_client_body; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; file_data; content:"url=http|3A|//"; nocase; within:11; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; 
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DLoader File Download Request Activity"; flow:established,to_server; content:"/load.php?file="; http_uri; pcre:"/\/load\.php\?file=(\d+|(\w+)?grabber(s)?|uploader)(&luck=\d)?$/U"; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28; reference:url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7; reference:url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013045; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DLoader PWS Module Data Upload Activity"; flow:established,to_server; content:"/grabbers.php"; http_uri; content:"logs="; http_client_body; content:"&module=grabbers"; http_client_body; distance:0; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28; reference:url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7; reference:url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013046; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DonBot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gateway/index"; http_uri; content:"|20|HTTP/1.0"; offset:19; depth:9; reference:url,labs.m86security.com/2011/06/new-bots-old-bots-ii-donbot/; classtype:trojan-activity; sid:2013047; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 
$HTTP_PORTS (msg:"ET WEB_SERVER Binget PHP Library User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| Binget/"; nocase; http_header; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013049; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Binget PHP Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Binget/"; nocase; http_header; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013050; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER pxyscand Suspicious User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| pxyscand/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013051; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| pxyscand/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013052; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PyCurl Suspicious User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| PyCurl"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013053; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS PyCurl Suspicious User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| PyCurl"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013054; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Peach C++ 
Library User Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013055; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Peach"; nocase; http_header; content:!"User-Agent|3a| PeachTree"; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Inbound PHP User-Agent"; flow:established,to_server; content:"User-Agent|3a| PHP/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013057; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Outbound PHP User-Agent"; flow:established,to_server; content:"User-Agent|3a| PHP/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013058; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin"; flow:established,to_server; content:"/api/work/getwork?"; http_uri; depth:18; content:"bitcoinplus.com"; http_header; threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown; sid:2013059; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MacShield FakeAV CnC Communication"; flow:established,to_server; content:"/mac/soft.php?affid="; nocase; http_uri; fast_pattern:only; reference:url,blog.trendmicro.com/obfuscated-ip-addresses-and-affiliate-ids-in-mac-fakeav/; classtype:trojan-activity; sid:2013062; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE 
DroidKungFu Checkin 3"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/search/getty.php"; distance:0; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Tracur.Q HTTP Communication"; flow:to_server,established; content:"GET"; http_method; content:"fQ_fQ_fQ_fQ"; http_uri; reference:url,xml.ssdsandbox.net/view/d2afc3be7357f96834ec684ab329d7e2; classtype:trojan-activity; sid:2013064; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"tSAC|1D 02|"; fast_pattern; content:"|01 00 FF FF 11 11|"; distance:0; reference:url,www.exploit-db.com/moaub-22-adobe-shockwave-director-tsac-chunk-memory-corruption/; classtype:attempted-user; sid:2013070; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:url,threatexpert.com/report.aspx?md5=4860e53b7e71cd57956e10ef48342b5f; classtype:trojan-activity; sid:2013071; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; fast_pattern:only; 
reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Meredrop Checkin"; flow:established, to_server; content:"POST"; nocase; http_method; content:"praquem="; http_client_body; content:"&titulo="; http_client_body; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:trojan-activity; sid:2013073; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; content:!"spamhaus|03|org|00|"; classtype:bad-unknown; sid:2013075; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1."; content:"|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; distance:1; within:46; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; content:"/webhp"; http_uri; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013076; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE 
Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013080; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013081; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,46048; classtype:web-application-attack; 
sid:2013082; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013083; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/showcats.php?"; nocase; http_uri; content:"sbcat_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,46048; classtype:web-application-attack; sid:2013084; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability"; flow:established,to_server; content:"/templates/admin_default/confirm.tpl.php?"; nocase; http_uri; content:"nsextt="; nocase; http_uri; pcre:"/nsextt\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,seclists.org/bugtraq/2011/Jun/59; classtype:web-application-attack; sid:2013085; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/xperience.php?"; nocase; http_uri; content:"sortfield="; nocase; http_uri; content:"sortorder="; nocase; http_uri; pcre:"/sortorder\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:url,packetstormsecurity.org/files/view/102001/xperience-xss.txt; classtype:web-application-attack; sid:2013086; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/FCKeditor/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013087; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/tinymce/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013088; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^\x7c?\d/R"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; 
reference:md5,a2f58a4215441276706f18519dae9102; classtype:trojan-activity; sid:2013090; rev:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/nagios/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; fast_pattern; http_uri; nocase; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; pcre:"/\.dyndns-(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work)\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2013096; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; fast_pattern; http_header; content:!" 
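checkip.dyndns."; http_header; pcre:"/Host\x3a [^\n]+\.dyndns\.(biz|info|org|tv)\x0d\x0a/iH"; classtype:bad-unknown; sid:2013097; rev:5;)

# --- Apache Archiva reflected-XSS attempts (sid 2013099-2013112) ---
# (The msg strings say "Apache Archive"; the URIs matched are under /archiva/.)
# Every rule in this family has the same shape: an inbound request to
# $HTTP_SERVERS, two http_uri content matches (action path and parameter name)
# as prefilters, then a case-insensitive PCRE on the normalized URI (/Ui) that
# requires a script / event-handler / style= keyword somewhere after the
# parameter name.
#
# Fixed here: in 2013099-2013106 and 2013108-2013111 one "|" inside the keyword
# alternation had been replaced by a space (for example "onselect onchange").
# That merges two alternatives into one literal containing a space, so neither
# keyword matched on its own. The separators are restored to agree with the
# intact lists in 2013107 and 2013112.
# The reference URL in 2013105 and 2013106 had the same damage
# ("apachearchivapoc xss.txt") and now matches the sibling rules.
#
# Tuning note: the PCRE accepts a keyword anywhere after the parameter name, so
# a benign value containing e.g. "script" will also alert; treat hits as leads.
# sid/rev are left as published; track this local change per your rule-management policy.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/security/useredit.action?"; nocase; http_uri; content:"username="; nocase; http_uri; pcre:"/username\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013099; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/security/roleedit.action?"; nocase; http_uri; content:"name="; nocase; http_uri; pcre:"/name\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013100; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/security/userlist!show.action?"; nocase; http_uri; content:"roleName="; nocase; http_uri; pcre:"/roleName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013101; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/deleteArtifact!doDelete.action?"; nocase; http_uri; content:"groupId="; nocase; http_uri; pcre:"/groupId\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013102; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addLegacyArtifactPath!commit.action?"; nocase; http_uri; content:"legacyArtifactPath.path="; nocase; http_uri; pcre:"/legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013103; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/deleteNetworkProxy!confirm.action?"; nocase; http_uri; content:"proxyid="; nocase; http_uri; pcre:"/proxyid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013104; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addRepository.action"; nocase; http_uri; content:"repository.id="; nocase; http_uri; pcre:"/repository.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013105; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/confirmDeleteRepository.action?"; nocase; http_uri; content:"repoid="; nocase; http_uri; pcre:"/repoid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013106; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/editAppearance.action"; nocase; http_uri; content:"organisationName="; nocase; http_uri; pcre:"/organisationName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013107; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addLegacyArtifactPath.action"; nocase; http_uri; content:"legacyArtifactPath.path="; nocase; http_uri; pcre:"/legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013108; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/addNetworkProxy.action"; nocase; http_uri; content:"proxy.id="; nocase; http_uri; pcre:"/proxy.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013109; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/networkProxies.action"; nocase; http_uri; content:"proxy.id="; nocase; http_uri; pcre:"/proxy.id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013110; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/legacyArtifactPath.action"; nocase; http_uri; content:"legacyArtifactPath.path="; nocase; http_uri; pcre:"/legacyArtifactPath.path\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013111; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt"; flow:established,to_server; content:"/archiva/admin/configureAppearance.action"; nocase; http_uri; content:"organisationName="; nocase; http_uri; pcre:"/organisationName\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013112; rev:1;)

# Outbound check-in: the URI must contain both "/isup.php?v=" and "&sox=".
# The two matches are independent, so their relative order is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Vilsel Checkin"; flow:to_server,established; content:"/isup.php?v="; http_uri; content:"&sox="; http_uri; reference:url,www.malware-control.com/statics-pages/5de2e2f56e5277cfe3d44299ab496648.php; reference:url,www.malware-control.com/statics-pages/87290c3019b7dbac0d7d2e15f03572ba.php; classtype:trojan-activity; sid:2013114; rev:1;)

# Inbound scanner probe: the payload must begin with this exact request line
# (depth:26 equals the length of the matched string).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; content:"GET /muieblackcat HTTP/1.1"; depth:26; classtype:attempted-recon; sid:2013115; rev:3;)

# Companion heuristic: a request starting with "GET //" plus a fixed
# Accept / Accept-Language / Accept-Encoding / Host header sequence that is
# later followed by "Connection: Close" and the end of the headers.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Potential muieblackcat scanner double-URI and HTTP library"; flow:established,to_server; content:"GET //"; depth:6; fast_pattern; content:"HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Accept-Language|3a| en-us|0d 0a|Accept-Encoding|3a| gzip, deflate|0d 0a|Host|3a| "; http_header; content:"|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; distance:0; classtype:attempted-recon; sid:2013116; rev:5;)

# Apache Tomcat sort-parameter XSS rule; its remaining options continue on the next line of the file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"sort="; 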
nocase; http_uri; pcre:"/sort\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:3;)

# Same shape as the sort-parameter rule above, keyed on "orderby=" instead:
# two http_uri prefilters, then a case-insensitive PCRE on the normalized URI
# looking for a script/event-handler keyword after the parameter name.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"orderby="; nocase; http_uri; pcre:"/orderby\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013119; rev:1;)

# Server-to-client rule: the CLSID string is the fast pattern, and the PCRE then
# requires "classid = clsid:<that CLSID>" followed later by one of the listed
# method names.
# NOTE(review): the PCRE begins with "]*classid", which looks truncated. Text
# in front of it (possibly an HTML-like tag prefix) may have been lost when this
# listing was extracted - compare with the upstream rule before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:1;)

# Over-long-line heuristic on TCP/7580: "CSService" must be followed by at
# least 1000 more bytes (isdataat) with no 0x0A in the next 1000 bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1;)

# Outbound check-in: three http_uri prefilters, then a PCRE on the normalized URI.
# NOTE(review): the PCRE requires "&si=<digits>" twice in a row before
# "&rd=20" plus 11 digits - confirm the repeated "&si=" is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vilsel.ayjv Checkin (aid)"; flow:to_server,established; content:"?aid="; http_uri; content:"&si="; http_uri; content:"&rd="; http_uri; pcre:"/&si=\d+&si=\d+&rd=20\d{11}/U"; classtype:trojan-activity; sid:2013122; rev:7;)

# Next rule begins here; its port and options continue on the next line of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.co.be domain"; flow: to_server,established; content:".co.be|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013123; rev:4;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.be Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|be"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013124; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013125; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013126; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013127; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search 
Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013128; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/minbrowse.php?"; nocase; http_uri; content:"search="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013129; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79956462-F148-497F-B247-DF35A095F80B/si"; reference:url,exploit-db.com/exploits/17415/; reference:cve,2008-2683; classtype:attempted-user; sid:2013130; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013131; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; 
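sid:2013132; rev:2;)
# --- vBulletin vBTube reflected XSS (inbound to web servers) ---
# Both rules require the /vBTube.php? URI and the named parameter, then run a
# case-insensitive PCRE over the normalized URI (/U) for script or event-handler
# keywords anywhere after that parameter. The ".+" is unanchored, so a keyword in
# a later, unrelated parameter also matches; expect some false positives.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/vBTube.php?"; nocase; http_uri; content:"do="; nocase; http_uri; content:"vidid="; nocase; http_uri; pcre:"/vidid\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013133; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/vBTube.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"do="; nocase; http_uri; content:"uname="; nocase; http_uri; pcre:"/uname\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013134; rev:1;)
# --- FakeAV FakeAlert.Rena.n check-in: two-rule flowbit pair ---
# Stage 1 is silent (flowbits:noalert). It only sets ET.fakealert.rena.n on the flow
# when the URI begins with /1020000 and " HTTP/1.0" + CRLF is found in the header
# buffer. If this rule is disabled, the response rule below can never fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeAlert.Rena.n Checkin Flowbit set"; flow:established,to_server; content:"/1020000"; http_uri; depth:8; content:" HTTP/1.0|0d 0a|"; http_header; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:trojan-activity; sid:2013135; rev:2;)
# Stage 2 alerts on the server reply: flowbit set, a Content-Length of 2, and "OK"
# within the first two bytes of file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV FakeAlertRena.n Checkin Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; dsize:<200; content:"Content-Length|3a| 2|0d 0a|"; http_header; file_data; content:"OK"; within:2; classtype:trojan-activity; sid:2013136; rev:3;)
# --- Generic device-identifier exfiltration (outbound HTTP POST) ---
# sid:2013138 and sid:2013139: the first http_client_body pattern in each rule was
# an empty string (content:"";), which rule parsers typically reject. The opening
# XML tag had evidently been stripped from this copy of the text. It is restored
# here as <IMEI> / <IMSI> to pair with the closing-tag match that follows it
# (distance:0). Confirm against the upstream ruleset before deploying.
# The IMEI rule skips requests whose header buffer contains .blackberry.com,
# .nokia.com or .sonyericsson.com followed by CRLF; the IMSI rule has no exclusions.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; nocase; distance:0; http_client_body; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; http_client_body; distance:0; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2;)
# --- SymbOS/Yxes ---
# Check-in: all nine URI strings must be present. None carries distance/within, so
# their relative order in the URI is not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3;)
# Download of plugucsrv.sisx: a single case-sensitive URI string (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; 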
reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE RogueAntiSpyware.AntiVirusPro Checkin"; flow:established,to_server; content:"php?type=stats&affid="; http_uri; content:"&subid="; http_uri; content:"&version="; http_uri; content:"&adwareok"; http_uri; 
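reference:url,www.threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; classtype:trojan-activity; sid:2013149; rev:1;)
# --- ZyXEL ZyWALL login form XSS (CVE-2011-2466) ---
# Fix: the PCRE alternation read (Loging|Hidden)Password, so the LoginPassword
# parameter named in msg could never satisfy it and only HiddenPassword was covered.
# The content "nPassword=" already matches the tail of both parameter names.
# rev is left unchanged here; bump it according to local rule-management practice.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ZyXEL ZyWALL LoginPassword/HiddenPassword Cross Site Scripting Attempt"; flow:established,to_server; content:"/Forms/rpAuth"; nocase; http_uri; content:"nPassword="; nocase; http_uri; pcre:"/(Login|Hidden)Password\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:cve,2011-2466; classtype:web-application-attack; sid:2013150; rev:1;)
# --- Adobe Reader client-side exploit signatures (server -> client) ---
# util.printf (CVE-2008-2992): the dot in the PCRE is now escaped so it matches a
# literal "." exactly as the content pattern does. Neither keyword selects an HTTP
# buffer, so both match the raw response payload; a script carried inside a
# compressed or encoded PDF stream would presumably not be visible to this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern:only; pcre:"/util\.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:1;)
# FlateDecode predictor (CVE-2009-3459): the literal "Colors 1073741838" must be
# present, and the PCRE requires it inside a "<<" dictionary after /Predictor.
# The content match is case-sensitive although the PCRE carries /i, so the content
# is the effective constraint on case.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern:only; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2008-2992; classtype:attempted-user; sid:2013153; rev:1;)
# --- Backdoor.Win32.Gbod.dv check-in (outbound) ---
# POST whose headers contain "Opera/" and "Presto/" but no "Accept: " header, with
# a=, &b= and &c= in the body. The body keys are very short; the specificity comes
# from the header combination.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Opera/"; http_header; content:"Presto/"; http_header; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:trojan-activity; sid:2013154; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 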
(msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; fast_pattern:19,20; content:"pid="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013156; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013157; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; 
http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013158; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013159; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX CygniCon CyViewer ActiveX Control SaveData Insecure Method Vulnerability"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6FC2988-16BE-4053-BE89-F562431FD6ED/si"; reference:bugtraq,48483; classtype:attempted-user; sid:2013160; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX Initialize method Buffer Overflow Vulnerability"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013161; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX RunCore method Buffer Overflow Vulnerability"; flow:to_client,established; file_data; 
content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013162; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Imaging LEADSmtp ActiveX SaveMessage Method Vulnerability"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F/si"; reference:bugtraq,48408; classtype:attempted-user; sid:2013163; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webcat web_id Parameter Blind SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/ecat/cms_view.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"web_id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/17444; classtype:web-application-attack; sid:2013164; rev:2;) alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via GET"; flow:established,to_server; content:"/xslt?PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_uri; content:"&PASSWORD="; http_uri; distance:0; content:"&PASSWORD_CONF="; http_uri; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013165; rev:1;) alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; 
reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Bot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gateway/index"; http_uri; content:"botver="; content:"&build="; content:"&profile="; reference:url,www.threatexpert.com/report.aspx?md5=be3aed34928cb826030b462279a1c453; classtype:trojan-activity; sid:2013168; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Communication 2"; flow:established,to_server; content:"?user_id="; http_uri; content:"&version_id="; http_uri; content:"&sys="; http_uri; classtype:trojan-activity; sid:2013169; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.cu.cc domain"; flow:established,to_server; content:".cu.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013170; rev:2;) alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; content:"User-Agent|3a| DominoHunter"; nocase; http_header; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.cu.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cu|02|cc"; fast_pattern; classtype:bad-unknown; sid:2013172; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a| Atomic_Email_Hunter/"; fast_pattern:12,20; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013173; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Atomic_Email_Hunter 
User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Atomic_Email_Hunter/"; fast_pattern:12,20; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013174; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"User-Agent|3a| Egypack"; nocase; http_header; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013176; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Long Fake wget 3.0 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:"wget 3.0"; fast_pattern; distance:10; within:100; http_header; classtype:trojan-activity; sid:2013178; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; depth:14; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; http_uri; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidetab or Related Trojan Checkin"; flow:established,to_server; content:"/install.asp?"; http_uri; content:"version="; http_uri; content:"&id="; http_uri; content:"&mac="; http_uri; content:".co.kr|0d 0a|"; http_header; classtype:trojan-activity; sid:2013182; rev:2;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Artro Downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| wget 3.0|3b| rv|3a|5.0) Gecko/20100101 Firefox/5.0"; http_header; fast_pattern:65,20; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:trojan-activity; sid:2013184; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| ICS)"; fast_pattern:20,20; http_header; content:"para="; http_client_body; depth:5; content:"&subject="; http_client_body; content:"&dados="; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; reference:url,www.threatexpert.com/report.aspx?md5=c8b3d2bc407b0260b40b7f97e504faa5; classtype:trojan-activity; sid:2013185; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:".php?"; http_uri; content:"=v"; http_uri; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/U"; content:"data="; http_client_body; depth:5; content:"wget"; nocase; http_header; fast_pattern:only; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:17;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Backdoor Win32/IRCbot.FJ Cnc connection dns lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; 
offset:2; content:"|07|minerva|05|cdmon|03|org"; fast_pattern; distance:0; nocase; reference:url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ; reference:url,www.threatexpert.com/report.aspx?md5=13e43c44681ba9acb8fd42217bd3dbd2; reference:url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org; classtype:misc-activity; sid:2013187; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; content:"User-Agent|3a| Installer Ping"; http_header; classtype:trojan-activity; sid:2013190; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern:only; flowbits:set,ET.And.CruseWin; flowbits:noalert; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; file_data; content:"http|3A|//"; 
nocase; distance:0; content:"http|3A|//"; nocase; distance:0; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Genome Initial Checkin"; flow:established,to_server; content:"/?uid="; http_uri; content:"&aid="; http_uri; content:"&linkuid="; http_uri; classtype:trojan-activity; sid:2013196; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Genome Download.php HTTP Request"; flow:established,to_server; content:"GET /download.php?nd="; depth:21; content:"&id="; distance:3; within:6; classtype:trojan-activity; sid:2013197; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/Hacktool.Sniffer Initial Checkin"; flow:established,to_server; content:"/username.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013198; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/Hacktool.Sniffer Successful Install Message"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013199; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Malware patchlist.xml Request"; flow:established,to_server; content:"/update/patchlist.xml"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013200; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rodecap CnC Checkin"; flow:established,to_server; content:".cgi?s"; http_uri; content:"&r="; http_uri; content:!"Accept|3a| "; http_header; content:"Cache-Control|3a| no-cache|0d 0a|"; http_header; content:!"Referer|3a| "; http_header; content:"User-Agent|3a 20 2d 0d 0a|"; fast_pattern:10,5; http_header; pcre:"/\.cgi\?s(id)?=\d{1,12}&r=/U"; classtype:trojan-activity; sid:2013201; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Fosniw MacTryCnt CnC Style Checkin"; flow:established,to_server; content:"&logdata=MacTryCnt|3A|"; http_uri; fast_pattern:only; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:trojan-activity; sid:2013202; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Fosniw CnC Checkin Style 2"; flow:established,to_server; content:".asp?prj="; http_uri; content:"&pid="; http_uri; content:"&mac="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:trojan-activity; sid:2013203; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.FakeAV POST datan.php"; flow:established,to_server; content:"/datan.php"; http_uri; content:!"User-Agent|3A 20|"; http_header; nocase; classtype:trojan-activity; sid:2013206; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Internet Connectivity Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/geo/productid.php"; http_uri; depth:18; content:"adobe.com"; http_header; content:"Opera/"; http_header; content:"Pesto/"; http_header; classtype:trojan-activity; sid:2013207; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Mobile Malware Posting Device Phone Number"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&Phone"; fast_pattern; nocase; http_uri; content:"Number="; nocase; http_uri; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/Ui"; classtype:trojan-activity; sid:2013208; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; 
reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/Coop/request"; within:15; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Esion CnC Checkin"; flow:established,to_server; content:"/bot/gate.php"; http_uri; fast_pattern:only; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-052510-1535-99&tabid=2; classtype:trojan-activity; sid:2013211; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Meciv Checkin"; flow:established,to_server; content:"/trandocs/netstat"; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-070516-5325-99&tabid=2; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2013212; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; content:"Host|3a| "; http_header; content:".3322.org|0D 0A|"; within:50; http_header; classtype:misc-activity; sid:2013213; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; content:"Gh0st"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:trojan-activity; sid:2013214; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; 
flow:established,to_server; content:"myip.ozymo.com"; fast_pattern:only; nocase; http_header; classtype:attempted-recon; sid:2013217; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org"; flow:established,to_server; content:"8866.org"; nocase; http_header; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2E8866.org/Hi"; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sefnit Initial Checkin"; flow:established,to_server; content:"/version.php?ver="; http_uri; content:"&app="; http_uri; content:"User-Agent|3A| NSISDL"; http_header; classtype:trojan-activity; sid:2013221; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe|0d 0a|"; fast_pattern:only; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; content:!"CTX_"; http_uri; content:!"gfi.com|0d 0a|"; http_header; content:!"pandasoftware.com"; http_header; content:!"lnssatt.exe"; http_header; classtype:trojan-activity; sid:2013224; rev:15;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/IRCBrute Checkin 2"; flow:established,to_server; content:"/Dialer_Min/telcom.asp"; nocase; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-IRB/detailed-analysis.aspx; classtype:trojan-activity; sid:2013225; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/annonce.php?"; nocase; http_uri; content:"secteur="; nocase; http_uri; 
pcre:"/secteur\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013226; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013227; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013228; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013229; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; 
http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013230; rev:1;)
# Immophp annonce_detail.php SQL injection (bugtraq 48341), UPDATE ... SET variant: a GET request
# whose URI holds the script name, the annonce= parameter and both keywords; the pcre then
# requires UPDATE to appear before SET in the URI buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013231; rev:1;)
# NOTE(review): sid 2013232 and sid 2013233 look damaged in this copy. Each content string opens
# with "]*classid" and ends with "/si", so it reads like the tail of a regular expression (CLSID
# match with flags s and i) fused into a content option; there is no pcre keyword and no opening
# delimiter. Markup-like text was presumably lost when this page was produced. As printed, the
# option would be treated as a literal pattern rather than as the CLSID expression, so neither rule
# should be relied on to detect the ActiveX control it names. Restore both rules from the upstream
# ruleset before loading them.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IDrive Online Backup ActiveX control SaveToFile Insecure Method"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E/si"; reference:url,htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html; classtype:attempted-user; sid:2013232; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Control SaveDecrypted Insecure Method Vulnerability"; flow:to_client,established; file_data; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B70AB61-5C95-4126-9985-A32531CA8619/si"; reference:bugtraq,48585; classtype:attempted-user; sid:2013233; rev:2;)
# ActivDesk kbcat.cgi blind SQL injection: the two-byte content "or" is satisfied by almost any
# URI, so the discriminating checks are the "substring" content and the pcre, which requires "or"
# to be followed later by "substring(" in the URI buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActivDesk cid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/kbcat.cgi?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"or"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/or.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/102537/activdesk-sqlxss.txt; classtype:web-application-attack; sid:2013234; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; 
flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SweetIM Install in Progress"; flow:established,to_server; content:"/download/install/silent/SSweetIMSetup.CIS"; nocase; http_uri; classtype:trojan-activity; sid:2013243; rev:1;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ruskill/Palevo Download Command"; flow:established,to_server; content:"PRIVMSG #"; depth:9; content:"|3a 5b|d=|22|http|3a|//"; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=2d69d8d243499ab53b840c64f68cc830; 
reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013245; rev:3;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ruskill/Palevo CnC PONG"; flow:established,to_server; content:"PONG |3a|hub.us.com"; depth:16; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013246; rev:2;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ruskill/Palevo KCIK IRC Command"; flow:established,to_server; content:"KCIK |7b|"; depth:6; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013247; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; content:"Vega/"; http_header; pcre:"/User-Agent\x3A[^\r\n]+Vega\x2F/H"; detection_filter:track by_src, count 5, seconds 40; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft 
Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yandexbot Request Outbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:trojan-activity; sid:2013254; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013256; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server;content:"User-Agent|3a|Mozilla"; http_header; content:"|3b| MyIE "; fast_pattern; http_header; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Guagua Trojan Update Checkin"; flow:established,to_server; content:"/update_check?version="; http_uri; content:"User-Agent|3A| 
Update"; http_header; classtype:trojan-activity; sid:2013259; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nekill Checkin"; flow:established,to_server; content:"?v="; http_uri; content:"&mid="; http_uri; content:"&r1="; http_uri; content:"&tm="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&uid="; http_uri; content:"&cht="; http_uri; content:"&sn="; http_uri; reference:url,blog.emergingthreatspro.com/2011/07/bot-of-day-nekilla.html; classtype:trojan-activity; sid:2013260; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:1;) alert tcp any any -> $HOME_NET 21 (msg:"ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl)"; flow:to_server,established; content:"pass nessus@"; fast_pattern:only; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=10079; reference:url,osvdb.org/show/osvdb/69; classtype:attempted-recon; sid:2013263; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Nessus FTP Scan detected (ftp_writeable_directories.nasl)"; flow:to_server,established; content:"MKD"; nocase; depth:3; content:"Nessus"; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=19782; reference:url,osvdb.org/show/osvdb/76; classtype:attempted-recon; sid:2013264; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:""; content:""; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:1;)
# NOTE(review) on sid 2013266 (ends on the line above): both content options are empty strings in
# this copy, so the rule has no payload condition left beyond flow direction. The original patterns
# were presumably markup-like strings lost when the page was produced. An empty content gives the
# engine nothing to match and is normally rejected at load time; restore the rule from the upstream
# ruleset rather than using it as printed.
#
# Hex-escaped heap-spray / NOP-sled indicators (sid 2013267-2013271). Each rule looks for four
# consecutive copies of one literal text escape, e.g. |5C|x0a is the four characters \x0a, in
# established server-to-client traffic on $HTTP_PORTS, case-insensitively. No file_data or HTTP
# buffer keyword is used, so the match is on the raw stream. Triage notes: the pattern is only 16
# bytes of printable text and may also occur in benign escaped data, so an alert is a lead, not a
# verdict. sid 2013267 is labelled "ET INFO ... Possible" while its siblings are "ET SHELLCODE",
# yet all five share classtype shellcode-detect and so carry the same classification priority.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:1;)
alert tcp 
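$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f0-9]{2}\x5Cx[a-f0-9]{2}\x5Cx[a-f0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:2;)
# sid 2013272 (ends on the line above): fires on unescape( followed by a quote and a run of \xNN
# escapes. The content chain places four "\x" markers at fixed offsets, and the pcre confirms the
# quote and that the first three escapes carry two hex digits each.
# Local hardening, not part of the text this copy was taken from: the three character classes were
# written [a-f,0-9], which makes the comma a literal member of the class, so non-hex text such as
# "\x,," satisfied the pcre. They now read [a-f0-9]; the i flag still covers upper-case digits.
# Track the change under your ruleset's own revision process.
#
# sid 2013273: same four-escape pattern as the 0a/0b/0c/0d heap-spray rules, for the text \x41.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:1;)
# Double-backslash variants: |5C 5C|x0a is the five characters \\x0a, i.e. the escape as it appears
# when the backslash itself has been escaped once more. Each rule needs four consecutive copies in
# established server-to-client traffic; matching is on the raw stream and case-insensitive.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE 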
Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|D2 60 38 40 BA 03 14 0E|"; fast_pattern:only; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT 
Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; fast_pattern:only; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:1;)
# sid 2013282 (ends on the line above) only evaluates when the flowbit ET.flash.pdf is already set
# on the flow. The rule that sets it is not in this part of the file; if that rule is disabled or
# missing from the deployed set, this signature can never fire.
#
# DarkComet-RAT handshake, three rules chained by the flowbit ET.DarkCometJoin:
#   sid 2013283 - 12-byte packet from the external peer acting as TCP server; the bytes are the
#                 ASCII text 8EA4AB05FA7E. Sets the flowbit and, having no flowbits:noalert, also
#                 alerts on its own.
#   sid 2013284 - 12-byte packet from the internal host, ASCII 94A5AD0AEF69, flowbit required.
#   sid 2013285 - header, flow, dsize, content and flowbits are identical to sid 2013284; only
#                 msg, references and sid/rev differ.
# NOTE(review): because 2013284 and 2013285 have the same match conditions, every qualifying
# packet raises both alerts, so "join acknowledgement" and "Client Keepalive" cannot be told apart
# from these signatures alone. Expect paired alerts when counting events, or suppress one of the two.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:2;)
# Win32.Jadtre: outbound HTTP request whose URI contains /tool/mavatarcfg/ and .cfg, with the pcre
# narrowing the file name to data.cfg, main.cfg or patch.cfg.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Jadtre Retrieving Cfg File"; flow:established,to_server; content:"/tool/mavatarcfg/"; http_uri; content:".cfg"; http_uri; pcre:"/\x2F(data|main|patch)\x2Ecfg/U"; classtype:trojan-activity; sid:2013286; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Papras Banking Trojan Checkin"; flow:established,to_server; content:"|4e 2a 43 cc 01 c0 2a 77|"; depth:23; http_client_body; content:"POST"; nocase; http_method; reference:url,www.threatexpert.com/report.aspx?md5=85d82c840f4b90fcb6d5311f501374ca; 
classtype:trojan-activity; sid:2013287; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET"; flow:established,to_server; content:" CFNetwork/"; http_header; fast_pattern:only; content:" Darwin/"; http_header; content:"UDID"; http_uri; pcre:"/[0-9a-f]{40}[^0-9a-f]/U"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013290; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cycbot Pay-Per-Install Executable Download"; flow:established,to_server; content:"/adv.php?login="; http_uri; content:"&key="; http_uri; content:"&subacc="; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:trojan-activity; sid:2013291; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cycbot Initial Checkin to CnC"; flow:established,to_server; content:"id="; http_uri; content:"&hwid="; http_uri; content:"&step="; http_uri; content:"&wd="; http_uri; content:"&av="; fast_pattern; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:trojan-activity; sid:2013292; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Glupteba CnC Checkin"; flow:established,to_server; content:"&downlink="; offset:4; depth:100; content:"&uplink="; distance:0; content:"&id="; distance:0; content:"&statpass="; fast_pattern; distance:0; content:"&version="; distance:0; 
content:"&features="; distance:0; content:"&guid="; distance:0; content:"&comment="; distance:0; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:trojan-activity; sid:2013293; rev:3;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Snake Oil CA"; classtype:policy-violation; sid:2013295; rev:2;) alert tcp any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Server SSL certificate detected"; flow:established,to_client; content:"|16 03 01|"; content:"|0b|"; within:6; content:"Nessus Certification Authority"; nocase; classtype:bad-unknown; sid:2013298; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:2;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|30 2b 06 03 55 04 03 13 24|DivX, Inc. 
Certificate Authority"; distance:0; classtype:policy-violation; sid:2013300; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013303; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013304; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013305; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Nuke Evolution Xtreme pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013306; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules.php?"; nocase; http_uri; content:"name=Tutorials"; nocase; http_uri; content:"t_op=showtutorial"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013307; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013308; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"../"; 
depth:200; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013309; rev:2;)
# WordPress PHP Speedy plugin, title= parameter XSS: URI must contain the admin_container.php path
# and title=, and the pcre looks for script, an on* event-handler name or style= after title= in
# the URI buffer. fast_pattern:55,20 selects a 20-byte slice of the long path for the prefilter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern:55,20; nocase; http_uri; content:"title="; nocase; http_uri; pcre:"/title\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:2;)
# Policy rule: any outbound HTTP request whose headers contain ".dlinkddns.com" followed by CRLF.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; content:".dlinkddns.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013311; rev:3;)
# Ponmocup: GET with /se/ in the URI; the pcre requires a 100-200 character hex segment, a 6-9
# character hex segment and a name ending in .com, which is what keeps the short "/se/" content
# from matching ordinary traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Ponmocup Driveby Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/se/"; nocase; http_uri; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ui"; reference:url,www9.dyndns-server.com%3a8080/pub/botnet/r-cgi_malware_analyse.txt; classtype:bad-unknown; sid:2013312; rev:2;)
# NOTE(review): sid 2013314 looks damaged in this copy. Its only payload condition is the two-byte
# content "/R" after file_data; "/R" resembles the closing delimiter and flag of a pcre option, so
# the real patterns were presumably lost when the page was produced. As printed, the rule would
# alert with classtype trojan-activity on any response body containing "/R", which would bury real
# detections in noise. Do not load it in this form; restore it from the upstream ruleset.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Phoenix Landing Page Obfuscated Javascript 2"; flow:established,to_client; file_data; content:"/R"; classtype:trojan-activity; sid:2013314; rev:3;)
# User-Agent of exactly "Agent" plus 5 or 6 digits (pcre anchored per header line with ^ and $ under
# the m flag); requests whose headers mention .maxthon.com are excluded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; content:!".maxthon.com"; http_header; pcre:"/^User-Agent\x3a Agent\d{5,6}\r?$/Hmi"; classtype:trojan-activity; sid:2013315; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.AdSms 
Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:3;)
# NOTE(review): sid 2013317 looks damaged in this copy. Five of its six content options are empty
# strings; only <|2F|mobile> (the text </mobile>) survives, which suggests the others were XML tag
# names lost when the page was produced. An empty content gives the engine nothing to match and is
# normally rejected at load time, and the distance/within modifiers are relative to those missing
# patterns. Restore the rule from the upstream ruleset before loading it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:""; content:""; content:"<|2F|mobile>"; fast_pattern; within:50; content:""; distance:0; content:""; distance:0; content:""; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:2;)
# Matches the fixed sentence of an infection warning page in an HTTP response body. The alert means
# the client was served that notice, so the internal host is the one to examine.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Google Warning Infected Local User"; flow:established,from_server; file_data; content:"It appears that your computer is infected with software that intercepts your connection to Google and other sites."; distance:0; classtype:trojan-activity; sid:2013318; rev:3;)
# DLL-loading issue (cve 2010-3148): watches outbound HTTP requests whose URI names mfc71 plus a
# 2-3 letter suffix and .dll, i.e. a client fetching that library name from a remote location.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/mfc71"; http_uri; nocase; pcre:"/mfc71[a-z]{2,3}\x2Edll/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"f0="; http_client_body; depth:3; content:"&b0="; distance:0; http_client_body; content:"&pid="; distance:0; http_client_body; reference:url,blog.fortinet.com/zitmo-hits-android/; 
classtype:trojan-activity; sid:2013327; rev:3;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Ruskill CnC Download Command 1"; flow:established,to_client; content:"|3a|["; depth:2; content:".r.getfile http|3a|//"; distance:0; classtype:trojan-activity; sid:2013329; rev:3;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Ruskill CnC Download Command 2"; flow:established,to_client; content:"|3a|n"; depth:2; content:"on .dl http|3a|//"; distance:0; classtype:trojan-activity; sid:2013330; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ruskill Reporting on Local Scans"; flow:established,to_server; content:"PRRVMSG"; depth:7; content:"Port Scan started on"; distance:0; content:"with a delay of"; distance:0; classtype:trojan-activity; sid:2013331; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Landing Page"; flow:established,to_server; content:".cgi?p="; http_uri; content:"&i="; http_uri; content:"&j="; http_uri; content:"&m="; http_uri; content:"&h="; http_uri; content:"&u="; http_uri; content:"&q="; http_uri; content:"&t=201"; http_uri; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23514; classtype:trojan-activity; sid:2013332; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; content:"User-Agent|3a| Search Toolbar"; http_header; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:trojan-activity; sid:2013333; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; content:"Mozilla/5.0 (iPhone"; http_header; content:" OS 4_"; http_header; distance:0; content:!"OS 4_2_1 like"; http_header; pcre:"/OS 4_2_[0-9] like/H"; threshold:type limit, count 1, seconds 600, track by_src; 
reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013336; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.E Keepalive to CnC"; flow:established,to_server; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:url,www.threatexpert.com/report.aspx?md5=fc414168a5b4ca074ea6e03f770659ef; classtype:trojan-activity; sid:2013337; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bifrose Client Checkin"; flow:established,to_server; content:"|00 00 99 4F B9 74 E2 75 94 0A 5A|"; offset:2; depth:11; classtype:trojan-activity; sid:2013338; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.FakeAV.Rean Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1.0|0d 0a|"; depth:26; pcre:"/\/\d{10}$/U"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)|0d 0a|"; fast_pattern:23,20; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0a998a070beb287524f9be6dd650c959; classtype:trojan-activity; sid:2013339; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV/Application JPDesk/Delf checkin"; flow:established,to_server; content:"|2f 3f|data="; http_uri; nocase; content:"jpdesk.com|0d 0a|"; nocase; http_header; pcre:"/\x2f\x3fdata\x3d[a-fA-F0-9]{60}/U"; reference:url,www.threatexpert.com/report.aspx?md5=08f116cf4feff245dca581244e4f509c; classtype:trojan-activity; sid:2013340; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisproc Variant POST to CnC Server"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/GetGrid.asp"; http_uri; content:"SN="; http_client_body; depth:3; content:"&SP="; http_client_body; 
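reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628; classtype:trojan-activity; sid:2013342; rev:3;)
# sid 2013345 - Pamesg/ArchSMS.HL check-in: outbound HTTP request whose URI
# contains ".php?aid=", "&uncv=" and "&skey=" (any order, no distance set).
# Fix: the reference URL had a stray space after "md5=", which breaks the
# link an analyst console builds from the reference field.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Pamesg/ArchSMS.HL CnC Checkin"; flow:established,to_server; content:".php?aid="; http_uri; content:"&uncv="; http_uri; content:"&skey="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=00068992bc003713058a17d50d9e3e14; classtype:trojan-activity; sid:2013345; rev:1;)
# sid 2013346 - Ruftar file stealer: client-to-server data on port 21 that
# begins with "CWD Stealer" (depth:11 pins the match to the first 11 bytes).
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN PSW.Win32.Ruftar.lon File Stealer FTP File Upload"; flow:established,to_server; content:"CWD Stealer"; depth:11; classtype:trojan-activity; sid:2013346; rev:2;)
# sid 2013348 - Zeus request: GET whose header block starts with
# "Accept: */*" followed by "If-None-Match: " (depth:28 equals that string's
# length), then Cache-Control/User-Agent and "Connection: Close" in order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:trojan-activity; sid:2013348; rev:10;)
# sid 2013349 - connectivity check 1: GET of "/" (urilen:1) with a fixed
# User-Agent/Host/Cache-Control header sequence for www.google.com at the
# start of the header block, plus a cookie beginning "PREF=ID=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern:18,20; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:3;)
# sid 2013350 - connectivity check 2 (rule continues on the next line).
# NOTE(review): content:"GET" carries no http_method modifier here, unlike
# variants 1 (sid 2013349) and 3 (sid 2013351), so it is matched against the
# raw payload - confirm whether that is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; 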
urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Connectivity Check of Unknown Origin 3"; flow:to_server,established; content:"GET"; http_method; content:"/images/logo.gif"; http_uri; urilen:16; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.study-centers.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; fast_pattern:45,20; depth:92; classtype:trojan-activity; sid:2013351; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Executable Download Purporting to be JavaScript likely 2nd stage Infection"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a| application/x-javascript"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:trojan-activity; sid:2013352; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; 
reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013362; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN windows_security_update Fake AV download"; flow:established,from_server; file_data; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; content:"PUT"; http_method; content:".|3a 3a|[+] Defaced by "; nocase; http_client_body; classtype:web-application-attack; sid:2013365; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Checkin"; flow:established,to_server; content:"/ping.php?v="; http_uri; content:"&cid="; http_uri; content:"&s="; http_uri; content:"&wid="; http_uri; content:"&fid="; http_uri; content:"&step="; http_uri; classtype:trojan-activity; sid:2013366; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyloggerOnline Keylogger Checkin (kill)"; flow:established,to_server; content:"/kill/"; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Internet Explorer|0d 0a|Host|3a| "; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:trojan-activity; sid:2013367; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyloggerOnline Keylogger Checkin (sleep)"; flow:established,to_server; content:"/sleep"; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Internet Explorer|0d 0a|Host|3a| "; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:trojan-activity; sid:2013368; rev:1;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyloggerOnline Keylogger Checkin (go https)"; flow:established,to_server; content:"/https"; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Internet Explorer|0d 0a|Host|3a| "; content:!"|0d 0a|Accept"; reference:url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef; classtype:trojan-activity; sid:2013369; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Oliga Fake User Agent"; flow:established,to_server; content:"User-Agent|3A| Mozilla/4.75 [en]"; http_header; fast_pattern:11,18; content:!"Linux"; http_header; classtype:trojan-activity; sid:2013372; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV oms.php Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/oms.php"; http_uri; content:"data="; http_client_body; depth:5; classtype:trojan-activity; sid:2013373; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV User-Agent XML"; flow:established,to_server; content:"User-Agent|3A| XML|0D 0A|"; http_header; classtype:trojan-activity; sid:2013374; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Nolja Trojan Downloader Initial Checkin"; flow:established,to_server; content:"/info.php?pid="; http_uri; content:"&bo_table="; http_uri; content:"&wr_id="; http_uri; content:"&mac="; http_uri; classtype:trojan-activity; sid:2013375; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Nolja Trojan User-Agent (FileNolja)"; flow:established,to_server; content:"FileNolja"; http_header; nocase; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*FileNolja/Hi"; classtype:trojan-activity; sid:2013376; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Alunik User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| Alun4ik"; http_header; classtype:trojan-activity; sid:2013377; rev:1;) alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.de.ms domain"; flow:to_server,established; content:".de.ms|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013378; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern:only; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:trojan-activity; sid:2013382; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fakealert.Rena CnC Checkin 1"; flow:established,to_server; content:"/images/thanks_25.php?id="; fast_pattern:only; content:"HTTP/1.1|0d 0a|User-Agent"; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; 
content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2013383; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Siscos CnC Checkin"; flow:established,to_server; content:"/getcommand.php?getcmd="; http_uri; content:"&uid="; http_uri; content:"&port="; http_uri; classtype:trojan-activity; sid:2013384; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Accept-encode HTTP header with UA indicating infected host"; flow:established,to_server; content:"Accept-encode|3a| "; fast_pattern; http_header; content:"Accept-Encoding|3a| "; http_header; threshold:type limit, count 1, seconds 360, track by_src; classtype:trojan-activity; sid:2013385; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/FakeAlert Fake Security Tool Checkin"; flow:established,to_server; content:"==/count.htm"; http_uri; reference:url,threatexpert.com/reports.aspx?find=03abdc31d0f864c7b69b09d6481d3ff7; classtype:trojan-activity; sid:2013386; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User Agent Ryeol HTTP Client Class"; flow:established,to_server; content:"User-Agent|3A 20|Ryeol HTTP Client Class"; http_header; classtype:trojan-activity; sid:2013387; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; content:"User-Agent|3A| MM "; http_header; pcre:"/User-Agent\x3a MM \d\.\d+\x0d\x0a/H"; classtype:trojan-activity; sid:2013388; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:trojan-activity; sid:2013389; rev:1;) alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent 3653Client"; flow:established,to_server; content:"User-Agent|3A 20|3653Client"; http_header; classtype:trojan-activity; sid:2013390; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ufasoft bitcoin Related User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|Ufasoft"; http_header; classtype:trojan-activity; sid:2013391; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hupigon.B User Agent TSDownload"; flow:established,to_server; content:"User-Agent|3A 20|TSDownload"; http_header; classtype:trojan-activity; sid:2013392; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SpeedRunner User-Agent SRRemove"; flow:established,to_server; content:"User-Agent|3A| SRRemove"; http_header; classtype:trojan-activity; sid:2013394; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent _updater_agent"; flow:established,to_server; content:"User-Agent|3A 20|_updater_agent"; http_header; classtype:trojan-activity; sid:2013395; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Skintrim CnC Checkin"; flow:established,to_server; content:"/binaries/bin.php?id="; http_uri; content:"&plateform="; http_uri; content:"&mh="; http_uri; content:"&me="; http_uri; classtype:trojan-activity; sid:2013396; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Pandex Trojan Dropper Initial Checkin"; flow:established,to_server; content:"?r="; http_uri; content:"&hdd="; http_uri; content:"&gen="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2013397; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Momibot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; 
content:"byE8PCdtbzE6PTU8czo3"; http_client_body; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:trojan-activity; sid:2013398; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Momibot Ping Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; content:"byE8PCdtbyM6PTRzOjdu"; http_client_body; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:trojan-activity; sid:2013399; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; flow:established,to_server; content:"GET"; http_method; content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; http_uri; classtype:policy-violation; sid:2013400; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Winshow User Agent"; flow:established,to_server; content:"User-Agent|3A 20|WinShow Installer"; http_header; classtype:trojan-activity; sid:2013401; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent ksdl_1_0"; flow:established,to_server; content:"User-Agent|3A 20|ksdl_"; http_header; classtype:trojan-activity; sid:2013404; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; content:"Mozilla/5.0 |28|iPhone"; http_header; content:" OS 4_"; http_header; distance:0; content:!"OS 4_2_1 like"; http_header; pcre:"/OS 4_2_[0-9] like/H"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; 
reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013408; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET TROJAN Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:isset,ET.MSSQL; content:"|49 00 B4 00 4D 00 20 00 54 00 48 00 45 00 20 00 4D 00 41 00 53 00 54 00 45 00 52 00|"; classtype:trojan-activity; sid:2013411; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.co.com.au domain"; flow:to_server,established; content:".co.com.au|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013412; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; fast_pattern:only; classtype:trojan-activity; sid:2013413; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; 
classtype:bad-unknown; sid:2013414; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013415; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; content:"GET //"; fast_pattern; depth:6; content:"HTTP/1.1|0d 0a|TE|3a| deflate,gzip|3b|q=0.3|0d 0a|Connection|3a| TE, close|0d 0a|Host|3a| "; content:"User-Agent|3a| "; within:100; content:!"libwww-perl/"; http_header; pcre:"/^TE\x3a deflate,gzip\x3bq=0\.3\r\nHost\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n$/H"; threshold:type threshold, track by_dst, count 10,seconds 20; classtype:attempted-recon; sid:2013416; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2"; flow:established,to_server; content:".php?id="; http_uri; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla"; content:"|0d 0a|Host|3a| "; within:100; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:60; content:!"Accept"; http_header; pcre:"/\.php\?id=\d{2,4}$/U"; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:trojan-activity; sid:2013419; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV FakeAlertRena.n Checkin NO Response 
from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; dsize:<200; content:"Content-Length|3a| 2|0d 0a|"; http_header; file_data; content:"NO"; within:2; classtype:trojan-activity; sid:2013420; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; content:"go2000.cn"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*go2000\x2Ecn/Hi"; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:trojan-activity; sid:2013422; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN User-Agent in Referer Field - Likely Malware"; flow:established,to_server; content:"Referer|3A 20|Mozilla/4.0 "; http_header; classtype:trojan-activity; sid:2013423; rev:7;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=eshop-templates.php"; nocase; http_uri; content:"eshoptemplate="; nocase; http_uri; pcre:"/eshoptemplate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013425; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=eshop-orders.php"; nocase; http_uri; content:"action="; nocase; http_uri; pcre:"/action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013426; 
rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=eshop-orders.php"; nocase; http_uri; content:"viewemail="; nocase; http_uri; pcre:"/viewemail\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013427; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 1"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6C10489-FB89-11D4-93C9-006008A7EED4/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013428; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 2"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013429; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow 
Vulnerability 3"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013430; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 4"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013431; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 5"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013432; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; 
content:"/index.php?"; nocase; http_uri; content:"option=com_jfeedback"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,xforce.iss.net/xforce/xfdb/57654; classtype:web-application-attack; sid:2013433; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability"; flow:established,to_server; content:"/snarf_ajax.php?"; nocase; http_uri; content:"url="; http_uri; content:"ajax="; nocase; http_uri; pcre:"/ajax\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/103179/tikiwiki7-xss.txt; classtype:web-application-attack; sid:2013434; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"User-Agent|3a 20|Mozilla/4.0|20 28|compatible|3b 20|MSIE 2.0|3b|"; http_header; fast_pattern:36,9; content:"Referer|3a 20|http|3a 2f 2f|www.google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013435; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Redirection to driveby Page Home index.php"; flow:established,from_server; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; classtype:bad-unknown; sid:2013436; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013438; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dirt Jumper/Russkill3 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0"; content:"k="; fast_pattern; depth:2; http_client_body; pcre:"/k=\d{15}/P"; 
reference:md5,10e7af7057833a19097cb22ba0bd1b99; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; classtype:trojan-activity; sid:2013439; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mnless Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"cpname="; http_client_body; depth:7; content:"&hardid="; distance:0; http_client_body; content:"&netid="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&sname="; distance:0; http_client_body; content:"&ver="; distance:0; http_client_body; content:"&val="; distance:0; http_client_body; classtype:trojan-activity; sid:2013443; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Onescan FraudWare User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|test_hInternet"; http_header; classtype:trojan-activity; sid:2013444; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/NetShare User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|netsharingsite.com"; http_header; classtype:trojan-activity; sid:2013445; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 882 (msg:"ET TROJAN Win32/TrojanDownloader.Chekafe.D User-Agent my_check_data On Off HTTP Port"; flow:established,to_server; content:"User-Agent|3A 20|my_check_data"; fast_pattern:only; classtype:trojan-activity; sid:2013446; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 882 (msg:"ET TROJAN 
Win32/TrojanDownloader.Chekafe.D Initial Checkin"; flow:established,to_server; content:"/count.php?id="; content:"&isInst="; distance:0; content:"&lockcode="; distance:0; content:"&pc="; distance:0; content:"&PcType="; distance:0; content:"&AvName="; distance:0; content:"&ProCount="; distance:0; classtype:trojan-activity; sid:2013447; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:trojan-activity; sid:2013448; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Troxen Downloader Checkin"; flow:established,to_server; content:"/active_count.php?"; http_uri; content:"?mac="; http_uri; content:"&pid="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=c936b15a8f7a3732bc16ee36693831ec; classtype:trojan-activity; sid:2013450; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; depth:11; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:trojan-activity; sid:2013451; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (go-diva)"; flow:to_server,established; content:"User-Agent|3a| go-diva"; http_header; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:trojan-activity; sid:2013452; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; content:"GET"; http_method; content:"/rest/"; http_uri; content:"/softwareProductLink?"; http_uri; content:"productSetId="; http_uri; content:!"User-Agent|3a| "; http_header; 
content:!"Referer|3a| "; http_header; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CNET TechTracker Software Manager request"; flow:established,to_server; content:"GET"; http_method; content:"/rest/"; http_uri; content:"Report?"; http_uri; content:"Id="; http_uri; content:!"User-Agent: "; http_header; content:!"Referer: "; http_header; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2013454; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (GUIDTracker)"; flow:to_server,established; content:"User-Agent|3a| GUIDTracker"; http_header; reference:url,threatexpert.com/report.aspx?md5=7a8807f4de0999dba66a8749b2366def; classtype:trojan-activity; sid:2013455; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/VB.HV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/popcode.php?aid="; http_uri; content:"&lc="; http_uri; content:"&domain="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV; classtype:trojan-activity; sid:2013456; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BitCoin User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*BitCoin/Hi"; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.c0m.li domain"; flow:to_server,established; content:".c0m.li|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013460; rev:2;) alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Win32/Wizpop Initial 
Checkin"; flow:established,to_server; content:"User-Agent|3a| WizPop"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:trojan-activity; sid:2013461; rev:2;)
# sid:2013462 - HTTP response body (file_data) containing an <OBJECT> tag whose classid is the
# CLSID 22C83263-E4B8-4233-82CD-FB047C6BF13E, plus a reference to .FindCountriesByNamePattern.
# The cheap content matches act as a prefilter; the pcre then confirms that the CLSID really sits
# inside the classid attribute of the <OBJECT> tag. The method-name content carries no distance or
# within, so it may appear anywhere in the body, before or after the tag.
# NOTE(review): the msg category is "ET DOS" but the classtype is web-application-attack, and the
# sibling rule sid:2013463 uses attempted-user for the same control - confirm which priority is wanted.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:2;)
# sid:2013463 - script-instantiation variant of the rule above: the response body contains
# "ActiveXObject" followed by the ProgID "SkypePNRLib.PNR", plus the method name anywhere.
# There is no pcre here, so the three strings only have to co-occur in the body; expect this to
# fire on any page that merely mentions them together (write-ups, scanner test pages).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:2;)
# sid:2013464 - inbound GET to the UnGallery plugin path with a pic= parameter and a "../" sequence.
# NOTE(review): the last content ("|2e 2e 2f|", i.e. "../") has no http_uri modifier, so it is
# searched in the first 200 bytes of the raw payload, not in the normalized URI buffer the other
# contents use; it is also not tied to the pic= value. nocase has no effect on "../". Consider
# whether http_uri was intended, as it would make the check follow the HTTP preprocessor's
# normalization of the request line.
# NOTE(review): the reference URL names a RhinOS advisory (RhinOS3.0r1113-lfi.txt) while the msg
# and URI are for WordPress UnGallery - looks like a carried-over reference; confirm before relying
# on it during triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/ungallery/source_vuln.php?"; http_uri; nocase; content:"pic="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/99004/RhinOS3.0r1113-lfi.txt; classtype:web-application-attack; sid:2013464; rev:2;)
# Start of sid:2013465 (EasySiteEdit langval remote file inclusion); the rule continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion 
Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/sublink.php?"; nocase; http_uri; content:"langval="; nocase; http_uri; pcre:"/langval=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/104292/easysiteedit-rfi.txt; classtype:web-application-attack; sid:2013465; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/guestbook/blocks/control.block.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; pcre:"/lang=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/93285/diycms-rfi.txt; classtype:web-application-attack; sid:2013466; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/103680/joomlacommunity-sql.txt; classtype:web-application-attack; sid:2013467; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013468; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET 
WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013469; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013470; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_community"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013471; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; http_header; fast_pattern:only; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; http_header; content:"bytes="; http_header; fast_pattern; nocase; distance:0; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; http_header; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SUSPICIOUS *.doc.exe in HTTP URL"; flow:to_server,established; content:".doc.exe"; http_uri; nocase; classtype:bad-unknown; sid:2013475; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP URL"; flow:to_server,established; content:".pdf.exe"; http_uri; nocase; classtype:bad-unknown; sid:2013476; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.doc.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".doc.exe"; nocase; distance:0; http_header; classtype:bad-unknown; sid:2013477; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; http_header; fast_pattern; classtype:bad-unknown; sid:2013478; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; 
classtype:misc-activity; sid:2013479; rev:4;)
# Morto DNS rules (sid:2013480-2013483). Shared shape:
#   content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
# skips the 2-byte DNS transaction ID and requires flags 0x0100 (standard query, recursion
# desired), QDCOUNT=1 and ANCOUNT=NSCOUNT=ARCOUNT=0. The second content is the queried name in
# DNS wire format (length-prefixed labels) and is the fast pattern.
# Coverage limits that follow from the rule text:
#   - UDP/53 only; the same lookup over TCP is not inspected by these rules.
#   - ARCOUNT must be 0, so a query carrying an additional record (e.g. an EDNS0 OPT record)
#     does not match the header check.
#   - The name content has no nocase, so only the all-lowercase spelling matches.
#   - The name is not anchored to the end of the QNAME, so it also matches when these labels
#     appear as part of a longer name (subdomains, or the labels followed by further labels).
# sid:2013480 - qfsl.net
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|03|net"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013480; rev:2;)
# sid:2013481 - jaifr.com (5-byte label "jaifr")
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jaifr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jaifr|03|com"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013481; rev:2;)
# sid:2013482
# NOTE(review): msg and pattern disagree. The msg names jaifr.net, but the content encodes
# "|04|jifr|03|net" = jifr.net (4-byte label). As written, a query for jaifr.net does not match,
# and a query for jifr.net raises an alert that names a different domain. Wire format for
# jaifr.net would be "|05|jaifr|03|net". Confirm which domain is intended and fix the other
# side; analysts pivoting on the alert text will otherwise search logs for the wrong name.
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jaifr.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|03|net"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013482; rev:3;)
# sid:2013483 - jifr.co.cc
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.co.cc"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|02|co|02|cc"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013483; rev:2;)
# sid:2013488 - outbound "GET /" to www.bing.com with a fixed header order.
# The first content is exactly 60 bytes and depth:60 pins it to the very start of the payload:
# request line, then Accept, Connection: Close and User-Agent in that order. The rule then needs
# a Host: www.bing.com header after it, no Referer header, and the string ": no-cache" somewhere.
# No http_* buffers are used, so matching is on the raw stream and depends on exact header
# spelling and spacing. The User-Agent value itself is not checked.
# NOTE(review): a connectivity check to a legitimate site is a weak indicator on its own;
# presumably meant to be correlated with other alerts from the same host - confirm in triage docs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Bing checking Internet connectivity"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; depth:60; content:"|0d 0a|Host|3a| www.bing.com"; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; content:"|3a| no-cache"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013488; rev:1;)
# Start of sid:2013489 (Best Pack exploit pack binary load request); the rule continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Best Pack Exploit Pack Binary 
Load Request"; flow:established,to_server; content:".php?e="; http_uri; content:"&o="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; pcre:"/\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$/U"; reference:url,www.kahusecurity.com/2011/best-pack/; classtype:bad-unknown; sid:2013489; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN McAfee/Foundstone Scanner Web Scan"; flow:established,to_server; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| Windows NT 6.1|3B| en-US)|0D 0A|"; http_header; fast_pattern:20,20; content:"|0D 0A|Accept-Encoding|3A| text|0D 0A|"; http_header; threshold: type both, count 2, seconds 120, track by_src; reference:url,www.mcafee.com/us/products/vulnerability-manager.aspx; classtype:attempted-recon; sid:2013492; rev:3;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.co.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|02|co|02|be"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013493; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.co.cc"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|02|co|02|cc"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013494; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|04|info"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013495; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.co.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
content:"|04|jifr|02|co|02|be"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013496; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; content:"/WiPlayer?movieid="; http_uri; content:"Host|3a| movies.netflix.com|0d 0a|"; http_header; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; content:"POST"; http_method; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Wizpop Checkin"; flow:established,to_server; content:"/count.asp?exe="; http_uri; content:"&act="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:trojan-activity; sid:2013502; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OS X Software Update Request Outbound"; flow:established,to_server; content:"User-Agent|3A| Software Update|2F|"; http_header; content:" Darwin|2F|"; http_header; within:48; reference:url,www.apple.com/softwareupdate/; classtype:policy-violation; sid:2013503; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_header; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; 
content:"|20|yum|2F|"; http_header; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/; classtype:policy-violation; sid:2013505; rev:1;) alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET TROJAN W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dynamer Trojan Dropper User-Agent VB Http"; flow:established,to_server; content:"User-Agent|3A 20|VB Http"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FDynamer!dtc; classtype:trojan-activity; sid:2013507; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader User-Agent HTTPGET"; flow:established,to_server; content:"User-Agent|3A 20|HTTPGET"; http_header; content:!"autodesk.com|0d 0a|"; http_header; content:!"rsa.com"; http_header; content:!"consumersentinel.gov"; http_header; content:!"technet.microsoft.com"; http_header; content:!"metropolis.com"; http_header; classtype:trojan-activity; sid:2013508; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lalus Trojan Downloader Checkin"; flow:established,to_server; content:".php?guid="; http_uri; content:"&h="; http_uri; content:"&v="; http_uri; content:"&affid="; http_uri; content:"&update="; http_uri; content:"&brand="; http_uri; classtype:trojan-activity; sid:2013509; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lalus Trojan Downloader User Agent (Message Center)"; flow:established,to_server; content:"User-Agent|3A 20|Message Center|0D 0A|"; http_header; 
classtype:trojan-activity; sid:2013510; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/CazinoSilver Checkin"; flow:established,to_server; content:".php?key="; http_uri; content:"User-Agent|3A 20|DMFR|0D 0A|"; http_header; fast_pattern:12,6; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2013511; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MadeByLc)"; flow:established,to_server; content:"User-Agent|3A 20|MadeBy"; http_header; classtype:trojan-activity; sid:2013512; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bancos Reporting"; flow:established,to_server; content:".php?codigo="; http_uri; content:"&g_id="; http_uri; content:"&g_windows="; http_uri; content:"&func_versao_ie="; http_uri; content:"&firefox="; http_uri; content:"&primeira_versao_update="; http_uri; content:"&ultimo_acesso="; http_uri; classtype:trojan-activity; sid:2013513; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TR/Spy.Gen checkin via dns ANY query"; content:"|01 00 00 01 00 00 00 00 00 00 32|"; depth:11; offset:2; content:"|00 00 FF 00 01|"; pcre:"/\x32[0-9a-f]{50}/"; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,www.threatexpert.com/report.aspx?md5=2519bdb5459bc9f59f59cd7ccb147d23; classtype:trojan-activity; sid:2013516; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Loader Request List.php"; flow:established,to_server; content:"/list.php?c="; http_uri; depth:12; content:"&v="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013518; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; 
content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 1"; flow:established,to_server; content:"|40 40 40 40 48 4B 4B 4B 4B 49 49 49 49 47 47 47 47|"; offset:5; depth:17; classtype:trojan-activity; sid:2013522; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 2"; flow:established,to_server; content:"|0B 0B 0B 0B 03 00 00 00 00 02 02 02 02 0C 0C 0C 0C|"; offset:5; depth:17; classtype:trojan-activity; sid:2013523; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 3"; flow:established,to_server; content:"|AC AC AC AC A4 A7 A7 A7 A7 A5 A5 A5 A5 AB AB AB AB|"; offset:5; depth:17; classtype:trojan-activity; sid:2013524; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 4"; flow:established,to_server; content:"|DD DD DD DD D5 D6 D6 D6 D6 D4 D4 D4 D4 DA DA DA DA|"; offset:5; depth:17; classtype:trojan-activity; sid:2013525; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 5"; flow:established,to_server; content:"|7A 7A 7A 7A 72 71 71 71 71 73 73 73 73 7D 7D 7D 7D|"; offset:5; depth:17; classtype:trojan-activity; sid:2013526; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 6"; flow:established,to_server; content:"|B5 B5 B5 B5 BD BE BE BE BE BC BC BC BC B2 B2 B2 B2|"; offset:5; depth:17; classtype:trojan-activity; sid:2013527; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 7"; flow:established,to_server; content:"|6F 6F 6F 6F 67 64 
64 64 64 66 66 66 66 68 68 68 68|"; offset:5; depth:17; classtype:trojan-activity; sid:2013528; rev:3;)
# Spyeye "Data Exfiltration N" rules: a 17-byte binary pattern with offset:5; depth:17, which
# leaves exactly one position for it - payload bytes 5 through 21 of an established
# client-to-server TCP stream on any port. No protocol buffers are involved.
# sid:2013529
# NOTE(review): the content bytes here are identical to those of sid:2013521 ("Spyeye Data
# Exfiltration 0") earlier in this file, with the same offset and depth. Any traffic that matches
# one matches the other, so variant "8" has no distinct signature and each hit raises two alerts.
# Likely a copy error when the series was generated - confirm the intended bytes against the
# original analysis, or retire one of the two sids.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 8"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013529; rev:3;)
# sid:2013530 - same shape, variant 9.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 9"; flow:established,to_server; content:"|0F 0F 0F 0F 07 04 04 04 04 06 06 06 06 08 08 08 08|"; offset:5; depth:17; classtype:trojan-activity; sid:2013530; rev:3;)
# sid:2013532 - Fynloski command sent to an internal host: payload starts with "#BOT#" followed
# by one of the listed command names. Both ports must be 1024 or higher. flow:to_server together
# with $EXTERNAL_NET -> $HOME_NET means the internal host is the TCP server on this connection.
# The content is case-sensitive, so the /i on the pcre only relaxes the command name.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Command Request"; flow:to_server,established; content:"#BOT#"; depth:5; pcre:"/^\x23BOT\x23(VisitUrl|OpenUrl|Ping|RunPrompt|CloseServer|SvrUninstall|URLUpate|URLDownload)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013532; rev:2;)
# sid:2013533 - Fynloski status message leaving an internal host: payload starts with "#botCommand%".
# NOTE(review): the pcre alternation ends in "|)", i.e. an empty alternative, so the group always
# matches and the pcre adds nothing beyond the "#botCommand%" prefix that the content already
# requires. If the intent is to alert only on the listed status strings, the trailing "|" should
# go; if any "#botCommand%" message should alert, the pcre can be dropped to save the regex call.
# NOTE(review): this rule also uses flow:to_server, but with $HOME_NET as the source, so here the
# external host must be the TCP server. A reply on the same connection as a sid:2013532 match would
# be from_server and would not match - confirm which side initiates in the observed traffic.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; depth:12; pcre:"/^\x23botCommand\x25(close\x20command|Error|Finish|Http\x20Flood|Mass\x20Download|Respond\x20\x5bOK|Syn\x20Flood|UDP\x20Flood|uninstall|Update|)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013533; rev:2;)
# Start of sid:2013534 (VBInject check-in: /iLog.php?dl= ... &log= with a "User-Agent: IE" header);
# the rule continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; content:"/iLog.php?dl="; fast_pattern:only; http_uri; content:"&log="; http_uri; content:"User-Agent|3a| IE"; http_header; 
reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:trojan-activity; sid:2013534; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.tc domain"; flow:to_server,established; content:".tc|0d 0a|"; fast_pattern:only; http_header; pcre:"/^Host\x3a[^\r\n]+\.tc\r?$/Hmi"; classtype:bad-unknown; sid:2013535; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses"; flow:established,to_server; content:"/distrib_serv/ip_list_"; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013536; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server"; flow:established,to_server; content:"/search=ip_list_"; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013537; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server"; flow:established,to_server; content:"/search="; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013538; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; content:"knock.php?ver="; http_uri; content:"&sid="; http_uri; content:" HTTP/1.1|0d 
0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013539; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; content:".php?pi="; fast_pattern:only; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 6.0)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013540; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution"; http_header; reference:url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9; classtype:trojan-activity; sid:2013542; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013543; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google"; flow:established,to_server; content:"/whatever.exe"; fast_pattern; http_uri; content:"Host|3A 20|google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013544; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Gagolino Banking Trojan Reporting to CnC"; flow:established,to_server; content:"?op="; http_uri; content:"&macaddress="; http_uri; content:"&pcname="; http_uri; content:"&nomeusuario="; http_uri; content:"&serialhd="; http_uri; content:"&versaowindows="; http_uri; content:"&versaoatual="; http_uri; content:"&arquivosplugins="; http_uri; content:"&origem="; http_uri; classtype:trojan-activity; sid:2013546; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 54 (msg:"ET TROJAN 
Win32.Unknown.UDP.edsm CnC traffic"; content:"|65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d|"; offset:16; depth:16; threshold:type limit, track by_src, count 1, seconds 600; reference:url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef; classtype:trojan-activity; sid:2013547; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fivfrom Downloader (Unitrix)"; flow:established,to_server; content:".php?seller="; http_uri; content:"&hash={"; http_uri; pcre:"/hash=\{[a-f0-9]+-/Ui"; classtype:trojan-activity; sid:2013555; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UBar Trojan/Adware Checkin 1"; flow:established,to_server; content:"?gname="; http_uri; content:"&pid="; http_uri; content:"&m="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; reference:url,www.threatexpert.com/report.aspx?md5=81a119f7f47663c03053e76146f54fe9; classtype:trojan-activity; sid:2013556; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UBar Trojan/Adware Checkin 2"; flow:established,to_server; content:"inst.php?"; http_uri; content:"pcode="; http_uri; content:"&ucode="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; classtype:trojan-activity; sid:2013557; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UBar Trojan/Adware Checkin 3"; flow:established,to_server; 
content:"size.php?"; http_uri; content:"file="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; classtype:trojan-activity; sid:2013558; rev:1;)
# sid:2013559 - outbound request whose User-Agent header starts with "JEDI-VCL".
# The negated content suppresses the alert when "apexwin.com" followed by CRLF appears anywhere in
# the headers. It is not tied to the Host header, so the same string at the end of another header
# line (a Referer, for instance) also suppresses the alert.
# NOTE(review): a library-default User-Agent is a weak indicator by itself; presumably the
# exclusion was added for a known benign user of the same library - confirm and extend per site.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delphi Trojan Downloader User-Agent (JEDI-VCL)"; flow:established,to_server; content:"User-Agent|3a| JEDI-VCL"; http_header; content:!"apexwin.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013559; rev:5;)
# sid:2013560 - GET for /Storm3-607.exe (any case) with an "InnoTools_Downloader" User-Agent.
# Tied to one exact file name, so a renamed or re-versioned installer is not covered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potentially Unwanted Program Storm3-607.exe Download Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/Storm3-607.exe"; nocase; http_uri; content:"User-Agent|3a| WindSoft"; http_header; classtype:trojan-activity; sid:2013560; rev:2;)
# sid:2013561 - User-Agent header that is exactly "WindSoft" (terminated by CRLF, case-sensitive;
# the msg spells it in lowercase but the match is on the mixed-case form).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (windsoft)"; flow:established,to_server; content:"User-Agent|3a| WindSoft|0d 0a|"; http_header; classtype:trojan-activity; sid:2013561; rev:2;)
# sid:2013562 - inbound GET to /libraries/lib-view-main.inc.php with a row= parameter.
# NOTE(review): the msg and the content name the "row" parameter, but the pcre tests a different
# parameter, "basedir_save=", for a ftp(s)/http(s)/php scheme. The rule therefore only fires when
# the URI contains both "row=" and "basedir_save=<scheme>:/", and a remote URL supplied in row=
# alone is not detected. The pcre looks carried over from another rule; it probably should test
# the row= value - confirm the parameter against the advisory. No reference is attached to this
# rule, so the advisory has to be located first.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openads row Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/libraries/lib-view-main.inc.php?"; nocase; http_uri; content:"row="; nocase; http_uri; pcre:"/basedir_save=\s*(ftps?|https?|php)\x3a\//Ui"; classtype:web-application-attack; sid:2013562; rev:4;)
# sid:2013563 - inbound GET to /bug_actiongroup_ext_page.php with an action= parameter and "../".
# NOTE(review): the "|2e 2e 2f|" content has no http_uri modifier, so it is searched in the first
# 200 bytes of the raw payload instead of the normalized URI buffer used by the other contents,
# and it is not tied to the action= value. nocase is a no-op on "../". Adding http_uri would make
# the traversal check follow the HTTP preprocessor's URI normalization; confirm the original intent.
# The msg does not name the affected product - add it so the alert is actionable in triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_ext_page.php script Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bug_actiongroup_ext_page.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; sid:2013563; rev:2;)
# Start of sid:2013564 (same check for bug_actiongroup_page.php); the rule continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_page.php script Local File Inclusion Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"/bug_actiongroup_page.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; sid:2013564; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"658ED6E7-0DA1-4ADD-B2FB-095F08091118"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*658ED6E7-0DA1-4ADD-B2FB-095F08091118/si"; classtype:web-application-attack; sid:2013565; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Possible Memory Corruption Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1"; nocase; distance:0; classtype:attempted-user; sid:2013566; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pranian Group e107 page Parameter Cross Site Scripting Vulnerability Attempt"; flow:established,to_server; content:"/plugins/pviewgallery/pviewgallery.php?"; nocase; http_uri; content:"album="; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; sid:2013567; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OneFileCMS p parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/onefilecms.php?"; nocase; http_uri; content:"p="; nocase; http_uri; 
pcre:"/p\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; sid:2013568; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS University Of Vermont intro Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/magicscript.php?"; nocase; http_uri; content:"Page="; nocase; http_uri; content:"intro="; nocase; http_uri; pcre:"/intro=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; sid:2013569; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Send Status Result"; 
flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:bad-unknown; sid:2013658; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"SomeOrganizationalUnit"; classtype:policy-violation; sid:2013659; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Exploit Pack Binary Load Request (server_privileges.php)"; flow:established,to_server; content:"/server_privileges.php?"; http_uri; pcre:"/\/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$/U"; classtype:trojan-activity; sid:2013663; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (listdir)"; flow:to_server,established; content:"/listdir.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013668; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (mkdir)"; flow:to_server,established; content:"/mkdir.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; 
reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013669; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (fsize)"; flow:to_server,established; content:"/fsize.php?name="; http_uri; content:"/WF-update.log"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013670; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (touch)"; flow:to_server,established; content:"/touch.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013671; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Riberow.A (postit3)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/postit3.php"; http_uri; content:"Content-Type|3A| multipart/form-data|3B| boundary="; http_header; reference:url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013672; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013673; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter DELETE FROM SQL Injection Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013674; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013675; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013676; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tune-library/tune-library-ajax.php?"; nocase; http_uri; content:"letter="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,49553; classtype:web-application-attack; sid:2013677; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jr_questionnaire Directory Traversal Attempt"; 
flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jr_questionnaire"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/102784/joomlajrqn-traversal.txt; classtype:web-application-attack; sid:2013678; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"type="; http_uri; content:"lien_2="; fast_pattern:only; nocase; http_uri; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla EZ Realty id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ezrealty"; nocase; http_uri; content:"task="; nocase; http_uri; content:"id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/104017/joomlarealestate-sql.txt; classtype:web-application-attack; sid:2013680; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS American Bankers Association Cross Site Scripting Attempt"; flow:established,to_server; content:"/Search2/searchaba.aspx?"; nocase; http_uri; content:"SearchPhrase="; nocase; http_uri; pcre:"/SearchPhrase\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/103855/aba-xss.txt; classtype:web-application-attack; sid:2013681; rev:2;) 
# sid 2013682: GET to /index.php with action=do_download and download_file= in the URI.
# The "../" bytes (|2e 2e 2f|) are matched in the first 200 bytes of the raw payload, not in
# an HTTP buffer, so a percent-encoded traversal sequence would not satisfy this content.
# NOTE(review): confirm whether that gap matters for your sensors. "nocase" has no effect on
# these three bytes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simplis CMS download_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"action=do_download"; nocase; http_uri; content:"download_file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/99797/simpliscms-disclose.txt; classtype:web-application-attack; sid:2013682; rev:2;)
# sid 2013683: outbound to TCP/3306 carrying the literal text "SHOW COLUMNS FROM webronaldogyn01";
# the match is case-sensitive and may occur anywhere in the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET TROJAN Win32.Parite Checkin SQL Database"; flow:established,to_server; content:"SHOW COLUMNS FROM webronaldogyn01"; reference:url,www.threatexpert.com/report.aspx?md5=19441bc629e6c1dcb54cb5febdf9a22d; classtype:trojan-activity; sid:2013683; rev:2;)
# sid 2013684: informational. Matches ".dtdns.net" followed by CRLF anywhere in the request
# headers; the content is not tied to the Host header, so another header value ending in
# .dtdns.net would also match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.dtdns.net domain"; flow:to_server,established; content:".dtdns.net|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013684; rev:2;)
# sid 2013685: the normalized URI must end (pcre "$" with /U) in
# .php?w=<digits>&i=<32 lowercase hex chars>&a=<digits>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 1"; flow:established,to_server; content:".php?w="; http_uri; content:"&i="; http_uri; content:"&a="; http_uri; pcre:"/\.php\?w=\d+&i=[0-9a-f]{32}&a=\d+$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:trojan-activity; sid:2013685; rev:1;)
# "Activity 2" variant: URI ends in .php?w=<digits>&fail=<digits>&i=<32 lowercase hex chars>.
# The rule's remaining options (reference, classtype, sid) follow on the next line of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; 
reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:trojan-activity; sid:2013686; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shylock Module Data POST"; flow:established,to_server; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&query="; http_client_body; content:"&data="; http_client_body; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/P"; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013687; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern:only; http_uri; content:"User-Agent|3a| Apache-HttpClient/"; http_header; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; 
content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; nocase; content:".php?gd="; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:trojan-activity; sid:2013701; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Downloader User-Agent (NOPE)"; flow:established,to_server; content:"User-Agent|3a| N0PE"; http_header; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=b0b7c391d084974b2666c1c57b349b62&id=711369; reference:url,www.virustotal.com/file-scan/report.html?id=54dcad20b326a409c09f1b059925ba4ba260ef58297cda1421ffca79942a96a5-1305296734; classtype:trojan-activity; sid:2013702; rev:2;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Suspicious Self Signed SSL Certificate to 'My Company Ltd'"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"My Company Ltd"; classtype:bad-unknown; sid:2013703; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013704; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; 
sid:2013705; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013706; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013707; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_n-myndir"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013708; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Annonces Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?"; nocase; http_uri; content:"abspath="; nocase; http_uri; 
pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/105224/wpannonces-rfi.txt; classtype:web-application-attack; sid:2013709; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; content:"/do/SDM"; nocase; http_uri; content:"action="; nocase; http_uri; content:"User-Agent|3a| AHTTPConnection"; nocase; http_header; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery workaround_dir parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upload/tfu_upload.php?"; nocase; http_uri; content:"workaround_dir="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013711; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery install_path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/tfu_login.php?"; nocase; http_uri; content:"install_path="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013712; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joostina CMS users component Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_users"; nocase; http_uri; content:"user="; nocase; http_uri; content:"and"; nocase; http_uri; 
content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/100853/joostinausers-sql.txt; classtype:web-application-attack; sid:2013713; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; content:"User-Agent|3A 20|BingBar|20|"; http_header; classtype:policy-violation; sid:2013715; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trojan Downloader User-Agent BGroom"; flow:established,to_server; content:"User-Agent|3A 20|BGroom"; http_header; classtype:trojan-activity; sid:2013717; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trojan Downloader User-Agent (Tiny)"; flow:established,to_server; content:"User-Agent|3A 20|tiny|0D 0A|"; http_header; classtype:trojan-activity; sid:2013718; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; content:"User-Agent|3A 20|GridinSoft"; http_header; classtype:trojan-activity; sid:2013719; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6060 (msg:"ET TROJAN Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; content:"&fn="; within:8; content:"&Var="; within:30; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:trojan-activity; sid:2013720; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_header; pcre:"/User-Agent\x3A[^\r\n]*WindowsNT/H"; content:!".rview.com|0d 0a|"; http_header; content:!".mobizen.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013721; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; 
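http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013723; rev:2;)
# sid 2013724: outbound HTTP request whose headers contain "User-Agent: LockXLS"
# (prefix match; the value is not anchored with a trailing CRLF).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; content:"User-Agent|3A 20|LockXLS"; http_header; classtype:trojan-activity; sid:2013724; rev:1;)
# sid 2013728: outbound to TCP/82. Raw-payload match (no HTTP buffers): ".asp?ID=" with
# "&Action=GetMyIP" ending within 40 bytes after it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN Win32/OnLineGames GetMyIP Style Checkin"; flow:established,to_server; content:".asp?ID="; content:"&Action=GetMyIP"; within:40; classtype:trojan-activity; sid:2013728; rev:1;)
# sid 2013729: outbound HTTP request whose headers contain "User-Agent: HXLogOnly" (prefix match).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013729; rev:1;)
# sid 2013730: server-to-client body (file_data) containing the CLSID and ".AddPage". The pcre
# is relative (/R) to the "<OBJECT" match and ties the CLSID to that tag's classid attribute.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (AddPage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".AddPage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013730; rev:5;)
# sid 2013731: DeletePage twin of sid 2013730. "nocase" is added on "<OBJECT" so that a
# lower- or mixed-case tag is matched, as in the AddPage rule; HTML tag names are
# case-insensitive and the pcre that follows is already /i, so the case-sensitive content was
# the only thing that let "<object ...>" pass unseen. rev is left as published; bump it under
# your local rule-management process.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (DeletePage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".DeletePage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013731; rev:4;)
# The rule header below continues on the next line of the file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> 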
$HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (SaveObject)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".SaveObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013732; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (LoadObject)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".LoadObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013733; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (GetExtendedColor)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".GetExtendedColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013734; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Vulnerability"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; 
content:"BD9E5104-2F20-4A9F-AB14-82D558FF374E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD9E5104-2F20-4A9F-AB14-82D558FF374E/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013735; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"3310FA24-A027-47B3-8C49-1091077317E9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013736; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (GenericHttp/VER_STR_COMMA)"; flow:to_server,established; content:"User-Agent|3a| GenericHttp/VER_STR_COMMA"; http_header; classtype:trojan-activity; sid:2013737; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_rokquickcart"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/96804/joomlarokquickcart-lfi.txt; classtype:web-application-attack; sid:2013738; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P CnC"; dsize:72; content:!"|AA AA AA AA AA AA AA|"; depth:63; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; 
byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Aeausuc P2P Variant Retrieving Peers List"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gameover"; http_uri; pcre:"/gameover(\d+)?\.php/U"; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|X-ID|3a|"; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013740; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin"; flow:to_server,established; content:"GET /Count.asp?UserID="; depth:22; content:"&MAC="; distance:0; content:"&Process="; distance:0; reference:url,www.threatexpert.com/report.aspx?md5=7d2eb4b364e15e90cec1ddd7dcb97f64; reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; reference:url,threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20; classtype:trojan-activity; sid:2013741; rev:4;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2013743; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; content:".no-ip.com|0d 0a|"; http_header; nocase; content:!"www.no-ip.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2013745; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Aldibot.A User-Agent 
(Aldi Bot)"; flow:to_server,established; content:"User-Agent|3a| Aldi Bot"; nocase; http_header; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013747; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; content:"/gate.php?hwid="; nocase; http_uri; content:"&pc="; nocase; http_uri; content:"&localip="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013748; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3A 20|vmware"; http_header; reference:url,www.vmware.com; classtype:policy-violation; sid:2013749; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; distance:0; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible German Governmental Backdoor/R2D2.A 1"; flow:from_client,established; content:"|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"; fast_pattern; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013751; rev:3;) alert 
tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible German Governmental Backdoor/R2D2.A 2"; flow:from_client,established; content:"C3PO-r2d2-POE"; depth:13; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013752; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1"; flow:established,to_server; content:"/ibrowser/scripts/random.php?"; nocase; http_uri; content:"dir="; nocase; pcre:"/dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013757; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Zingiri webshop plugin Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php?"; nocase; http_uri; content:"wpabspath="; nocase; http_uri; pcre:"/wpabspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/105237/wpzingiri-rfi.txt; classtype:web-application-attack; sid:2013758; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013759; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component DELETE FROM SQL 
Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013760; rev:4;)
# Mambo AHS Shop SQL-injection family (option=com_ahsshop, flokkur= parameter):
# one rule per SQL keyword pair. Every rule here requires a GET request, the
# three URI markers, and both keywords; the /Ui pcre then enforces keyword
# order, case-insensitively, against the normalized URI.
# Coverage limit visible in the rules: only GET is inspected, so the same
# parameters carried by another method are not matched by this family.
#
# NOTE(review): sid:2013761 is the only sibling still written in the legacy
# form (raw `content:"GET "; depth:4` plus `uricontent`) and is at rev:3, while
# the SELECT/DELETE/INSERT/UPDATE siblings use http_method/http_uri at rev:4.
# Confirm the deployed engine still accepts `uricontent`; if not, this one
# variant silently drops out of the family.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_ahsshop"; nocase; uricontent:"flokkur="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013761; rev:3;)
# INSERT ... INTO variant; same structure as the DELETE rule above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013762; rev:4;)
# UPDATE ... SET variant. "SET" is a short, common substring, so the pcre
# ordering check is what keeps this from firing on unrelated URIs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ahsshop"; nocase; http_uri; content:"flokkur="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui";
reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013763; rev:4;)
# Joomla com_redirect local-file-inclusion attempt: GET /index.php? with
# option=com_redirect and view= in the URI, plus the bytes 2e 2e 2f ("../").
# NOTE(review): the "../" content carries no http_uri modifier, so it is
# matched in the first 200 bytes of the raw payload, not in the normalized URI,
# and it is not tied to the view= parameter. An encoded form of the sequence
# would not match the raw bytes; decide whether that gap matters for this
# sensor. "option=com_redirect" is also matched case-sensitively (no nocase),
# unlike the other URI contents in the rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Redirect Component view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_redirect"; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013764; rev:5;)
content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d; classtype:trojan-activity; sid:2013768; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Prosti Checkin"; flow:from_client,established; content:"&first& # 0d 0h "; depth:16; reference:url,www.threatexpert.com/report.aspx?md5=5113c6dbd644874482f3a26650970600; classtype:trojan-activity; sid:2013769; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; http_header; content:".exe"; within:32; http_header; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Cerberus RAT Checkin Outbound"; flow:established,to_server; content:"Ypmw1Syv023QZD"; depth:30; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013771; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Cerberus RAT Checkin Response"; flow:established,to_client; content:"Ypmw1Syv023QZD"; depth:30; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013772; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Cerberus RAT Client pong"; flow:from_client,established; content:"wZ2pla"; depth:6; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013773; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET 
TROJAN Win32.Cerberus RAT Server ping"; flow:from_server,established; content:"wBmpf3Pb7RJe|0d0a|"; depth:14; dsize:14; reference:url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013774; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; content:"PTX|0d 0a|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\n]+PTX\r$/Hm"; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious HTTP Request for gift.exe"; flow:established,to_server; content:"/gift.exe"; http_uri; classtype:trojan-activity; sid:2013780; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=07ed70b6e7775a510d725c9f032c70d8; classtype:trojan-activity; sid:2013781; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; content:"User-Agent|3A| ZDM/4.0|3B| Windows Mobile 7.0|3B|"; http_header; classtype:not-suspicious; sid:2013784; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zentom FakeAV Checkin"; flow:established,to_server; content:".php?prodclass="; fast_pattern; http_uri; content:"&coid="; http_uri; content:"&fff="; 
http_uri; content:"&IP="; http_uri; content:"&lct="; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:trojan-activity; sid:2013785; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cnzz.cn Related Dropper Checkin"; flow:established,to_server; content:"?Hook1=1,Setup="; http_uri; classtype:trojan-activity; sid:2013790; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 1"; flow:established,to_server; content:"GET @"; depth:5; content:"@"; http_uri; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013791; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; content:"GET|20 3a|@"; depth:6; content:"|3a|@"; http_uri; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013792; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dropper.Win32.Npkon Client Checkin"; flow:established,to_server; content:"|40 1f|"; offset:1; depth:2; content:"|03|"; distance:1; within:1; content:"|20 00 00 00|"; distance:1; within:4; dsize:10; reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013793; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; 
reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent|3a| chrome/9.0"; http_header; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/Ui"; classtype:trojan-activity; sid:2013795; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; content:"/LogProc.php?"; fast_pattern:only; http_uri; content:"mac="; http_uri; content:"mode="; http_uri; content:"&pCode="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/boot.php?ptr="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; classtype:trojan-activity; sid:2013798; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Trojan.SuspectCRC FakeAV Checkin"; flow:established,to_server; content:"value.php?"; http_uri; content:"md="; http_uri; content:"&pc="; http_uri; content:"User-Agent|3a| sample"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=54c9d51661a05151e5143f4e80cbed86; classtype:trojan-activity; sid:2013799; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 
74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cycbot POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx; classtype:trojan-activity; sid:2013802; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jorik FakeAV GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/britix/a"; http_uri; content:"User-Agent|3a| Internet Explorer"; http_header; classtype:trojan-activity; sid:2013807; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dooptroop Dropper Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/nconfirm.php?"; http_uri; fast_pattern; content:"rev="; distance:0; http_uri; content:"code="; http_uri; content:"param="; http_uri; content:"num="; http_uri; content:!"Referer|3a|"; http_header; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2013808; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; 
content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013809; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013810; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013811; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013812; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom)"; 
flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013813; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013814; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHool mainnav Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/includes/layout/plain.footer.php?"; nocase; http_uri; content:"mainnav="; nocase; http_uri; pcre:"/mainnav=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/106073/sportsphool-rfi.txt; classtype:web-application-attack; sid:2013815; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_yjcontactus"; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt; classtype:web-application-attack; sid:2013816; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/wpeasystats/export.php?"; nocase; http_uri; content:"homep="; nocase; http_uri; pcre:"/homep=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/46069; reference:url,spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos; classtype:web-application-attack; sid:2013817; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/cart.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"templatefile="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt; classtype:web-application-attack; sid:2013818; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:!"User-Agent|3a|"; http_header; content:"|CE FA AD DE 03 00|"; http_client_body; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:trojan-activity; sid:2013819; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent|3a| proscan-down"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013821; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|myftp|03|biz"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013823; rev:2;) alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain"; flow:established,to_server; content:".myftp.biz|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013824; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN SecurityDefender exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"SecurityDefender"; nocase; http_header; within:24; content:".exe"; http_header; within:24; classtype:trojan-activity; sid:2013826; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; classtype:trojan-activity; sid:2013827; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.eu.tf domain"; flow: to_server,established; content:".eu.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013828; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.int.tf domain"; flow:to_server,established; content:".int.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013829; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.edu.tf domain"; flow:to_server,established; content:".edu.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013830; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.us.tf domain"; flow:to_server,established; content:".us.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013831; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request 
to a *.ca.tf domain"; flow:to_server,established; content:".ca.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013832; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.bg.tf domain"; flow:to_server,established; content:".bg.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013833; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.ru.tf domain"; flow:to_server,established; content:".ru.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013834; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.pl.tf domain"; flow:to_server,established; content:".pl.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013835; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.de.tf domain"; flow:to_server,established; content:".de.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013837; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.at.tf domain"; flow:to_server,established; content:".at.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013838; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.ch.tf domain"; flow:to_server,established; content:".ch.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013839; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.sg.tf domain"; flow:to_server,established; content:".sg.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013840; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.nl.ai domain"; flow:to_server,established; content:".nl.ai|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013841; rev:2;) 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.xe.cx domain"; flow:to_server,established; content:".xe.cx|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013842; rev:2;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query to a Suspicious *.orge.pl Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|orge|02|pl"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013843; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.orge.pl Domain"; flow:established,to_server; content:".orge.pl|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013844; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; content:".ez-dns.com|0d 0a|"; http_header; classtype:bad-unknown; sid:2013846; rev:2;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|net|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .eu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|eu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013848; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .int.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|int|02|tf"; fast_pattern; nocase; distance:0; 
classtype:bad-unknown; sid:2013849; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .edu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|edu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013850; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .us.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|us|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013851; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ca.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ca|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013852; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .bg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|bg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013853; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ru.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013854; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .pl.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pl|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013855; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .cz.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013856; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .de.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; 
depth:10; offset:2; content:"|02|de|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013857; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .at.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|at|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013858; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ch.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013859; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .sg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|sg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013860; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .nl.ai Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013861; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|xe|02|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dyndns-web|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013863; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; content:".dyndns-web.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2013864; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?tq="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\.(?:(?:jp|pn)g|cgi|gif)\?tq=/U"; classtype:trojan-activity; sid:2013865; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; http_header; content:"bomgar-scc-"; http_header; nocase; distance:0; fast_pattern; content:".exe"; http_header; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_content"; http_uri; content:"sflDir="; nocase; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,exploit-db.com/exploits/17736; classtype:web-application-attack; sid:2013870; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBSng str Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/util/show_multistr.php?"; nocase; http_uri; content:"str="; nocase; http_uri; pcre:"/str\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,50468; classtype:web-application-attack; sid:2013871; rev:2;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mole Group Vacation Estate Listing Script Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/properties_view.php?"; nocase; http_uri; content:"editid1="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/7626; classtype:web-application-attack; sid:2013872; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013873; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013874; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; 
reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013875; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013876; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_techfolio"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013877; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (SaveCfg)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".SaveCfg"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013878; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (AddTrend)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; 
distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".AddTrend"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013879; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (FULLSTUFF)"; flow: established,to_server; content:"User-Agent|3A| FULLSTUFF"; nocase; http_header; reference:url,threatexpert.com/reports.aspx?find=mrb.mail.ru; classtype:trojan-activity; sid:2013880; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (NateFinder)"; flow:to_server,established; content:"User-Agent|3a| NateFinder"; http_header; classtype:trojan-activity; sid:2013881; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; content:"User-Agent|3a| Install Stub"; http_header; content:"stats.norton.com|0d 0a|"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (webfile)"; flow:to_server,established; content:"User-Agent|3a| webfile"; http_header; reference:url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr; classtype:trojan-activity; sid:2013883; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (DARecover)"; flow:to_server,established; content:"User-Agent|3a| DARecover"; http_header; reference:url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com; classtype:trojan-activity; sid:2013884; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 1024 CMS filename Parameter Local File Inclusion Attempt"; flow:established,to_server; 
content:"GET"; http_method; content:"/modules/forcedownload/force_download.php?"; nocase; http_uri; content:"filename="; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,exploit-db.com/exploits/18000; classtype:web-application-attack; sid:2013885; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17865; classtype:web-application-attack; sid:2013886; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fullstuff Initial Checkin"; flow:established,to_server; content:"/version.txt?type="; http_uri; content:"&GUID="; http_uri; content:"&rfr="; http_uri; content:"&bgn="; http_uri; content:"User-Agent|3a| FULLSTUFF"; http_header; classtype:trojan-activity; sid:2013887; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/v"; http_uri; content:"/?v="; http_uri; content:"&c="; http_uri; pcre:"/\/v\d\.\d\.\d/U"; pcre:"/\/\?v=\d/U"; classtype:trojan-activity; sid:2013888; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (MediaLabsSiteInstaller)"; flow:established,to_server; content:"User-Agent|3A 20|MediaLabsSiteInstaller"; http_header; classtype:trojan-activity; sid:2013889; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Koobface Variant Initial Checkin"; flow:established,to_server; content:".php?datos=c|3A|"; http_uri; content:"&user="; http_uri; classtype:trojan-activity; sid:2013890; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Svlk Client 
Checkin"; flow:from_client,established; dsize:12; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; depth:12; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013891; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Svlk Server Reply"; flow:from_server,established; dsize:44; content:"|33 39 0d ff 0a c4 e5 9f d5 ec 58 4a 69|"; depth:13; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013892; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Svlk Client Ping"; flow:from_client,established; dsize:7; content:"|33 0D FF 0A C5 F8 C1|"; depth:7; reference:url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013893; rev:2;) alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET TROJAN W32/Yaq Checkin"; flow:established,to_server; content:"/Submit.php?id="; content:"&action="; within:10; content:"&mac="; within:10; content:"&lockcode="; within:30; content:"&homepc="; within:15; content:"User-Agent|3A 20|getinfo|0D 0A|"; distance:0; classtype:trojan-activity; sid:2013900; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 
20|GeneralDownloadApplication"; http_header; classtype:trojan-activity; sid:2013901; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.BlackControl Retrieving IP Information"; flow:established,to_server; content:"/v2/ip_query_country.php?key="; http_uri; content:"&timezone="; http_uri; content:"User-Agent|3A 20|1|0D 0A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2013902; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent GetFile"; flow:established,to_server; content:"User-Agent|3A 20|GetFile|0D 0A|"; http_header; classtype:trojan-activity; sid:2013903; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rimecud User Agent beat"; flow:established,to_server; content:"User-Agent|3A 20|beat|0D 0A|"; http_header; classtype:trojan-activity; sid:2013904; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent|3A 20|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; content:"/stat"; http_uri; content:".php?w="; http_uri; content:"&i=00000000000"; http_uri; fast_pattern; content:"&a="; http_uri; content:"User-Agent|3a 20|Opera/6 (Windows NT 5.1|3b 20|"; http_header; classtype:trojan-activity; sid:2013907; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Second Life setup download"; flow:established,to_server; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; 
content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:trojan-activity; sid:2013911; rev:9;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN P2P Zeus Response From CnC"; flow:established,from_server; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74|"; distance:5; within:2; content:"|C1|"; distance:4; within:2; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013912; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Request for utu.dat Likely Ponmocup checkin"; flow:to_server,established; content:"GET"; nocase; http_method; uricontent:"/update/utu.dat"; reference:url,www.threatexpert.com/report.aspx?md5=6fd8cdee653c0fde769e6c48d65e28bd; classtype:trojan-activity; sid:2013913; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; content:"User-Agent|3A| Ubuntu APT-HTTP|2F|"; http_header; content:"|0d 0a|Host|3a| "; http_header; content:"repository.backtrack-linux.org"; http_header; within:40; reference:url,www.backtrack-linux.org; classtype:policy-violation; sid:2013914; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dofoil.L Checkin"; flow:to_server,established; content:"/index.php?cmd="; http_uri; content:"&login="; http_uri; content:"&ver="; http_uri; content:"&bits="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:trojan-activity; sid:2013917; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; 
content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY external cPanel login"; flow:to_server,established; content:"/password.cgi?sptPassword="; http_uri; classtype:not-suspicious; sid:2013919; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY external cPanel password change"; flow:to_server,established; content:"pwdOld="; http_client_body; content:"pwNew="; http_client_body; content:"pwCfm="; http_client_body; classtype:not-suspicious; sid:2013920; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER DNS changer cPanel attempt"; flow:to_server,established; content:"pwCfm=Dn5Ch4ng3"; http_client_body; classtype:web-application-attack; sid:2013921; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Emp Keepalive to CnC"; flow:established,to_server; content:"|7a 05 61 17 27 f5 09 f9 05 a2 ff 71 e0 49 96 47|"; offset:16; depth:16; dsize:48; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=541210; classtype:trojan-activity; sid:2013922; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu2 Keepalive to CnC"; flow:established,to_server; content:"|1c e9 a1 06 39 95 48 0d 64 1f 39 23 21 7f dc 43|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2013923; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu3 Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2013924; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu4 Keepalive 
to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 67 eb aa 6f ab 3f|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2013925; rev:1;)
# (The line above is the end of the PoisonIvy.Eu4 keepalive rule, sid 2013925, whose header sits on the previous line.)
#
# --- Cleartext HTTP request methods on TCP/443 (sids 2013926-2013933) ---
# Each rule below fires on established client-to-server traffic from $HOME_NET
# to $EXTERNAL_NET port 443 whose payload starts with an HTTP method token
# followed by a space. `depth` equals the token length, so the match is anchored
# to the first bytes of the payload rather than found anywhere in the stream.
# A readable method at that position means the session is not wrapped in TLS.
# Triage: identify the client process and check whether the destination
# legitimately serves plain HTTP on 443 before treating this as tunnelling.
# All eight rules use classtype:bad-unknown.
#
# POST: the only rule of the family with an exclusion. The negated content
# suppresses the alert when ".etrade.com:443" followed by CRLF appears in the
# payload (presumably a Host header of a known benign client; confirm).
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (POST)"; flow:to_server,established; content:"POST "; depth:5; content:!".etrade.com|3a|443|0d 0a|"; classtype:bad-unknown; sid:2013926; rev:3;)
# HEAD
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (HEAD)"; flow:to_server,established; content:"HEAD "; depth:5; classtype:bad-unknown; sid:2013927; rev:2;)
# PROPFIND (a WebDAV method)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PROPFIND)"; flow:to_server,established; content:"PROPFIND "; depth:9; classtype:bad-unknown; sid:2013928; rev:2;)
# OPTIONS
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (OPTIONS)"; flow:to_server,established; content:"OPTIONS "; depth:8; classtype:bad-unknown; sid:2013929; rev:2;)
# PUT
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PUT)"; flow:to_server,established; content:"PUT "; depth:4; classtype:bad-unknown; sid:2013930; rev:2;)
# DELETE
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (DELETE)"; flow:to_server,established; content:"DELETE "; depth:7; classtype:bad-unknown; sid:2013931; rev:2;)
# TRACE
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (TRACE)"; flow:to_server,established; content:"TRACE "; depth:6; classtype:bad-unknown; sid:2013932; rev:2;)
# CONNECT: a proxy-style request sent directly to an external host on 443.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; content:"CONNECT "; depth:8; classtype:bad-unknown; sid:2013933; rev:2;)
# Fareit/Pony check-in: matches "CRYPTED0" (case-insensitive) in the first
# 8 bytes of the HTTP client body. The rule continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; content:"CRYPTED0"; depth:8; nocase; http_client_body; 
reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2013934; rev:5;) alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:trojan-activity; sid:2013935; rev:6;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; content:"QHN5c3Rl"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:5;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used)"; flow:to_server,established; content:"cGFzc3Ro"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; 
flow:to_server,established; content:"aGVsbF9l"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:3;)
# (The line above is the end of the Weevely shell_exec() rule, sid 2013939, whose header sits on the previous line.
#  Its literal "aGVsbF9l" is base64 for "hell_e".)
#
# --- Weevely PHP backdoor, inbound command traffic (sids 2013940-2013944) ---
# Each rule inspects established client-to-server requests from $EXTERNAL_NET
# to $HTTP_SERVERS and looks for a short base64 literal anywhere in the HTTP
# request headers (http_header). The literal is the base64 form of the start
# of the PHP snippet named in the msg; the decoded text is noted per rule.
# Triage: an alert means a request carrying the literal reached a web server,
# not that a backdoor answered it. Review the targeted URI and the server's
# response and file system before concluding compromise.
# NOTE(review): the literals are 12-20 characters, case-sensitive, and matched
# across all request headers, so long opaque header values (cookies, tokens)
# can collide by chance. Expect to tune per environment.
# NOTE(review): a fixed base64 literal corresponds to one byte alignment of the
# underlying text; check the referenced write-up for whether the other
# alignments are covered by additional rules.
#
# proc_open(): literal decodes to "$p = array(arra"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; content:"JHAgPSBhcnJheShhcnJh"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:3;)
# popen(): literal decodes to "$h = pope"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; content:"JGggPSBwb3Bl"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:3;)
# python_eval(): literal decodes to "@python_e"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; content:"QHB5dGhvbl9l"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013942; rev:4;)
# pcntl_exec(): literal decodes to "$args = a"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; content:"JGFyZ3MgPSBh"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013943; rev:4;)
# perl->system(): literal decodes to "$perl = new "
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; content:"JHBlcmwgPSBuZXcg"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:3;)
# exec() variant of the same family; the rule continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() 
function used)"; flow:to_server,established; content:"ZXhlYygn"; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/logo/go.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/logo\/go\.php\?id=\d{1,3}$/U"; reference:url,www.virustotal.com/file-scan/report.html?id=458ec5d5b3c1c02b6c64b360f82bcbf529f580c2d646b2ae161fc7dd2ea9927d-1321069787; classtype:trojan-activity; sid:2013946; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/b.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/images\/b\.php\?id=\d{1,3}$/U"; classtype:trojan-activity; sid:2013947; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013948; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.TIBIA Checkin or Data Post 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV2|0d 0a|"; http_header; classtype:trojan-activity; sid:2013949; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.A User-Agent (needit)"; 
flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TR/Rimecud.aksa User-Agent (indy)"; flow:to_server,established; content:"User-Agent|3a| indy|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=1536a7072981ce5140efe6b9c193bb7e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013952; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.A User-Agent (counters)"; flow:to_server,established; content:"User-Agent|3a| counters|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=60ce66bd10fcac3c97151612c8a4d343; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013953; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.A User-Agent (giftz)"; flow:to_server,established; content:"User-Agent|3a| giftz|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f726e84bae5a8d1f166bbf6d09d821b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013954; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET TROJAN W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; classtype:trojan-activity; sid:2013956; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET TROJAN Win32.Sality User-Agent (DEBUT.TMP)"; flow:established,to_server; content:"User-Agent|3A 20|DEBUT.TMP|0D 0A|"; http_header; classtype:trojan-activity; sid:2013959; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sality User-Agent (Internet Explorer 5.01)"; flow:established,to_server; content:"User-Agent|3A 20|Internet Explorer 5.01|0D 0A|"; http_header; classtype:trojan-activity; sid:2013963; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious UA Mozilla / 4.0"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; http_header; content:!"captive.apple.com|0d 0a|"; http_header; content:!".google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013964; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:2;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a .noip.cn domain"; flow:to_server,established; content:".noip.cn|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013969; rev:2;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noip|02|cn|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dyndns-at-home|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013971; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; content:"Accept|3a 20|?"; http_header; classtype:trojan-activity; sid:2013974; rev:2;) alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET TROJAN TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tinderbox.mozilla.org showbuilds.cgi Cross Site Scripting Attempt"; flow:established,to_server; content:"/showbuilds.cgi?"; nocase; http_uri; content:"tree=SeaMonkey"; nocase; http_uri; 
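content:"hours="; nocase; http_uri; pcre:"/hours\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstorm.codar.com.br/1111-exploits/tinderbox-xss.txt; classtype:web-application-attack; sid:2013980; rev:2;)
# (The line above is the end of the Tinderbox showbuilds.cgi XSS rule, sid 2013980, whose header sits on the previous line.)
#
# Orbis editor-body.php reflected XSS attempt (inbound to $HTTP_SERVERS).
# Requires the script path and "s=" in the normalized URI. The pcre (/U =
# normalized URI, /i = case-insensitive) then looks for "script", a DOM event
# handler name, or "style=" after "s=".
# NOTE(review): "s=" is two bytes and unanchored, so it also matches the tail
# of longer parameter names ending in "s". The path match limits the exposure.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orbis editor-body.php script Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/editors/text/editor-body.php?"; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,autosectools.com/Advisory/Orbis-1.0.2-Reflected-Cross-site-Scripting-4; classtype:web-application-attack; sid:2013981; rev:4;)
# Web File Browser "file" parameter traversal attempt (GET only).
# Path and parameter names are matched in the normalized URI. The "../" literal
# (|2e 2e 2f|) carries no http_uri modifier, so it is evaluated against the raw
# payload, limited by depth:200 to the first 200 bytes.
# NOTE(review): because that last match is on raw bytes, confirm with test
# traffic that long or encoded requests are still covered as intended.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web File Browser file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/webFileBrowser.php?"; nocase; http_uri; content:"act=download"; nocase; http_uri; content:"sortby=name"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,exploit-db.com/exploits/18070/; classtype:web-application-attack; sid:2013982; rev:2;)
# EoRezo adware reporting (outbound from $HOME_NET).
# The pcre accepts /advert/getads or /advert/getkws, an optional ".cgi", then a
# query string starting with did=, e_dp_id= or x_dp_id=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Win32/EoRezo Reporting"; flow:established,to_server; content:"/advert/get"; nocase; http_uri; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/Ui"; reference:url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26; classtype:trojan-activity; sid:2013983; rev:5;)
#
# --- Zabbix popup.php SQL injection attempts (sids 2013984-2013986 here; more follow) ---
# Every rule in the family requires a GET to /popup.php? carrying dstfrm=,
# dstfld1=, srctbl=, srcfld1= and only_hostid= in the normalized URI, plus one
# SQL keyword pair confirmed in order by the pcre. Only the keyword pair differs.
#
# SELECT ... FROM
# Local change: the "SELECT" content now carries http_uri like every other
# content match in this family. Previously it was evaluated against the raw
# payload while "FROM" and the pcre used the normalized URI, so the two halves
# of the pair were checked in different buffers. rev is left as published;
# increment it under local rule management if this change is deployed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013984; rev:2;)
# DELETE ... FROM
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013985; rev:2;)
# UNION ... SELECT
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013986; rev:2;)
# UPDATE ... SET; the rule continues on the next line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; 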
content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013987; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013988; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component img Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_img"; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95683/joomlaimg-lfi.txt; classtype:web-application-attack; sid:2013989; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013995; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Jorik DDOS Instructions From CnC Server"; flow:established,to_client; file_data; content:"|7C|ddos|7C|"; distance:2; within:6; pcre:"/\x7Cddos\x7C(syn|http)\x7C/"; classtype:trojan-activity; sid:2013998; rev:1;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:trojan-activity; sid:2013999; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; content:"User-Agent|3A 20|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; fast_pattern:23,19; http_header; classtype:trojan-activity; sid:2014001; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake Variation of Mozilla 4.0 - Likely Trojan"; flow:established,to_server; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 29|"; fast_pattern:20,17; http_header; content:!"BlueCoat"; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2014002; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=090986b0e303779bde1ddad3c65a9d78; classtype:trojan-activity; sid:2014003; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?"; http_uri; content:"User-Agent|3a| FDMuiless|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; content:"allow_get.asp?name="; fast_pattern; http_uri; content:"&hostname="; http_uri; distance:0; 
content:!"Referer|3a|"; http_header; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014006; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Sykipot Put"; flow:established,from_client; content:"/kys_allow_put.asp?type="; http_uri; content:"&hostname="; http_uri; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Sykipot Get Config Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/kys_allow_get.asp?"; http_uri; content:"name=getkys.kys"; http_uri; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; classtype:trojan-activity; sid:2014008; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getgrab Command"; flow:established,to_server; content:"cmd=getgrab"; http_uri; classtype:trojan-activity; sid:2014009; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getproxy Command"; flow:established,to_server; content:"cmd=getproxy&login="; http_uri; classtype:trojan-activity; sid:2014010; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getsock Command"; flow:established,to_server; content:"cmd=getsocks&login="; http_uri; classtype:trojan-activity; sid:2014011; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getload Command"; flow:established,to_server; content:"cmd=getload&login="; http_uri; 
reference:url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf; reference:url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2; classtype:trojan-activity; sid:2014012; rev:1;)
# Zeus check-in recognised by header layout, outbound POST.
# The raw content requires "HTTP/1.1", "Accept: */*" and "X-ID: " on consecutive lines;
# fast_pattern:23,6 selects the six bytes "X-ID: " of that content for the fast matcher.
# The pcre (/H = normalized headers, /m = multiline) requires the X-ID value to be digits only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern:23,6; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:trojan-activity; sid:2014014; rev:8;)
# JBoss jmx-console probe: any HEAD request to /jmx-console/HtmlAdaptor? from outside.
# The destination is $HOME_NET, not $HTTP_SERVERS, so every internal host on
# $HTTP_PORTS is covered. Only the HEAD method is observed by this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; content:"HEAD"; http_method; content:"/jmx-console/HtmlAdaptor?"; http_uri; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:1;)
# Same request as sid 2014017 plus "Runtime.getRuntime().exec(" in the normalized URI.
# Every request matching this rule also matches sid 2014017, so expect two alerts.
# NOTE(review): classtype is web-application-activity although the msg describes a
# bypass attempt with command execution; consider whether local priority should be higher.
# Whatever the alert volume, the console path should not be reachable from $EXTERNAL_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:to_server,established; content:"HEAD"; http_method; content:"/jmx-console/HtmlAdaptor?"; http_uri; nocase; content:"Runtime.getRuntime().exec("; http_uri; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:1;)
# WordPress login brute force: POST to /wp-login.php with log= and pwd= in the body.
# threshold type both, count 5, seconds 60, track by_src: at most one alert per source
# per 60 s, raised only once five matching POSTs are seen in that window.
# The rule counts login submissions, not failures, so successful logins count too, and
# users behind one shared NAT or proxy address are summed as a single source.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3;)
# Gootkit loader check-in, outbound.
# The msg names the User-Agent, but the content is matched anywhere in the request
# headers: "Gootkit ldr" is not anchored to the User-Agent field.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Checkin User-Agent 2"; flow:established,to_server; content:"Gootkit ldr"; http_header; classtype:trojan-activity; sid:2014021; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Gootkit Scanner User-Agent Inbound"; flow:established,to_server; 
content:"Gootkit auto-rooter scanner"; http_header; classtype:web-application-attack; sid:2014022; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Scanner User-Agent Outbound"; flow:established,to_server; content:"Gootkit auto-rooter scanner"; http_header; classtype:web-application-attack; sid:2014023; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to_server; content:"/yahoo.com"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2014029; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; content:"User-Agent|3a| REBATEINF"; http_header; fast_pattern:only; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.osa.pl domain"; flow:established,to_server; content:".osa.pl|0D 0A|"; http_header; classtype:bad-unknown; sid:2014037; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.PowerPointer checkin"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a 0d 0a|<packet>"; content:"</packet>"; distance:0; classtype:trojan-activity; sid:2014040; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Checkin version 1.3.25 or later 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=6Prm67"; depth:11; http_client_body; classtype:trojan-activity; sid:2014044; rev:5;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Inbound - Likely Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2014047; rev:1;)
# Win32/Hilgild CnC traffic, outbound to $HTTP_PORTS.
# The first 16 payload bytes must be "YMSG...." with a 00 byte after each character,
# nine consecutive f6 bytes must appear somewhere in the packet, and dsize:1024
# requires the payload to be exactly 1024 bytes. No HTTP keyword is used.
# NOTE(review): dsize is evaluated per packet, so the match depends on the message
# arriving as a single segment of that size; confirm against the sample capture.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014055; rev:1;)
# PoisonIvy keepalive, client to CnC, any destination port.
# Matches 16 fixed bytes at payload offsets 16-31 of a packet that is exactly 48 bytes.
# The bytes are a fixed sequence, so presumably they identify one specific build or
# configuration rather than the family as a whole; TODO confirm.
# NOTE(review): the md5 reference is the same one attached to the Hilgild rule
# (sid 2014055) and to sid 2014057; verify that it belongs on all three.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014056; rev:2;)
# PoisonIvy keepalive, CnC to client: the whole 48-byte payload is matched literally
# (depth:48 together with dsize:48), on any port pair, in the from_server direction.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014057; rev:2;)
# lava.cn game installer download: GET with "/LavaGame_" and ".exe" in the normalized URI.
# The two URI contents are not ordered relative to each other.
# The msg files this under ET POLICY while the classtype is trojan-activity, so
# dashboards keyed on either field will rank it differently.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LavaGame_"; http_uri; nocase; content:".exe"; nocase; http_uri; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; reference:md5,c2b4f8abc742bf048f3856525c1b2800; reference:md5,4937dc6e111996dbe331327e7e9a4a12; reference:url,www.amada.abuse.ch/?search=download.lava.cn; classtype:trojan-activity; sid:2014059; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tool.InstallToolbar.24 Reporting"; flow:established,to_server; 
content:"GET"; nocase; http_method; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:trojan-activity; sid:2014060; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014061; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014062; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; 
nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014063; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014064; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"option=com_dshop"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"task="; nocase; http_uri; content:"idofitem="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:bugtraq,51116; classtype:web-application-attack; sid:2014065; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability "; flow:established,to_server; content:"/details_view.php?"; nocase; http_uri; content:"event_id="; nocase; http_uri; content:"date="; 
nocase; http_uri; content:"view="; nocase; http_uri; content:"loc="; nocase; http_uri; content:"page_info_message="; nocase; http_uri; pcre:"/page_info_message\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; http_uri; content:"cmd="; nocase; http_uri; pcre:"/cmd=\w/Ui"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:trojan-activity; sid:2014069; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Downloader.Bancos Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Lead3r_Ship.exe"; nocase; http_uri; reference:url,symantec.com/security_response/writeup.jsp?docid=2006-061110-0512-99; classtype:trojan-activity; sid:2014070; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Gen5 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cmd/report.php?"; nocase; http_uri; content:"PartnerId="; nocase; http_uri; content:"OfferId="; nocase; http_uri; content:"action="; nocase; http_uri; content:"program="; nocase; http_uri; 
reference:url,threatexpert.com/report.aspx?md5=90410d783f6321c8684ccb9ff0613a51; classtype:trojan-activity; sid:2014071; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pet Listing Script type_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/preview.php?"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"action=search"; nocase; http_uri; content:"type_id="; nocase; http_uri; content:"bedrooms_from="; nocase; http_uri; pcre:"/bedrooms_from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstorm.foofus.com/1112-exploits/petlisting-xss.txt; classtype:web-application-attack; sid:2014072; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress The-Welcomizer plugin page parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/the-welcomizer/twiz-index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,dl.packetstormsecurity.net/1112-exploits/wpthewelcomizer-xss.txt; classtype:web-application-attack; sid:2014073; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014074; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014075; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014076; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014077; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/jbshop/jbshop.php?"; nocase; http_uri; content:"item_details="; nocase; http_uri; content:"item_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; 
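http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014078; rev:2;)
# Mambo Zorder SQL injection, UPDATE ... SET variant (inbound to $HTTP_SERVERS).
# Requires a GET to /administrator/index2.php? whose normalized URI holds limit=,
# limitstart= and zorder= plus the keywords UPDATE and SET; the pcre enforces their order.
# The keywords are not tied to the zorder value: they may appear anywhere in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:2;)
# Mambo Zorder SQL injection, INSERT ... INTO variant.
# "limit=" is matched in the normalized URI (http_uri), the same buffer used for every
# other parameter in this rule and in the sibling Zorder rules (sids 2014080, 2014087,
# 2014088), so all parameter checks see the same decoded view of the request.
# rev is left as found; bump it, or move the rule to a local sid, under your own
# ruleset change process before deploying a modified copy.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:3;)
# SourceBans ajaxargs local file inclusion attempt.
# The three parameter checks use the normalized URI; the traversal bytes |2e 2e 2f|
# ("../") do not. They are matched in the raw payload within the first 200 bytes,
# so this rule covers only the literal form of the sequence.
# NOTE(review): nocase on a pattern with no letters has no effect.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"xajax=SelTheme"; nocase; http_uri; content:"ajaxargs[]="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.A.FakeAV Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; 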
content:"/404.php?"; nocase; http_uri; content:"type=stats"; nocase; http_uri; content:"affid="; nocase; http_uri; content:"subid="; nocase; http_uri; reference:url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc; reference:md5,ac0ba9e186aee9cf9889d71158485715; classtype:trojan-activity; sid:2014083; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN Win32-WebSec Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cb_soft.php?"; nocase; http_uri; content:"q="; nocase; http_uri; content:"tj="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=971e560b80e335ab88ef518b416d415a; classtype:trojan-activity; sid:2014085; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Planex Mini-300PU & Mini100s Cross-site Scripting Attempt"; flow:established,to_server; content:"/RESTART.HTM?"; nocase; http_uri; content:"NDSContext="; nocase; http_uri; pcre:"/NDSContext\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,exploit-db.com/exploits/17114; classtype:web-application-attack; sid:2014086; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; 
content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014087; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014088; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious user agent (V32)"; flow:to_server,established; content:"User-Agent|3a| V"; http_header; pcre:"/^User-Agent\x3a V\d{2}\r$/Hm"; classtype:trojan-activity; sid:2014090; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dyndns Client IP Check"; flow:established,to_server; content:"User-Agent|3a| DynDNS-Client"; http_header; content:" checkip.dyndns."; http_header; classtype:not-suspicious; sid:2014091; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Dyndns Client User-Agent"; flow:established,to_server; content:"User-Agent|3a| DynDNS-Client"; http_header; classtype:not-suspicious; sid:2014092; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Nurech Checkin UA"; flow:from_client,established; content:"User-Agent|3a| ipwf|0d 0a|"; http_header; classtype:trojan-activity; sid:2014093; rev:2;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:4;)
# Kindle Fire (Silk browser) User-Agent seen outbound; a policy/inventory signal only.
# "; Silk/" anywhere in the headers feeds the fast matcher (fast_pattern:only); the pcre
# then requires it on the User-Agent line followed by a dotted version number.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; content:"|3b| Silk/"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a [^\n]+ Silk\/\d+\.\d/Hi"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:2;)
# Helper rule: sets the flowbit et.exploitkitlanding and never alerts (flowbits:noalert).
# Looks in server-to-client payload for document.write("\u with at least 100 bytes after
# it and no ")" in the next 100, then further "\u" escapes at four-character spacing.
# No file_data or HTTP buffer keyword is used, so the match runs on the raw payload.
# Because it is silent, a broken or disabled copy of this rule is only noticed through
# missing alerts from rules that test the flowbit, such as sid 2014099.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6;)
# Office-format file delivered on a flow already marked et.exploitkitlanding.
# The flowbit is set on this page by sid 2014096 and by the Blackhole .jar rule (sid 2014094).
# Flowbits are kept per flow, so the document has to arrive on the same connection in
# which the flowbit was set; a delivery over a new connection is not seen by this rule.
# |d0 cf 11 e0 a1 b1 1a e1| is the compound-file magic and, with distance:0, may match
# anywhere after the file_data cursor. The three negated strings suppress the alert
# when present, presumably to exclude MSI installers and executables; TODO confirm.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; distance:0; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:trojan-activity; sid:2014099; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:to_server,established; content:"/CreatingUserAccounts.aspx"; http_uri; content:"CreateUserStepContainer"; 
content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Blackshades Payload Download Command"; flow:established,to_client; content:"x74|0C|64|0C|"; depth:7; content:"x49|0C|"; distance:64; classtype:trojan-activity; sid:2014101; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool"; flow:to_server,established; content:"Referer|3a 20|"; http_header; content:"/slowhttptest/"; http_header; fast_pattern:only; pcre:"/Referer\x3a\x20[^\r\n]*\/slowhttptest\//Hi"; threshold: type both, track by_src, count 15, seconds 30; reference:url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read; classtype:web-application-activity; sid:2014103; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; fast_pattern:only; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2014105; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 
20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:trojan-activity; sid:2014107; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2014108; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Win32.UFRStealer.A issuing MKD command FTP"; flow:to_server,established; content:"MKD UFR_Stealer|0d 0a|"; nocase; depth:17; reference:url,www.threatexpert.com/report.aspx?md5=a251ef38f048d695eae52626e57d617d; classtype:trojan-activity; sid:2014111; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dooptroop CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?num="; http_uri; fast_pattern; content:"&rev="; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.php\?num=\d+&rev=/U"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014112; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32-Dynamer.dtc Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/total_visitas.php"; http_uri; content:".php HTTP/1.1|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; 
content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:3;)
# sid 2014115: outbound GET whose URI ends in .php?s=<one digit>&m=<16 hex chars> and whose
# headers contain "User-Agent: build". The pcre carries /i, so lower-case hex also matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:2;)
# sid 2014116: User-Agent-only variant ("build" followed by a digit). It is a superset of the
# UA condition in 2014114/2014115, so expect it to fire alongside them on the same request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; content:"User-Agent|3a| build"; http_header; pcre:"/User-Agent\x3a build\d/H"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:2;)
# sid 2014117: GET to /ins_proc.asp?kind= with ist_yn and ptn_name parameters in the URI.
# NOTE(review): the msg calls this a PUP but the classtype is trojan-activity; adjust triage priority accordingly.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ins_proc.asp?kind="; http_uri; fast_pattern; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; classtype:trojan-activity; sid:2014117; rev:3;)
# sid 2014118: direction is HOME_NET:$HTTP_PORTS -> external, i.e. a protected web server is the one
# returning the panel's login <title>. A hit points at an internal host serving the panel, not a client infection.
# The title is matched in the raw payload (no file_data), so compressed responses may not match - verify on your sensor.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET TROJAN Cythosia V2 DDoS WebPanel Hosted Locally"; flow:established,from_server; content:"|3C|title|3E|Cythosia|20|V2|20|Bot|20|Webpanel|20 2D 20|Login|3C 2F|title|3E|"; nocase; reference:url,blog.webroot.com/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/; classtype:successful-admin; sid:2014118; rev:2;)
# sid 2014119: URI carries email=, lici= and ver= parameters, the payload contains "HTTP/1.0"
# (unanchored raw match) and no User-Agent header is present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lici Initial Checkin"; flow:established,to_server; content:".php?email="; http_uri; content:"&lici="; http_uri; content:"&ver="; http_uri; content:"HTTP/1.0"; content:!"User-Agent|3A|"; http_header; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:trojan-activity; sid:2014119; rev:3;)
# sid 2014120: header pair "x-company: " plus a User-Agent beginning "EoAgence-".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"User-Agent|3A 20|EoAgence-"; http_header; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:trojan-activity; sid:2014120; rev:3;)
# sid 2014121: ".htm" anywhere in the URI (so ".html" matches too), a fixed MSIE 6.0/Win32 UA string and a
# case-sensitive upper-case "HOST: " header. The upper-case header name looks like the main discriminator;
# presumably it only works if the sensor does not normalise header-name case - confirm before relying on it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nuclear Checkin"; flow:established,to_server; content:".htm"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)"; http_header; content:"HOST|3A 20|"; http_header; reference:md5,bd4af162f583899eeb6ce574863b4db6; classtype:trojan-activity; sid:2014121; rev:1;)
# sid 2014122: five query parameters plus "opencandy.com" anywhere in the headers (not anchored to Host).
# No reference is attached to this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenCandy Adware Checkin"; flow:established,to_server; content:"clientv="; http_uri; content:"&cltzone="; http_uri; content:"&mstime="; http_uri; content:"&os="; http_uri; content:"&product_key="; http_uri; content:"opencandy.com"; fast_pattern; http_header; classtype:trojan-activity; sid:2014122; rev:2;)
# sid 2014123 / 2014124: policy rules for requests to hosts ending ".smartiengine.com" (header value followed by CRLF);
# the first matches /service/updater.php with any method, the second requires POST to /service/bootstrap.php.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Softango.com Installer Checking For Update"; flow:established,to_server; content:"/service/updater.php"; http_uri; content:".smartiengine.com|0D 0A|"; http_header; classtype:policy-violation; sid:2014123; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Softango.com Installer POSTing Data"; flow:established,to_server; content:"POST"; http_method; content:"/service/bootstrap.php"; http_uri; content:".smartiengine.com|0D 0A|"; http_header; classtype:policy-violation; sid:2014124; rev:2;)
# sid 2014125: single URI substring "/cph2.php?c=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:3;)
# sid 2014126: matches any URI containing "/field.swf" with no further condition. Treat a lone hit as
# low confidence and correlate with other exploit-kit alerts on the same flow or host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole Likely Flash Exploit Request /field.swf"; flow:established,to_server; content:"/field.swf"; http_uri; classtype:trojan-activity; sid:2014126; rev:1;)
# sid 2014127-2014130: visibility rules for Splashtop remote control (classtype not-suspicious).
# Each keys on an exact packet size (dsize) plus fixed bytes on port 6783 or 6784.
# None carries a threshold, so the keepalive rules (2014129/2014130) alert on every matching packet of an active session.
alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern:only; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:1;)
alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern:only; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:1;)
alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern:only; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:1;)
alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2;)
# sid 2014132: server response containing "ActiveXObject", then the ProgID HPESPRIT.XMLCacheMgr.1, then the
# method name CacheDocumentXMLWithId, in that order. Only the ProgID form is covered (no CLSID pattern),
# and the match is on the raw payload rather than file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2;)
# sid 2014133: POST to /update.aspx with "Accept-Language: zh-cn" and a body that starts with "a=" and later contains "&v=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Jiwerks.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.aspx"; http_uri; content:"Accept-Language|3A 20|zh-cn"; http_header; content:"a="; fast_pattern; http_client_body; depth:2; content:"&v="; http_client_body; distance:0; reference:md5,0e47c711d9edee337575b6dbef850514; classtype:trojan-activity; sid:2014133; rev:4;)
# sid 2014135: URI starts with /images.rar, UA is "Internet Explorer", no Referer header, and the raw Host
# header is a dotted-quad IPv4 literal (pcre /D). A request using a hostname will not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:trojan-activity; sid:2014135; rev:3;)
# sid 2014136: response body with deployJava.versionCheck( followed by an <applet tag whose attributes
# include "visibility" and "hidden" (pcre), with "hidden" within 200 bytes of "<applet".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; distance:0; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:trojan-activity; sid:2014136; rev:4;)
# sid 2014137: User-Agent-only match; fast_pattern:12,16 selects the 16 bytes "ISX Download DLL" that follow
# the 12-byte "User-Agent: " prefix. The msg describes a shared library rather than one family, so a hit identifies
# the downloader component, not a specific threat.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Common Adware Library ISX User Agent Detected"; flow:established,to_server; content:"User-Agent|3A 20|ISX Download DLL"; fast_pattern:12,16; http_header; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:trojan-activity; sid:2014137; rev:2;)
# sid 2014139: standard DNS query header followed by the labels "nicaze" "net". The msg names
# msnsolution.nicaze.net, but the content has no "msnsolution" label, no length byte before "nicaze" and no
# terminating |00|, so any query name containing ...nicaze.net matches. UDP/53 only.
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query to Known CnC Domain msnsolution.nicaze.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"nicaze|03|net"; fast_pattern; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:4;)
# sid 2014140 (rule text continues on the following line): inbound GET whose URI has ?id=<13 digits>&msg=<text>
# at its end; threshold "both" gives one alert per source per 60 s once 5 requests are seen.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER LOIC Javascript DDoS 
Inbound"; flow:established,to_server; content:"GET"; http_method; content:"?id="; http_uri; content:"&msg="; http_uri; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:4;)
# sid 2014141: outbound counterpart of 2014140; the URI must start with /?id=<13 digits>&msg=.
# A hit means an internal client is generating the request pattern. Threshold: one alert per source per 60 s after 5 matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:4;)
# sid 2014142: PDF (body starts with %PDF) containing one exact Author/Creator metadata string.
# The signature is tied to that literal metadata; a document with different metadata is not covered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; within:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:3;)
# sid 2014145: 48-byte client packet with a fixed 16-byte value at offset 16, any destination port.
# NOTE(review): presumably the fixed bytes derive from the referenced sample's configuration - confirm coverage of other builds.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:trojan-activity; sid:2014145; rev:1;)
# sid 2014146: three ordered strings in cleartext SMTP to port 25. Other mail ports and encrypted
# sessions are outside this rule's scope.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Win32/Spy.Banker Reporting Via SMTP"; flow:established,to_server; content:"|3A 3A 3A 3A 3A 28 20|Cliente"; content:"Sistem S/"; distance:0; content:"Versao S/"; distance:0; classtype:trojan-activity; sid:2014146; rev:1;)
# sid 2014147: URI ends in .php?s=<25 hex chars>. Also sets flowbit et.exploitkitlanding (as do 2014157 and
# 2014158 below); the rules that test this flowbit are not in this part of the file, so disabling this rule
# may silently remove a precondition elsewhere.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Landing Page Request"; flow:established,to_server; content:".php?s="; http_uri; pcre:"/\.php\?s=[0-9a-fA-F]{25}$/U"; flowbits:set,et.exploitkitlanding; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:bad-unknown; sid:2014147; rev:1;)
# sid 2014148: URI ends in /load.php?spl=<word characters, '-' or '_'>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Binary Load Request"; flow:established,to_server; content:"/load.php?spl="; http_uri; pcre:"/\/load\.php\?spl=[-_\w]+$/U"; classtype:attempted-user; sid:2014148; rev:1;)
# sid 2014150: GET for any URI containing "/adobe-flash.exe"; filename-only heuristic, no reference attached.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:2;)
# sid 2014151: substring match on "/t.php?id=is1"; longer values that begin with "is1" match as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Known Malicious Link Leading to Exploit Kits (t.php?id=is1)"; flow:established,to_server; content:"/t.php?id=is1"; http_uri; classtype:bad-unknown; sid:2014151; rev:1;)
# sid 2014152: request body starts with "user_id=" and contains version_id, socks and build parameters.
# No method or URI condition is present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Checkin to CnC"; flow:to_server,established; content:"user_id="; depth:8; http_client_body; content:"&version_id="; http_client_body; content:"&socks="; fast_pattern; http_client_body; content:"&build="; http_client_body; classtype:trojan-activity; sid:2014152; rev:2;)
# sid 2014153: "User-Agent:" followed by two spaces, checked in the raw header buffer and repeated as a
# fast_pattern:only content. Alerts once per source per 60 s after 225 matches; sources behind a shared
# address are counted together because tracking is by_src.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; fast_pattern:only; threshold: type both, track by_src, count 225, seconds 60; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:4;)
# sid 2014154: any PDF body containing "subform" followed later by "script" (both case-insensitive).
# This is a structural heuristic, so PDFs with scripted forms in general can match.
# NOTE(review): the cve reference is 2017-2962 while the surrounding rules reference 2010-2012 material - confirm it is intended.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:4;)
# sid 2014155: response body with "Encrypt ", then "JSXX", then "VIP" within 100 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:4;)
# sid 2014156: keyed to literal identifiers ("bang()", "cloned") and one unescape() string in the page.
# Pages using different identifiers are not covered; patch status for CVE-2012-0003 decides impact.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; file_data; content:"bang()"; distance:0; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:4;)
# sid 2014157 / 2014158: single URI substrings; both set flowbit et.exploitkitlanding.
# NOTE(review): 2014157 matches "/adfp2.php" while 2014158 matches "/addfp1.php" (double d) - confirm the spelling is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:2;)
# sid 2014161: /send.php with a_id, telno and m_addr parameters and "Android" somewhere in the headers.
# The parameter names suggest device identifiers and a phone number leave the host - treat hits as data exposure.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_header; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:2;)
# sid 2014162: single URI substring /android_notifier/notifier.php?h=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:1;)
# sid 2014163: GET with a UA beginning "chrome/9.0" (lower-case c, case-sensitive) and a URI where
# .php/.png/.jpg/.jpeg/.cgi/.gif is followed by ?v<1-2 digits>= or ?pr=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| chrome/9.0"; http_header; pcre:"/\x2E(?:p(?:hp|ng)|jpe?g|cgi|gif)\x3F(?:v\d{1,2}|pr)\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:5;)
# sid 2014164: /gate.php with username, country and OS parameters in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; content:"/gate.php?username="; http_uri; content:"&country="; http_uri; content:"&OS="; http_uri; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:trojan-activity; sid:2014164; rev:1;)
# sid 2014165: User-Agent prefix "MyAgrent" (spelling as in the rule), case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent MyAgrent"; flow:established,to_server; content:"User-Agent|3A 20|MyAgrent"; http_header; reference:md5,75c2f3168eca26e10bd5b2f3f0e2a8c5; classtype:trojan-activity; sid:2014165; rev:1;)
# sid 2014166: server response laid out as an INI-style file: [UPDATE] VER/URL then [PATTERN] VER/URL, in that order.
# A hit is a server-to-client response, so the client has already contacted the controller.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; file_data; content:"[UPDATE]|0D 0A|VER ="; within:15; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:trojan-activity; sid:2014166; rev:1;)
# sid 2014167 (rule text continues on the following line): same family, response with [DBINFO], [TotalCount]
# and "[GaruYac" sections in order.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing File Info Details"; 
flow:established,to_client; file_data; content:"[DBINFO]|0D 0A|Info ="; within:16; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:trojan-activity; sid:2014167; rev:1;)
# sid 2014168: response body with "<applet code=" inside its first 35 bytes, followed in order by ".class",
# ".jar" and ".pdf". Purely structural; no reference attached.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; within:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:attempted-user; sid:2014169; rev:1;)
content:"&appName="; distance:0; http_client_body; content:"&KillList="; distance:0; http_client_body; classtype:trojan-activity; sid:2014191; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/MediaGet Checkin"; flow:established,to_server; content:"<mediagetInstaller statVersion="; http_client_body; content:"mediagetIsAlreadyInstalled="; http_client_body; distance:0; classtype:trojan-activity; sid:2014192; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/VPEYE Trojan Downloader User-Agent (VP-EYE Downloader)"; flow:established,to_server; content:"User-Agent|3A 20|VP-EYE Downloader"; http_header; classtype:trojan-activity; sid:2014193; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established,to_client; content:"function booom"; nocase; fast_pattern:only; pcre:"/function\x20booom[1-3]{1}\x28\x29/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014197; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0D 0A|Cookie|3a| cid="; pcre:"/^\d{4}\r$/Rm"; content:!"mowersdirect.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014198; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Exploiting IEPeers"; flow:established,to_client; content:"booom["; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; reference:url,www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/; reference:cve,2010-0806; classtype:trojan-activity; sid:2014199; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato/Cleaman Checkin"; 
flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern; content:"GET"; http_method; pcre:"/\?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20/"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,45b3b6fcb666c93e305dba35832e1d42; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G; classtype:trojan-activity; sid:2014200; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outbound HTTP Connection From Cisco IOS Device"; flow:established,to_server; content:"User-Agent|3A 20|cisco-IOS"; http_header; nocase; classtype:misc-activity; sid:2014201; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY File Being Uploaded to SendSpace File Hosting Site"; flow:established,to_server; content:"POST"; http_method; content:"processupload.html"; http_uri; content:".sendspace.com|0d 0a|"; fast_pattern; http_header; classtype:misc-activity; sid:2014202; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Landing Page Request"; flow:established,to_server; content:"/CUTE-IE.html"; nocase; http_uri; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014203; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CutePack Exploit Kit JavaScript Variable Detected"; flow:established,to_client; content:"var Cute"; nocase; fast_pattern:only; pcre:"/var\x20Cute(Money|Power|Shine)/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014204; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected"; flow:established,to_client; content:"/CUTE-IE.html"; nocase; fast_pattern:only; pcre:"/iframe[^\r\n]*\x2FCUTE-IE\x2Ehtml/smi"; 
reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014205; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CutePack Exploit Kit Landing Page Detected"; flow:established,to_client; content:"button id=|22|evilcute|22|"; nocase; fast_pattern:only; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014206; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; content:"/baby.mid"; http_uri; fast_pattern:only; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TLD4 Purple Haze Variant Initial CnC Request for Ad Servers"; flow:established,to_server; content:"trf?q="; http_uri; content:"&edv="; http_uri; content:"&o="; http_uri; content:"&kp="; http_uri; content:"&tk="; http_uri; content:"&fk="; http_uri; content:"&ks="; http_uri; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:trojan-activity; sid:2014208; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Sykipot SSL Certificate serial number detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014209; rev:3;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Sykipot SSL Certificate subject emailAddress detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; 
sid:2014210; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSUpdater alt checkin to CnC"; flow:established,to_server; content:"/microsoft/errorpost/default/connect.aspx?ID="; http_uri; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014211; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSUpdater POST checkin to CnC"; flow:established,to_server; content:"/microsoft/errorpost/default.aspx?ID="; http_uri; content:"POST"; nocase; http_method; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014212; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSUpdater Connectivity Check to Google"; flow:established,to_server; content:"/search?qu="; http_uri; content:"User-Agent|3a 20|Firefox/2.0.0.2"; http_header; content:"news"; http_client_body; depth:4; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014213; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Delf/Troxen/Zema controller responding to client"; flow:established,to_client; file_data; content:"wait.<os>"; within:9; classtype:trojan-activity; sid:2014216; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET TROJAN Delf/Troxen/Zema controller delivering clickfraud instructions"; flow:established,to_client; file_data; content:"<md5>"; within:5; content:"</md5><url>"; distance:16; within:11; classtype:trojan-activity; sid:2014217; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC sk1 and bn1 post parameters"; flow:established,to_server; content:"POST"; nocase; http_method; content:"bn1="; depth:4; http_client_body; fast_pattern; content:"&sk1="; http_client_body; pcre:"/&sk1=[A-F0-9]{30}/P"; classtype:trojan-activity; sid:2014218; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:trojan-activity; sid:2014219; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN QDIGIT Trojan Protocol detected"; flow:to_server,established; content:"|51 31 39 21 00|"; depth:5; dsize:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014222; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; 
sid:2014223; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014224; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN LURK Trojan Communication Protocol detected"; flow:established,to_server; content:"LURK|30|"; depth:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014225; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN IP2B Trojan Communication Protocol detected"; flow:established,to_server; content:"|78 56 34 12 00 10 00 10|"; depth:8; content:"|00 18 09 07 20|"; distance:4; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014226; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BB Trojan Communication Protocol detected"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; depth:4; content:"|01 04 01 00 00|"; distance:8; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014227; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32.Idicaf/Atraps"; flow:to_server,established; dsize:780; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 9C 00 00 00|"; distance:31; within:5; fast_pattern; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; 
content:"|00 00|"; distance:2; within:2; content:"|00|"; distance:172; within:1; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014228; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014229; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-"; fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; file_data; content:!"MZ"; within:2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/update?id="; distance:0; content:"X-Status|3A|"; offset:16; content:"X-Size|3A|"; offset:16; content:"X-Sn|3A|"; fast_pattern; offset:16; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; offset:16; classtype:trojan-activity; sid:2014231; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?id="; 
http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2014232; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; content:"User-Agent|3a| asafaweb.com|0d 0a|"; http_header; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|Host|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0"; http_header; content:"|3b| Windows 98)"; within:13; fast_pattern; http_header; flowbits:set,ET.Fareit.chk; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014234; rev:9;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; 
pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc.exe"; http_header; distance:0; content:"|0d 0a|"; http_header; within:3; classtype:bad-unknown; sid:2014237; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014238; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32.Duptwux/Ganelp FTP Username - onthelinux"; flow:established,to_server; content:"USER onthelinux"; depth:15; classtype:trojan-activity; sid:2014239; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:bad-unknown; sid:2014243; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:trojan-activity; sid:2014247; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 5"; flow:established,to_server; content:"?subid="; http_uri; content:"&u="; distance:0; http_uri; pcre:"/\?subid=\d{9}&u=[\w\.\-]{23}$/Ui"; classtype:trojan-activity; sid:2014248; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET MALWARE W32/GameplayLabs.Adware Installer Checkin"; flow:established,to_server; content:"/install.xml?pid="; http_uri; content:"gameplaylabs.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014249; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jreactions mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jreactions"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/95431/Joomla-Jreactions-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014250; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grady Levkov id Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/view-search.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/109814/Grady-Levkov-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014251; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Membership Site Manager Script key Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/scripts/membershipsite/manager/index.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"key="; nocase; http_uri; pcre:"/key\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:url,packetstormsecurity.org/files/108687/PHP-Membership-Site-Manager-Script-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014252; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014253; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014254; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014255; rev:2;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014256; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/file.php?"; nocase; http_uri; content:"eintrag="; nocase; http_uri; content:"filecat="; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014257; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_visa controller Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_visa"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109214/Joomla-Visa-SQL-Injection-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014258; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_eventcal mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; 
content:"option=com_eventcal"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/94983/Joomla-Eventcal-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014259; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt"; flow:established,to_server; content:"/services/javascript.php"; http_uri; content:"href"; http_cookie; content:"file=open_calendar.js"; http_client_body; reference:cve,2012-0209; classtype:web-application-attack; sid:2014260; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PlaySushi User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|psi "; http_header; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:trojan-activity; sid:2014261; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent|3a| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Pasta.IK Checkin"; flow:established,to_server; content:"/data/index.asp?act="; http_uri; content:"&ver=Ver"; http_uri; content:"&a="; http_uri; reference:md5,1a13d56365e864aba54967d4745ab660; classtype:trojan-activity; sid:2014263; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IP Geo Location Request"; flow:to_server,established; content:"/geo/txt/city.php"; http_uri; flowbits:set,ETPRO.IP.geo.loc; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014264; rev:5;) alert tcp $EXTERNAL_NET $HTTP_PORTS 
-> $HOME_NET any (msg:"ET POLICY IP geo location service response"; flow:established,from_server; flowbits:isset,ETPRO.IP.geo.loc; content:"city_name="; http_cookie; content:"state="; http_cookie; content:"country_"; http_cookie; content:"latitude="; http_cookie; content:"longitude="; http_cookie; file_data; content:"document.write(|22|"; within:16; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014265; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014266; rev:3;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query for Known Hostile *test.3322.org.cn Domain"; content:"|01 00 00 01 00 00 00 00 00|"; depth:9; offset:2; content:"test|04|3322|03|org|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814; reference:md5,e4afcee06ddaf093982f80dafbf9c447; classtype:trojan-activity; sid:2014267; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.RShot Checkin"; flow:established,to_server; content:"connected#"; depth:10; content:"#Windows "; content:"##"; distance:0; dsize:<120; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014268; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|3B| name=|22|bot_id|22 0D 0A 0D 0A|"; fast_pattern; content:" name=|22|os_version|22 0D 0A 0D 0A|"; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014269; rev:2;) alert icmp $HOME_NET any -> any any (msg:"ET TROJAN Backdoor.Win32.RShot Ping Outbound"; icode:0; 
itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:trojan-activity; sid:2014271; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:trojan-activity; sid:2014272; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; classtype:attempted-admin; sid:2014274; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rovnix Activity"; flow:established,to_server; content:".php?version="; http_uri; fast_pattern:only; content:"&user="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{31,32}&/Ui"; content:!"Referer|3a 20|"; http_header; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:6;) alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query for try2check.me Carder Tool"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
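content:"|09|try2check|02|me|00|"; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:3;)
# sid 2014279: outbound HTTP request whose URI contains "/data/ap2.php".
# Sets the flowbit et.exploitkitlanding on a match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:4;)
# sid 2014280: outbound HTTP request whose URI contains "/ap1.php?f=".
# Sets the flowbit et.exploitkitlanding on a match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014280; rev:2;)
# sid 2014282: outbound HTTP request whose URI contains ".php?pagpag=".
# Sets the flowbit et.exploitkitlanding on a match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014282; rev:2;)
# sid 2014283: outbound HTTP request whose URI contains ".php?id=" followed by
# "&stat=", with a 20-character uppercase-hex id value and the fixed
# "MSIE 6.0b ... .NET CLR 1.0.2914" User-Agent string in the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trustezeb Checkin to CnC"; flow:established,to_server; content:".php?id="; http_uri; content:"&stat="; fast_pattern; distance:0; http_uri; pcre:"/id=[A-F0-9]{20}/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; http_header; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=417; classtype:trojan-activity; sid:2014284-placeholder-removed; rev:2;)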
distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014286; rev:2;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014287; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java Archive sent when remote host claims to send an image"; flow:established,from_server; content:"Content-Type|3a| image"; nocase; http_header; content:"|0d 0a 0d 0a|PK"; fast_pattern; content:"META-INF/MANIFEST"; distance:0; classtype:trojan-activity; sid:2014288; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a 3322.org.cn Domain"; flow:to_server,established; content:"Host|3a| "; http_header; content:".3322.org.cn|0D 0A|"; within:50; http_header; classtype:bad-unknown; sid:2014289; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; content:".com.exe"; http_uri; fast_pattern; content:"User-Agent|3a| GetRight/"; http_header; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:trojan-activity; sid:2014290; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup"; flow:established,to_server; content:"/getip.php?action=getip&ip_url="; http_uri; classtype:policy-violation; sid:2014292; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
TROJAN Smart Fortress FakeAV/Kryptik.ABNC Checkin"; flow:established,to_server; content:"/?&affid="; http_uri; fast_pattern; content:"Accept|3a| *//*|0d 0a|"; http_header; reference:md5,fa20c17e5f58e7419b4f0eed318fa95a; reference:url,support.kaspersky.com/viruses/rogue/description?qid=208286259; classtype:trojan-activity; sid:2014293; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; classtype:bad-unknown; sid:2014295; rev:4;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER eval/base64_decode Exploit Attempt Inbound"; flow:established,to_server; content:"eval|28|base64_decode|28|"; http_uri; classtype:web-application-attack; sid:2014296; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_"; http_header; content:!"141"; within:3; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; reference:url,java.com/en/download/manual_java7.jsp; classtype:bad-unknown; sid:2014297; rev:46;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014298; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:trojan-activity; sid:2014300; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious HTTP Referer C Drive Path"; flow:established,to_server; content:"Referer|3A 20|res|3A 2F 2F|c|3A 5C|"; nocase; http_header; reference:md5,8ef81f2555725f7eeae00b3e31229e0e; classtype:trojan-activity; sid:2014302; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Koobface Variant Checkin Attempt"; flow:established,to_server; content:"/ping.php"; http_uri; content:" WinHttp.WinHttpRequest.5|29 0d 0a|"; http_header; reference:md5,62aa9e798746e586fb1f03459a970104; classtype:trojan-activity; sid:2014303; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; content:"Host|3A 20|api.wipmania.com|0d 0a|"; http_header; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:policy-violation; sid:2014304; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TCYWin.Downloader User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|TCYWinHTTPDownload"; http_header; reference:md5,4cfe5674d9f33804572ae0d14f0c941b; classtype:trojan-activity; sid:2014305; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Backdoor.BlackMonay Checkin"; flow:established,to_server; content:".Php?UserName="; nocase; http_uri; content:"&Bank="; nocase; http_uri; content:"&Money="; nocase; http_uri; content:"Accept-Language|3A 20|zh-cn"; http_header; reference:md5,4a203e37caa2e04671388341419bda69; classtype:trojan-activity; sid:2014306; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET TROJAN W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:trojan-activity; sid:2014307; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script"; flow:established,to_client; content:"document.cookie=|22|dadong"; fast_pattern:17,6; nocase; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:bad-unknown; sid:2014308; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"0000/log"; http_uri; fast_pattern:only; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/U"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RegSubsDat Checkin Off Ports"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log /"; 
content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014311; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; file_data; content:"|3B 20|Ini download file modue"; nocase; distance:0; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server|3A 20|dbws|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".exe"; http_header; content:"load/"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:attempted-user; sid:2014314; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Requested"; flow:established,to_server; content:"/lib.php"; http_uri; content:".php?showtopic="; http_header; classtype:trojan-activity; sid:2014315; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".pdf"; http_header; file_data; content:"%PDF-"; within:5; content:"<</Filter/FlateDecode /Length"; within:64; 
classtype:trojan-activity; sid:2014316; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"<xml>"; within:5; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http|3a|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"30"; http_stat_code; depth:2; content:"clickpayz.com/"; http_header; classtype:bad-unknown; sid:2014318; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ButorWiki service Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sso/signin?"; nocase; http_uri; content:"service="; nocase; http_uri; pcre:"/service\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/109852/ButorWiki-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014320; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS b2evolution inc_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/blogs/default.php?"; nocase; http_uri; content:"inc_path="; nocase; http_uri; pcre:"/inc_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014321; rev:2;) alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS b2evolution skins_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/blogs/default.php?"; nocase; http_uri; content:"skins_path="; nocase; http_uri; pcre:"/skins_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014322; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_bch controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bch"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109025/Joomla-BCH-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014323; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Fork-CMS js.php module parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/frontend/js.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"language="; nocase; http_uri; content:"module="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109709/Fork-CMS-3.2.4-Cross-Site-Scripting-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014324; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ASUS 
Net4Switch ActiveX CxDbgPrint Format String Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ipswcom.IPSWComItf"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014326; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS starCMS q parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"r="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"actionsuche="; nocase; http_uri; content:"q="; nocase; http_uri; pcre:"/q\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110376/starCMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014327; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_boss controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_boss"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/108905/Joomla-Boss-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014328; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Snipsnap search Cross Site Scripting Attempt"; flow:established,to_server; content:"/space/snipsnap-search?"; nocase; http_uri; content:"query="; nocase; http_uri; pcre:"/query\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
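reference:url,packetstormsecurity.org/files/109543/Snipsnap-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014329; rev:2;)
# sid 2014330: outbound request for /jucheck.exe that carries neither a User-Agent
# nor an Accept header. "HTTP/1.0" has no buffer modifier, so it is matched against
# the raw payload rather than a normalized HTTP buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kelihos/Hlux GET jucheck.exe from CnC"; flow:established,to_server; content:"/jucheck.exe"; http_uri; content:"HTTP/1.0"; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; reference:url,www.abuse.ch/?p=3658; classtype:trojan-activity; sid:2014330; rev:2;)
# sid 2014331: outbound request whose URI contains both "/stats/counterz.php?id="
# and "&stat=". The two URI matches are unordered substrings; the md5 reference
# identifies the sample the signature was written from.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Genome.aetqe Checkin"; flow:established,to_server; content:"/stats/counterz.php?id="; http_uri; content:"&stat="; http_uri; reference:md5,700b7a81d1460a652e5f9f06fc54dcd6; classtype:trojan-activity; sid:2014331; rev:2;)
# sid 2014332: policy rule. Fires when ".nyud.net" terminates a header line within
# 100 bytes after "Host:", i.e. the client is browsing through the Coral CDN proxy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Coral Web Proxy/Content Distribution Net Use"; flow:to_server,established; content:"Host|3a|"; http_header; content:".nyud.net|0d 0a|"; fast_pattern; http_header; within:100; reference:url,en.wikipedia.org/wiki/Coral_Content_Distribution_Network; classtype:policy-violation; sid:2014332; rev:2;)
# sid 2014334: GET for /mm.php?d=1 where the Host header ends in .rr.nu.
# The dots in the pcre are escaped so that only a literal ".rr.nu" in the Host line
# satisfies it; unescaped, "." matched any byte and the Host check could pass on an
# unrelated hostname while the literal ".rr.nu" content matched in another header
# (for example Referer). Bump rev when this change is published.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\.rr\.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:3;)
# The rule below is continued on the following line of the file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"|66 74 79 70 6D 70 34|"; distance:0; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; 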
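reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:2;)
# sid 2014336: outbound POST to /bbs/info.asp sent without a "User-Agent: " header.
# The URI string is the fast pattern; the missing User-Agent is the discriminator
# that separates this from ordinary browser posts to the same path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yayih.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bbs/info.asp"; http_uri; fast_pattern; content:!"User-Agent|3a| "; http_header; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:trojan-activity; sid:2014337; rev:2;)
# sid 2014338: the same injected-script marker, but served by one of our own
# $HTTP_SERVERS to an external client, i.e. a local site is hosting the injection.
# The pattern is matched in the raw stream (no file_data), so a compressed response
# body is not inspected by either this rule or sid 2014337.
# msg corrected from "RougeAV" to "RogueAV" so that it agrees with sid 2014337 and
# a search on the campaign name finds both alerts. Bump rev when published.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RogueAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:2;)
# sid 2014339: outbound request to /inst.asp?d= whose URI also carries all of the
# listed query parameters. The parameter matches are unordered URI substrings.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware Checkin"; flow:established,to_server; content:"/inst.asp?d="; http_uri; content:"&cl="; http_uri; content:"&l="; http_uri; content:"&e="; http_uri; content:"&v="; http_uri; content:"&uid="; http_uri; content:"&time="; http_uri; content:"&win="; http_uri; content:"&ac="; http_uri; content:"&ti="; http_uri; content:"&xv="; http_uri; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014339; rev:1;)
alert tcp $HOME_NET any -> 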
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware User Agent"; flow:established,to_server; content:"User-Agent|3a| zz_"; http_header; pcre:"/^User-Agent\x3a zz_[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014340; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|SnadBoy"; http_header; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Coced.PasswordStealer User-Agent 5.0"; flow:established,to_server; content:"User-Agent|3A 20|5.0|0D 0A|"; http_header; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:trojan-activity; sid:2014344; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User Agent UpdateSoft"; flow:established,to_server; content:"User-Agent|3A 20|UpdateSoft"; http_header; reference:md5,254efc77c18eb2f427d2a3920e07c2e8; classtype:trojan-activity; sid:2014345; rev:2;) alert tcp $EXTERNAL_NET 
any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; depth:9; fast_pattern; http_client_body; content:"%3D%0D%0A"; offset:109; http_client_body; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:trojan-activity; sid:2014347; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; content:"CHAR("; http_uri; nocase; pcre:"/CHAR\([0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}/Ui"; classtype:attempted-admin; sid:2014352; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/MediaGet.Adware Installer Download"; flow:established,to_client; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:trojan-activity; sid:2014353; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; 
reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; content:"User-Agent|3A 20|Softonic Downloader/"; http_header; reference:md5,1047b186bb2822dbb5907cd743069261; classtype:trojan-activity; sid:2014355; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; within:30; http_client_body; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:trojan-activity; sid:2014356; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Kazy Checkin"; flow:established,to_server; content:"/guidcheck.php?q="; http_uri; content:"&g="; http_uri; content:"&n="; http_uri; content:"&h="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; reference:md5,bb129d433271951abb0e5262060a4583; classtype:trojan-activity; sid:2014357; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Riern.K Checkin Off Port"; flow:established,from_client; content:"|01|new_host_"; depth:10; fast_pattern; content:"|ff ff ff ff ff 00 00 00 00 00 00 00 00|"; distance:0; classtype:trojan-activity; sid:2014358; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; 
content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:trojan-activity; sid:2014359; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Win32/Protux.B POST checkin"; flow:from_client,established; content:"POST"; nocase; http_method; content:"Mozilla/4.8.20 (compatible|3B| MSIE 5.0.2|3B| Win32)|0D 0A|Host|3a| "; http_header; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:trojan-activity; sid:2014360; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014362; rev:2;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; pcre:"/[a-z0-9]{33,}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014363; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:trojan-activity; sid:2014364; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Graybird Checkin"; flow:to_server,established; content:"/count.asp?mac="; http_uri; content:"&os="; http_uri; content:"&av="; http_uri; content:"User-Agent|3a| Post|0d 0a|"; http_header; 
reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:trojan-activity; sid:2014365; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Post"; flow:established,to_server; content:"User-Agent|3A 20|Post|0d 0a|"; http_header; fast_pattern:only; content:!"/uup.php"; http_uri; content:!".360.cn|0d 0a|"; http_header; content:!".360.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014366; rev:6;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; within:8; content:"|20 28|qwe123"; fast_pattern:only; classtype:trojan-activity; sid:2014368; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/forum/"; http_uri; pcre:"/\/forum\/[0-9a-f]{32}\x2ephp/U"; content:"HTTP/1.0"; content:!"User-Agent|3A|"; nocase; http_header; content:"Data="; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2014370; rev:2;) alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014372; rev:5;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014376; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; 
content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2;) alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2;) alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8;) alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server,not_established; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:6;) alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; 
flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper User-Agent (XXXwww)"; flow:established,to_server; content:"User-Agent|3a| XXXwww"; http_header; classtype:trojan-activity; sid:2014387; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_phocadownload folder Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_phocadownload"; nocase; http_uri; content:"view="; nocase; http_uri; content:"manager="; nocase; http_uri; content:"tmpl="; nocase; http_uri; content:"folder="; nocase; http_uri; pcre:"/folder=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/100406/Joomla-Phocadownload-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014388; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_adsmanager mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_adsmanager"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstorm.foofus.com/1012-exploits/joomlaadsmanager-rfi.txt; classtype:web-application-attack; sid:2014389; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"F6FE8878-54D2-4333-B9F0-FC543B1BE1ED"; nocase; distance:0; content:"FtpUploadFile"; nocase; 
reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014390; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"OfficeViewer.OfficeViewer"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014391; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_fundhelp controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_fundhelp"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109023/Joomla-Fundhelp-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014392; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rule controller Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rule"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/109026/Joomla-Rule-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014393; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_kp controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_kp"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; 
reference:url,packetstormsecurity.org/files/108917/Joomla-KP-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014394; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Address Book from Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/preferences.php?"; nocase; http_uri; content:"from="; nocase; http_uri; pcre:"/from\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110667/PHP-Address-Book-6.2.12-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014395; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Volusion Chat ID Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/livechat.aspx?"; nocase; http_uri; content:"location="; nocase; http_uri; content:"auto="; nocase; http_uri; content:"cookieGuid="; nocase; http_uri; content:"ID="; nocase; http_uri; pcre:"/ID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/110811/Volusion-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014396; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EJBCA issuer Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/publicweb/webdist/certdist?"; nocase; http_uri; content:"cmd="; nocase; http_uri; content:"serno="; nocase; http_uri; content:"issuer="; nocase; http_uri; pcre:"/issuer\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; 
reference:url,packetstormsecurity.org/files/110683/EJBCA-4.0.7-Cross-Site-Scripting-User-Enumeration.html; classtype:web-application-attack; sid:2014397; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Spy.Win32.Zbot.djrm Checkin"; flow:to_server,established; content:"/index.html?mac="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&dtime="; fast_pattern; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; reference:md5,b895249cce7d2c27cb9c480feb36560c; reference:md5,f70a5f52d4c0071963602c25b62865cb; classtype:trojan-activity; sid:2014399; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/LoudMo.Adware Checkin"; flow:established,to_server; content:"/?aff="; http_uri; content:"Host|3A 20|www.gamebound.com"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:trojan-activity; sid:2014400; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 15000:30000 (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"GET /qvod/ff.txt"; depth:16; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 15000:30000 (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; content:"GET /wg.txt"; depth:11; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:trojan-activity; sid:2014403; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/?$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:trojan-activity; sid:2014405; rev:14;) alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; 
pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2020983; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern:only; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:trojan-activity; sid:2020985; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:trojan-activity; sid:2020987; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 
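Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern:only; pcre:"/\/street[1-5]\.php$/U"; classtype:trojan-activity; sid:2020988; rev:1;)
# sid 2020989: outbound request whose normalized URI ends in /XV-<digits>.exe.
# The "/XV-" fast pattern carries no http_uri modifier, so it is searched in the raw
# payload; the anchored pcre is what pins the match to the end of the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern:only; pcre:"/\/XV-\d+\.exe$/U"; classtype:trojan-activity; sid:2020989; rev:1;)
# sid 2020990: response body containing the three download-related strings
# (case-insensitive) together with the unescape/document.write sequence.
# All four contents are unordered matches inside file_data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:trojan-activity; sid:2020990; rev:1;)
# sid 2020991: outbound request whose URI ends in one of a short list of file names
# followed by ".exe". The dot before "exe" is escaped so the pcre requires a literal
# ".exe" suffix; unescaped, any byte was accepted in that position (e.g. "/NewXexe")
# whenever ".exe" appeared elsewhere in the URI. Bump rev when published.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ)\.exe$/U"; classtype:trojan-activity; sid:2020991; rev:1;)
# sid 2020992: outbound request whose URI contains /BrowserUpdate.lnk. Single
# content match with no further qualifier.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020992; rev:1;)
# sid 2020993: state-only rule (flowbits:noalert). When a response body contains the
# two script markers it sets the ET.IonCube flowbit and raises no alert itself.
# The rule that follows tests that flowbit, so disabling this sid silences it too.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:1;)
# The rule below is continued on the following line of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; 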
pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:trojan-activity; sid:2020994; rev:2;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access"; flow:established,to_server; content:"Adminhtml"; http_uri; nocase; content:!"|2f|admin|2f|"; nocase; http_uri; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:attempted-admin; sid:2021005; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern; classtype:trojan-activity; sid:2021006; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"ludGVybmV0T3Blb"; fast_pattern; classtype:trojan-activity; sid:2021007; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"JbnRlcm5ldE9wZW"; fast_pattern; classtype:trojan-activity; sid:2021008; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"d2luaW5ldC5kbG"; fast_pattern; classtype:trojan-activity; sid:2021009; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"dpbmluZXQuZGxs"; fast_pattern; classtype:trojan-activity; sid:2021010; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET TROJAN Email Contains wininet.dll Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"3aW5pbmV0LmRsb"; fast_pattern; 
classtype:trojan-activity; sid:2021011; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{8}[\x20-\x7e]{5}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:trojan-activity; sid:2021012; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021013; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; 
content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021016; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dalexis Downloading EXE"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.0|29 0d 0a|"; http_header; fast_pattern:44,20; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Close|0d 0a|"; http_header; classtype:trojan-activity; sid:2021017; rev:1;) alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; content:"POST"; http_method; content:"/apply_noauth.cgi"; http_uri; fast_pattern:only; content:"timestamp="; http_client_body; threshold: type both, track by_dst, count 10, seconds 60; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN MewsSpy/NionSpy .onion Proxy Domain (z3mm6cupmtw5b2xx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|z3mm6cupmtw5b2xx"; nocase; distance:0; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector; classtype:trojan-activity; sid:2021019; rev:1;) alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Kaspersky Sinkhole DNS Reply"; content:"|00 01 00 01|"; 
content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:2021021; rev:1;) alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1;) alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021023; rev:1;) alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021024; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible ThousandEyes User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; http_header; fast_pattern:68,20; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021025; rev:1;) alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET INFO Possible ThousandEyes User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; http_header; fast_pattern:68,20; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021026; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?sentry_version="; http_uri; content:"&sentry_client="; distance:0; http_uri; 
content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:trojan-activity; sid:2021027; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downeks Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:7; content:"/dw/gtk"; http_uri; fast_pattern:only; content:"Host|3a|"; http_header; depth:5; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:trojan-activity; sid:2021028; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downeks Checkin 2"; flow:to_server,established; urilen:>107; content:"GET"; http_method; content:"/setup/"; http_uri; fast_pattern:only; content:"Host|3a|"; http_header; depth:5; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/setup\/[a-zA-Z0-9!-]{100,}$/U"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:trojan-activity; sid:2021029; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BePush/Kilim CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?type="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Mozilla|2f|"; http_header; content:!"threatseeker.com|0d 0a|"; pcre:"/\.php\?type=(?:update_hash|js|key|arsiv_(?:hash|link))$/U"; reference:md5,dad57ec2d5d99b725acc726b0a644c00; reference:url,seclists.org/fulldisclosure/2015/Jan/131; classtype:trojan-activity; sid:2021030; rev:3;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; 
content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:trojan-activity; sid:2021031; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:trojan-activity; sid:2021032; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; depth:3; content:"/%20http%3A%2F"; distance:0; nocase; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/%20http%3A%2F/i"; classtype:trojan-activity; sid:2021033; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET "; depth:4; content:"/5/"; distance:0; content:"/"; distance:32; within:1; content:"http%3A%2F%2F"; within:17; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/5\/[a-f0-9]{32}\/%20http%3A%2F%2F/i"; classtype:trojan-activity; sid:2021034; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"|20|HTTP/1."; distance:0; content:"Java/"; distance:0; fast_pattern; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)? 
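HTTP\/1\./"; classtype:trojan-activity; sid:2021035; rev:4;)
# sid 2021036: raw-payload match (no http_* buffers, any destination port) on a
# request line whose path contains /5/<UPPERCASE>/<32 hex chars>, optionally
# followed by an extension, a four-part dotted version string or a number,
# and then " HTTP/1.0" or " HTTP/1.1" and CRLF.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"|20|/"; offset:3; depth:3; content:"/5/"; fast_pattern; distance:0; content:"HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^[A-Z]{3,4} [^\s]*?\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)? HTTP\/1\.[01]\r\n/"; classtype:trojan-activity; sid:2021036; rev:5;)
# sid 2021037: GET /<a>/<b>/5/<UPPERCASE>/<32 or 40 hex chars> whose Referer value
# ends in /<digit>/<UPPERCASE>/<32 or 40 hex chars>; the second pcre is relative
# (/R) to the "Referer: " content match.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"/5/"; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})? HTTP\/1\./"; content:"Referer|3a 20|"; distance:0; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r/R"; classtype:trojan-activity; sid:2021037; rev:6;)
# sid 2021038: form-encoded POST to /<a>/<b>/...; the last pcre runs right after
# the blank line that ends the headers and requires two captured body characters
# to reappear later in the value (back-references var2, then var1).
# NOTE(review): this listing showed both capture groups as a bare "(?P(" - the
# "<name>" part was evidently stripped as if it were an HTML tag, and PCRE does
# not accept "(?P(". The names are restored here from the back-references the
# rule already uses; first group = var1, second = var2 is assumed from the
# numbering - confirm against the upstream copy of this sid before deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; depth:4; content:"0/"; distance:0; content:"|20|HTTP/1."; distance:0; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; distance:0; fast_pattern:21,20; content:"%"; distance:0; pcre:"/^POST \/[a-z]+\/[a-z]+\//"; content:"|0d 0a 0d 0a|"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/R"; classtype:trojan-activity; sid:2021038; rev:5;)
# sid 2021039: HTTP response body containing "lortnoCgA.lortnoCgA"
# ("AgControl.AgControl" written backwards) together with the string "reverse".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:1;) 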
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cld7vqwcvn2bii67"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:2; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/? HTTP\/1\.[01]\r\n/"; content:"/%20http%3A%2F"; distance:0; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; 
fast_pattern:only; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/DDoS.Sotdas/IptabLex Checkin"; flow:to_server,established; dsize:296; content:"|72 8D 90 89 7E D6|"; offset:224; depth:6; fast_pattern; content:"|b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6|"; reference:md5,f7556d9ede5d988400b1edbb1a172634; classtype:trojan-activity; sid:2021049; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:trojan-activity; sid:2021050; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux.Mumblehard Initial Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| 
rv|3a|7.0.1) Gecko/20100101 Firefox/7.0.1"; fast_pattern:59,20; pcre:"/^Host\x3a (?:\d{1,3}\.){3}\d{1,3}\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nAccept-Language\x3a[^\r\n]+?\r\nAccept-Encoding\x3a[^\r\n]+?\r\nAccept-Charset\x3a[^\r\n]+?\r\nConnection\x3a close(?:\r\n)*$/Hi"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021051; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux.Mumblehard Command Status CnC"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|7.0.1) Gecko/"; fast_pattern:37,20; pcre:"/^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1/Ri"; pcre:"/^Host\x3a (?:\d{1,3}\.){3}\d{1,3}\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nAccept-Language\x3a[^\r\n]+?\r\nAccept-Encoding\x3a[^\r\n]+?\r\nAccept-Charset\x3a[^\r\n]+?\r\nConnection\x3a close(?:\r\n)*$/Hi"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021052; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Linux.Mumblehard Spam Command CnC"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"|0d 0a 0d 0a 0f 0f|"; pcre:"/^\d{1,3}[0-2]/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021053; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"name="; http_client_body; content:"&host="; http_client_body; content:"&browser="; http_client_body; content:"&post="; http_client_body; fast_pattern:only; pcre:"/\.php$/U"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:trojan-activity; sid:2021055; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/Hmi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; isdataat:!1,relative; classtype:trojan-activity; sid:2021057; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Xenu Link Sleuth Scanner Outbound"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Xenu Link Sleuth"; http_header; fast_pattern:12,16; classtype:attempted-recon; sid:2021058; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021059; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS MSF Meterpreter Default User Agent"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; http_header; fast_pattern:40,20; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; classtype:bad-unknown; sid:2021060; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Ursnif SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|athereforeencourage.pw"; distance:1; within:23; classtype:trojan-activity; sid:2021061; rev:1;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS Request"; flow:to_server,established; content:"/genericons/example.html"; http_uri; fast_pattern:only; pcre:"/\/genericons\/example\.html$/U"; reference:url,blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html; classtype:web-application-attack; sid:2021062; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021063; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"Content-Type|3a 
20|application/postscript|0d 0a|"; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; content:"Content-Disposition|3a 20|inline|3b| filename="; pcre:"/^[a-z]{10}\.[a-z]{3}\r\n\r\n/R"; classtype:trojan-activity; sid:2021064; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:to_server,established; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:trojan-activity; sid:2021065; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from Cisco ooh323"; flow:to_server,established; content:"|28 06|cisco|00|"; offset:14; depth:8; content:"|b8 00 00 27 05|ooh323|06|"; distance:0; within:60; reference:url,videonationsltd.co.uk/2015/04/h-323-cisco-spam-calls/; classtype:misc-attack; sid:2021066; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M1 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x201\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021067; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M2 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|2"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x202\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021068; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M3 (noalert)"; flowbits:set,http.dottedquadhost; 
flowbits:noalert; flow:to_server,established; content:"Host|3a 20|3"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x203\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021069; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M4 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|4"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x204\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021070; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M5 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|5"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x205\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021071; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M6 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|6"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x206\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021072; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M7 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|7"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x207\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021073; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted Quad Host M8 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|8"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x208\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021074; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Dotted 
Quad Host M9 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; content:"Host|3a 20|9"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x209\d{0,1}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; classtype:bad-unknown; sid:2021075; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|is6xsotjdy4qtgur"; fast_pattern; distance:0; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern:only; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Enfal CnC POST"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; fast_pattern:only; http_uri; pcre:"/\.cgi$/U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; 
pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021079; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Enfal CnC GET"; flow:to_server,established; content:"GET"; http_method; content:"docs/"; http_uri; fast_pattern:only; pcre:"/^\/(?:tran|http)docs\//U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021080; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"JnB3ZD"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"Zwd2Q9"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; 
fast_pattern; content:"mcHdkP"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iq3ahijcfeont3xx"; fast_pattern; distance:0; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021086; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021087; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/p?"; depth:3; http_uri; fast_pattern; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/^\/p\?\d+(?:\x3b\d+){4}$/U"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021088; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
WebRTC IP tracker Observed in DNSChanger EK May 12 2015"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:trojan-activity; sid:2021089; rev:1;)
# sid 2021090: HTTP response body containing "CryptoJSAesJson" plus one more
# pattern that this listing no longer carries.
# NOTE(review): the first content is empty as shown here. Snort and Suricata
# reject a zero-length content, and fast_pattern:11,20 implies the original
# string was at least 31 bytes long, so the pattern was most likely lost when the
# page was extracted (it probably looked like markup). Restore it from the
# upstream copy of this sid; the rule cannot load in this form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:""; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3;)
# sid 2021091: outbound GET whose URI is exactly "/v.vlt" (urilen:6) and whose
# headers include a UA-CPU field.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VaultCrypt Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:6; content:"/v.vlt"; http_uri; fast_pattern:only; content:"|0d 0a|UA-CPU|3a 20|"; http_header; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:trojan-activity; sid:2021091; rev:1;)
# sid 2021092: response body that starts with 4c 00 00 00 (the header-size field
# that opens a Windows shortcut file) and contains "bitsadmin" and "transfer"
# as NUL-interleaved (UTF-16LE) strings, matched case-insensitively.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:1;)
# sid 2021093: response body containing a VBA Chr() concatenation whose character
# codes spell "Microsoft.XMLHTTP". The match depends on the exact " & " spacing
# shown in the content string.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; 
http_header; content:"postInstallReport"; http_client_body; fast_pattern; content:"machineId|22 3a 22|"; http_client_body; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:trojan-activity; sid:2021094; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Putty SSH Credential Stealer"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"=c3NoOi8v"; http_uri; fast_pattern:only; pcre:"/=c3NoOi8v[A-Za-z0-9+/]+={0,2}$/U"; content:!"Referer|3a|"; http_header; reference:md5,b5c88d5af37afd13f89957150f9311ca; classtype:trojan-activity; sid:2021095; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021096; rev:2;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP.GigaClicks Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/ver/"; http_uri; content:"/sid/"; http_uri; content:"instlog="; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:trojan-activity; sid:2021099; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper Installing PUP 2"; flow:to_server,established; content:"GET"; http_method; content:"/ohupdate.php?"; http_uri; content:"localip="; http_uri; distance:0; 
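content:"&macaddr="; http_uri; distance:0; content:"&program="; http_uri; distance:0; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| ICS)"; http_header; fast_pattern:21,20; reference:md5,9bfae378e38f0eb2dfff87fffa0dfe37; classtype:trojan-activity; sid:2021100; rev:1;)
# Outbound GET to /ohupdate.php?program=...&q=... sent with the bare
# User-Agent "Mozilla/4.0".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper Installing PUP 1"; flow:to_server,established; content:"GET"; http_method; content:"/ohupdate.php?program="; http_uri; content:"&q="; http_uri; distance:0; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; fast_pattern:12,13; classtype:trojan-activity; sid:2021101; rev:1;)
# Server certificate whose subject/issuer fields carry, in order, the attribute
# OIDs 2.5.4.8, 2.5.4.7 and 2.5.4.10 with the length-prefixed values "Glasgow",
# "Glasgo" and "Green Peace". No port restriction: any inbound established flow.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:trojan-activity; sid:2021102; rev:1;)
# URI carries .asp?sn=...&tmac=...&action=...&ver=... and the request headers are
# exactly User-Agent, Host, Cache-Control: no-cache, in that order.
# FIX: the header pcre previously read "Cache-Control\x30442e9d036a40c8cbd41f8f4c9afab1ba\x20no-cache",
# i.e. this rule's own md5 reference value had been spliced into the middle of the
# "\x3a" escape. That form demands a literal "0442e9d0...1ba" after the header name
# and so could never match a real Cache-Control header; the colon escape is restored.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FrauDrop Checkin"; flow:established,to_server; content:".asp?sn="; http_uri; content:"&tmac="; http_uri; distance:0; content:"&action="; http_uri; distance:0; content:"&ver="; http_uri; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021103; rev:1;)
# Exact User-Agent header value "LETITGO".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FrauDrop UA LETITGO"; flow:established,to_server; content:"User-Agent|3a 20|LETITGO|0d 0a|"; http_header; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021104; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FrauDrop UA single"; 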
flow:established,to_server; content:"User-Agent|3a 20|single|0d 0a|"; http_header; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021105; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:trojan-activity; sid:2021106; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Zemot Fake Search Page"; flow:established,from_server; file_data; content:"background|3a 20|url(btn_search.png|29 2f 2a|tpa=http"; fast_pattern:15,20; reference:md5,38cad3170f85c4f9903574941bd282a8; classtype:trojan-activity; sid:2021107; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN APT Hellsing Proxy Checker Checkin"; flow:established,to_server; content:"GET /lib/common.asp?action="; fast_pattern; content:"&uid="; distance:0; content:"&lan="; distance:0; content:"&hname="; distance:7; within:22; content:"&uname="; distance:1; within:22; content:"&os="; distance:0; reference:md5,b7e7186d962d562af6a5d10a25d19b02; reference:url,securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/; classtype:trojan-activity; sid:2021108; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021109; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing 
May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.Win32/Nitol.B Checkin"; flow:from_client,established; dsize:>1000; content:"|88 88 08 00|"; depth:4; content:"|2E|"; distance:1; content:"|2F 73|"; distance:2; reference:md5,f078e099b1f8afc7c43eb05b4badf9e7; classtype:trojan-activity; sid:2021111; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021112; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021113; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoyah CnC Beacon"; flow:established,to_server; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|MSIE|28|"; http_header; content:"|29 29 3b 20|NT|28|"; distance:0; http_header; content:"|29 3b 20|AV|28|"; distance:0; http_header; content:"|29 3b 20|OV|28|"; distance:0; http_header; content:"|29 3b 20|NA|28|"; distance:0; http_header; content:"|29 20|VR|28|"; distance:0; http_header; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf; classtype:trojan-activity; sid:2021114; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CTB-Locker .onion 
Proxy Domain (tlunjscxn5n76iyz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tlunjscxn5n76iyz"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible APT17 CnC Content in Public Website"; flow:from_server,established; file_data; content:"@MICR0S0FT"; pcre:"/^[a-zA-Z0-9]{8}/R"; content:"C0RP0RATI0N"; within:11; reference:url,github.com/fireeye/iocs/tree/master/APT17; classtype:trojan-activity; sid:2021116; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:trojan-activity; sid:2021117; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SPEAR CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:".asp?"; http_uri; fast_pattern:only; content:" MSIE "; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$/U"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,e09c8cd6ad3b99f46e083916c5371b6e2acc050d; classtype:trojan-activity; sid:2021118; rev:1;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SPEAR CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:"?wd="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/U"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,e09c8cd6ad3b99f46e083916c5371b6e2acc050d; classtype:trojan-activity; sid:2021119; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Timezone Check (earthtools.org)"; flow:established,to_server; content:"Host|3a 20|www.earthtools.org|0d 0a|"; http_header; fast_pattern:6,20; content:"/timezone/"; depth:10; http_uri; content:!"Referer|3a|"; http_header; classtype:policy-violation; sid:2021120; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021121; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Worm.VBS.Jenxcus.H URL Structure"; flow:to_server,established; content:"POST"; http_method; content:"/is-rinoy"; http_uri; fast_pattern:only; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021122; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Worm.VBS.Jenxcus.H User Agent"; flow:to_server,established; content:"User-Agent|3a 20|Hacked"; http_header; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; 
classtype:trojan-activity; sid:2021123; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021126; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021127; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Proxy Request"; flow:to_server,established; content:"GET"; http_method; content:"/proxy"; http_uri; fast_pattern; content:"Host|3a 20|"; http_header; content:"|0d 0a|Connection|3a 20|"; http_header; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Cache-Control|3a 20|"; http_header; pcre:"/\/proxy$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Blog Request"; flow:to_server,established; content:"GET"; http_method; content:"/blog"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/blog$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021129; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Target Request"; flow:to_server,established; content:"GET"; 
http_method; content:"/target"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/target$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021130; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blue Bot DDoS Logger Request"; flow:to_server,established; content:"GET"; http_method; content:"/botlogger.php"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/botlogger\.php$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021131; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JavaScriptBackdoor HTTP GET CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?action="; http_uri; fast_pattern:only; content:"&guid="; http_uri; content:"&version="; distance:0; http_uri; content:"WinHttp.WinHttpRequest."; http_header; content:!"Referer|3a|"; http_header; pcre:"/&version=\d+$/U"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:trojan-activity; sid:2021132; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; content:!"Referer|3a|"; http_header; content:"username="; http_client_body; content:"memory_total="; http_client_body; content:"os_caption="; http_client_body; content:"os_serialnumber="; http_client_body; fast_pattern:only; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:trojan-activity; sid:2021133; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any 
(msg:"ET TROJAN JavaScriptBackdoor SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b7 2f ae e8 e2 55 b5 bf|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,2a63b3a621d8e555734582d83b5e06a5; classtype:trojan-activity; sid:2021134; rev:1;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET TROJAN Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern:only; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern:only; content:"classid"; nocase; 
pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021137; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)"; flow:to_server,established; content:"|20|/_plugin/"; offset:3; depth:11; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ri"; reference:cve,2015-3337; classtype:web-application-attack; sid:2021138; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN H1N1 Loader CnC Beacon M1"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http_header; pcre:"/\/gate\.php$/U"; pcre:"/^[A-Za-z0-9/_]+={0,2}$/P"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:trojan-activity; sid:2021139; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN H1N1 Loader CnC Beacon M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http_header; content:"N0BRBh"; depth:6; http_client_body; fast_pattern; pcre:"/\.php$/U"; 
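reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:trojan-activity; sid:2021140; rev:1;)
# Request line "GET /stat/load<token>.php" where <token> mixes upper- and
# lower-case characters (the two look-aheads), and the Host header begins with
# the same token followed by a dot.
# FIX: the capture group had lost its name and read "(?P[a-z0-9]+)", which is not
# a valid PCRE construct. The back-reference "(?P=hname)" later in the same
# expression shows the intended name, so the group is restored as (?P<hname>...).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; sid:2021141; rev:1;)
# GET with no Referer whose URI has the shape /<letter>/infects/<letter>?<letter>=<value>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Bancos URL Structure"; flow:to_server,established; content:"GET"; http_method; content:"/infects/"; http_uri; fast_pattern:only; pcre:"/\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Ui"; content:!"Referer|3a|"; http_header; reference:url,www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis; reference:md5,9766c5eca8d229f1af9dfb9bd97f02a0; classtype:trojan-activity; sid:2021142; rev:1;)
# GET for exactly /loglogin.html (urilen:14) whose only request headers are Host
# and "Connection: Keep-Alive"; User-Agent, Referer and Accept must be absent.
# The same md5 reference was listed four times and the same url reference twice;
# each is kept once. Matching is unaffected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSIL/Autorun.AD Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:14; content:"/loglogin.html"; http_uri; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; reference:md5,3d652375fd511878f410fb1048e47f83; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AMSIL/Autorun.AD; classtype:trojan-activity; sid:2021143; rev:3;)
alert tcp $HOME_NET any 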
-> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nitlove POS CnC"; flow:to_server,established; content:"POST"; http_method; content:".php"; content:"User-Agent|3a 20|nit_love"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; pcre:"/\.php$/U"; reference:url,www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html; classtype:trojan-activity; sid:2021144; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Moose HTTP CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?p="; http_uri; fast_pattern; content:"&f="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021147; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux/Moose HTTP CnC Beacon Response"; flow:established,from_server; content:"Server|3a 20|Apache/20.2.25 (RedHat|29 0d 0a|"; http_header; fast_pattern:13,20; 
reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021148; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021149; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern:only; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021150; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021151; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:trojan-activity; sid:2021152; rev:1;) alert tcp $HTTP_SERVERS any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Wordpress Errorcontent CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:"/?ip="; http_uri; fast_pattern; content:"&referer="; http_uri; distance:0; content:"&ua="; http_uri; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; pcre:"/^\/[a-z]+\/\?ip=/U"; reference:url,isc.sans.edu/diary/Possible+Wordpress+Botnet+C&C:+errorcontent.com/19733; classtype:trojan-activity; sid:2021153; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021154; rev:2;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021155; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Gatak.DR Payload Instructions"; flow:established,to_server; content:"GET"; http_method; urilen:45; content:"/uploads/"; depth:9; http_uri; fast_pattern; content:".png"; distance:32; within:4; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; 
http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|29 0d 0a|"; http_header; pcre:"/\/[a-f0-9]{32}\.png$/U"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gatak.DR#tab=2; classtype:trojan-activity; sid:2021160; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup - ip2location.com"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ip2location\.com\r?/Hmi"; content:"ip2location.com|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2021162; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wdthvb6jut2rupu4"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xwxwninkssujglja"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7fa6gldxg64t5wnt"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
PunkeyPOS HTTP CnC Beacon 7"; flow:established,to_server; content:"GET"; http_method; content:"/?action=getuid"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021166; rev:1;)
# GET whose URI contains /?action=, &uid=, &bit= and &version=, sent without
# any Accept-* or Referer header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 8"; flow:established,to_server; content:"GET"; http_method; content:"/?action="; http_uri; fast_pattern:only; content:"&uid="; http_uri; content:"&bit="; http_uri; content:"&version="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021167; rev:1;)
# POST to a .php URI whose body starts with "action=", then has "&uid=" and a
# "key="/"unkey=" parameter made only of upper-case letters at the very end.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"action="; depth:7; http_client_body; content:"&uid="; distance:0; http_client_body; content:"key="; distance:0; http_client_body; fast_pattern; pcre:"/&(?:un)?key=[A-Z]+$/P"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021168; rev:1;)
# NOTE(review): this rule is damaged as shown. The option after
# content:"Script.Encode" opens as a content string but ends in "/Rs", which is
# the tail of a pcre expression, so the text between the two appears to have been
# lost (probably markup stripped during extraction). Restore it from the upstream
# ruleset; do not load the rule in this form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"\s*?<\/script>/Rs"; classtype:trojan-activity; sid:2021394; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; 
depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:trojan-activity; sid:2021395; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:trojan-activity; sid:2021396; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021397; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Matsnu Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?"; fast_pattern:only; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0b|3b| Windows NT 5.0|3b| .NET CLR 1.0.2914|29 0d 0a|"; http_header; content:"Connection|3a| Keep-Alive|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; content:"="; depth:7; http_client_body; content:"AA"; distance:3; within:2; http_client_body; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:trojan-activity; sid:2021399; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible PHISH - Fake Login 
Landing Page"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:policy-violation; sid:2021400; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/update.php?p="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&id="; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|AutoUpdate|0d 0a|"; http_header; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:trojan-activity; sid:2021401; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/adm/contador.php"; http_uri; fast_pattern:only; content:"User-Agent|3A 20|Firefox/15.0.1|0D 0A|"; http_header; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:trojan-activity; sid:2021403; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/upload.php"; http_uri; content:"conteudo="; fast_pattern; depth:9; http_client_body; content:"&myFile="; http_client_body; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:trojan-activity; sid:2021404; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern:only; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; 
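pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:trojan-activity; sid:2021405; rev:4;)
# sid 2021405 (ends on the line above): the named group `var` captures the script variable that is
# assigned from getBits(), and the two (?P=var) back-references require that same name to be used
# inside the flashvars string. The group must be written (?P<var>...); without the <var> name the
# pcre does not compile and the back-references have nothing to refer to.
#
# HanJuan EK landing request: URI longer than 13 bytes with a single path segment made of five
# hyphen-separated alphanumeric tokens ending in .asp, containing at least two lower-case letters,
# two upper-case letters and two digits; the Host header is a dotted-quad address and the request
# has no Cookie header.
# NOTE(review): the header is $EXTERNAL_NET -> $HOME_NET $HTTP_PORTS with to_server, i.e. it
# inspects requests arriving at HOME_NET web ports - confirm this is the direction in which the
# sensor sees client requests to the landing page.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; content:!"/"; offset:1; http_uri; content:".asp"; http_uri; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/U"; pcre:"/[a-z].*?[a-z]/U"; pcre:"/[A-Z].*?[A-Z]/U"; pcre:"/\d.*?\d/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/Hm"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2021407; rev:3;)
# AirLive RCI (CORE-2015-0012): GET to /cgi_test.cgi?write_ with one of the mac, msn, hdv, pid or
# tan suffixes, where the text after the following "&" contains a semicolon before any further "&".
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; content:"GET"; http_method; content:"/cgi_test.cgi?write_"; http_uri; fast_pattern:only; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/Ui"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:1;)
# Xorddos-associated domain lookup: DNS query (recursion desired, one question, no other records)
# for gggatat456.com. threshold type both: one alert per source per 120 seconds, and only once
# 10 matching queries have been seen in that window.
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gggatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:1;)
# Same query shape and threshold as sid 2021409, for xxxatat456.com.
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|xxxatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL 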
Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021411; rev:3;) alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SeaDuke CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; fast_pattern:only; content:"Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; depth:33; http_header; content:!"Accept-L"; http_header; content:!"Accept|3a|"; http_header; pcre:"/\.php$/U"; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/C"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:trojan-activity; sid:2021413; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; content:"/movie.swf"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2021414; rev:2;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; 
rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0329a\x02de\x00/R"; content:"|03|29a|02|de|00|"; nocase; fast_pattern:only; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021417; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bedep HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:"Accept|3a 20|text/html, application/xhtml+xml, */*|0d 0a|"; http_header; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/U"; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/P"; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Content-Type\x3a[^\r\n]+\r\n)?(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hi"; classtype:trojan-activity; sid:2021418; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL 
Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.visionresearch.com"; distance:1; within:23; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021419; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 3d d6|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021420; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.illuminatistudios.net"; distance:1; within:26; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021421; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 5"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|extranet.qualityplanning.com"; distance:1; within:29; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021422; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|14|edadmin.kearsney.com"; distance:1; within:21; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; 
classtype:trojan-activity; sid:2021423; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|13|redbluffchamber.com"; distance:1; within:20; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021424; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT CozyCar SSL Cert 8"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|Connectads.com"; distance:1; within:15; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:trojan-activity; sid:2021425; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021426; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".dll"; classtype:trojan-activity; sid:2021429; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".sys"; classtype:trojan-activity; sid:2021430; rev:2;) alert tcp $EXTERNAL_NET 
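$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:trojan-activity; sid:2021431; rev:1;)
# Possible Dyre TLS certificate, pattern M1 (L O), on server ports 443 and 4443: a 9-byte INTEGER
# with a leading 00 (presumably the serial number), two-letter upper-case country and state values,
# then locality and organization values of 10-120 alphanumerics that mix upper and lower case
# (organization without spaces), and a commonName containing neither "." nor "*".
# The named group `var` captures the commonName value; (?P=var) requires the same value to follow a
# later 55 04 03 (commonName) attribute. The group must be written (?P<var>...) for the pcre to
# compile.
alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M1 (L O)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:1;)
# Pattern M2 (L CN): the mixed-case 10-120 alphanumeric check is applied to the locality and
# commonName values; the organization value only has to contain no space. `var` again captures the
# commonName value and must be matched a second time after a later 55 04 03 attribute.
alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M2 (L CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:1;)
# Pattern M3 (O CN): the mixed-case check is applied to the organization and commonName values;
# the locality attribute only has to be present. Same `var` capture and back-reference as M2.
alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M3 (O CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:1;)
# Redirector request: URI contains .asp? with fare= and c= parameters and a t= parameter of exactly
# 32 lower-case hex digits (all matched case-insensitively); a header line ends in .pw (presumably
# the Host value).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:trojan-activity; sid:2021435; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; 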
flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021436; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:trojan-activity; sid:2021437; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External IP Lookup sina.com.cn"; flow:established,to_server; content:"GET"; http_method; content:"/iplookup.php"; http_uri; content:"dpool.sina.com.cn"; fast_pattern:only; http_header; classtype:policy-violation; sid:2021438; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"ID_MAQUINA="; depth:11; nocase; http_client_body; fast_pattern; content:"&VERSAO="; distance:0; nocase; http_client_body; content:"&WIN="; distance:0; nocase; http_client_body; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:trojan-activity; sid:2021439; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyBase Keylogger HTTP Pattern"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/post.php?type="; http_uri; fast_pattern; content:"&machinename="; http_uri; distance:0; content:!"User-Agent|3a 20|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/H"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KeyBase Keylogger Uploading Screenshots"; flow:to_server,established; content:"POST"; http_method; content:"/image/upload.php"; 
fast_pattern:only; http_uri; content:"|0d 0a|Expect|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.jpg\x22\x0d\x0a/R"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Rioselx.A Checkin"; flow:established,to_server; content:"/access.php"; http_uri; fast_pattern; content:"User-Agent|3a|"; http_header; content:!"Mozilla"; within:7; http_header; pcre:"/^User-Agent\x3a\x20(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r\n/Hmi"; content:!"Referer"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:"Content-Length|3a| "; http_header; reference:md5,3eb94c397a395f24b84297593f69710a; classtype:trojan-activity; sid:2021442; rev:6;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|v8|05|f1122|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021443; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|GroUndHog|08|MapSnode|03|CoM"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021444; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 
03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021445; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021446; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M2"; flow:to_server,established; content:"GET"; http_method; content:"index.html?city="; http_uri; fast_pattern; content:"&ip="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021447; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M4"; flow:to_client,established; file_data; content:"myFunction|28 29|"; content:"setInterval"; distance:0; content:"alert"; distance:0; content:"gp-msg.mp3"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021449; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M1"; flow:to_client,established; file_data; content:"us_win.mp3"; fast_pattern; content:"yourOS|28 29|"; distance:0; content:"myFunction|28 29|"; distance:0; content:"onload_fun|28 29|"; distance:0; classtype:trojan-activity; sid:2021500; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jiripbot CnC 1"; flow:to_server,established; urilen:7; content:"GET"; http_method; content:"/status"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 
6.1|3b 20|Trident/5.0)"; http_header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/Hmi"; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/Cm"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021501; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jiripbot CnC 2"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/checkupdate"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; http_header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/Hmi"; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/Cm"; content:"A="; http_cookie; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:2021502; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; classtype:trojan-activity; sid:2021503; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021504; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021505; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sednit Connectivity Check 0 Byte POST"; flow:to_server,established; 
content:"POST"; http_method; content:"Host|3a 20|"; http_header; content:"google."; http_header; within:16; content:!"Referer|3a|"; http_header; content:!"=http"; http_uri; content:"Content-Length|3A| 0|0D 0A|"; http_header; fast_pattern:only; content:"/?"; http_uri; pcre:"/\.[a-z]{3,4}\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; pcre:"/^Host\x3a\x20(?:www\.)?google(?:\.[a-z]{2,3})+\r?$/Hm"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used; classtype:trojan-activity; sid:2021506; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:trojan-activity; sid:2021507; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern:only; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (28)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:42; within:8; classtype:trojan-activity; sid:2021509; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; classtype:trojan-activity; sid:2021510; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; 
content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021512; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|obama team"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021513; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021514; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021515; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist 
Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021516; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021517; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021519; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; 
reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021520; rev:1;)
# PoisonIvy beacon: the raw URI begins with "HTTP://" and "Cookie: id=" directly follows the request line,
# with id= followed by 12 uppercase hex characters. Host, User-Agent, Accept and Referer must all be absent,
# so a proxy that inserts any of them upstream of the sensor would stop this rule matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"HTTP|3a 2f 2f|"; depth:7; http_raw_uri; content:"id="; depth:3; http_cookie; content:!"Host|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^id=[0-9A-F]{12}[^\r\n]+$/C"; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern:only; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:1;)
# SSLBL certificate rule: TLS handshake record (0x16) with a Certificate message (0x0b), then |09 00| plus
# eight pinned bytes (apparently the certificate serial number; confirm against the SSLBL entry) and the
# fields C=XX, L=Default City, O=Default Company Ltd. Those text values look like stock placeholders, so
# the pinned bytes carry the specificity. The certificate must be visible in cleartext for this to match;
# TLS 1.3 encrypts the Certificate message.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021525; rev:1;)
# Outbound TCP on any port: "*" followed by digits, then NUL-padded "MHZ", "MB" and "(null)" fields in that
# order (presumably a host-profile check-in; confirm against the reference). "(null)" is the fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/ChinaZ 2.0 DDoS Bot Checkin 3"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; within:7; content:"MB|00 00 00 00|"; distance:0; content:"|28|null|29 00 00 00 00|"; fast_pattern; distance:0; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:trojan-activity; sid:2021526; rev:2;)
# Response-side rule gated on flowbits:isset,ET.Zberp; the rule that sets that bit is not in this section
# and must stay enabled for this one to fire. Matches "0103F\0" immediately preceded by ff fe ff ff in the
# response body, optionally ending in ff d9 (the JPEG end-of-image marker).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Zberp/ZeusVM receiving config via image file (steganography) 3"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe ff ff|"; distance:-10; within:4; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021527; rev:4;)
# GET for a URI ending in /config<...>.jpg (no dot or slash between "config" and ".jpg"), with no "Accept-"
# or Referer header and a User-Agent containing " MSIE " or "rv:11".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/config"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:2;)
# Unlike the serial-pinned SSLBL rules, this one only requires |09 00|, then O=Microsoft and an OU of
# "Widgits pty". The OU OID content (55 04 0b) has no distance/within, so it is searched from the start of
# the payload rather than after the O match. Applies to any server port.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021529; rev:2;)
# Matches only the commonName OID (55 04 03) followed by the length-prefixed name "uktranstele.com", on any
# port and without the 0x16/0x0b handshake anchors used by the serial-pinned SSLBL rules in this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021530; rev:1;)
# First half of a flowbits pair: a request with ".txt" in the URI and "WinHttp.WinHttpRequest" in the
# headers sets ET.BARTALEX and never alerts itself (flowbits:noalert). Disabling this rule silently
# disables sid 2021532, which tests the bit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload M2 (set)"; flow:established,to_server; content:".txt"; http_uri; content:"WinHttp.WinHttpRequest"; http_header; flowbits:set,ET.BARTALEX; flowbits:noalert; classtype:trojan-activity; sid:2021531; rev:1;)
# Second half of the pair: on a flow with ET.BARTALEX set, alerts on a 200 text/plain response whose body
# starts with an http:// or https:// URL containing ".exe" (case-insensitive).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload M2"; flow:established,from_server; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern:only; content:"200"; http_stat_code; file_data; content:"http"; within:4; pcre:"/^s?\x3a\x2f+[^\r\n\s]+\.exe/Ri"; classtype:trojan-activity; sid:2021532; rev:1;)
# Policy rule keyed on the exact Host header "myip.kz"; destination port is any. An external-IP lookup is
# context for other alerts rather than evidence of compromise by itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup myip.kz"; flow:established,to_server; content:"Host|3a 20|myip.kz|0d 0a|"; http_header; fast_pattern:only; classtype:policy-violation; sid:2021533; rev:1;)
# DNS query rule: standard-query header (flags 01 00, one question, no other records) at offset 2, then the
# 16-byte label "hlvumvvclxy2nw7j" anywhere in the name, so the label matches under any parent domain.
# Only UDP/53 is inspected; lookups over TCP/53, DoT or DoH are not seen by this rule.
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hlvumvvclxy2nw7j"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021534; rev:1;)
# Phishing landing page matched on page strings in order (distance:0) in the response body.
# NOTE(review): fast_pattern:10,20 asks for 20 bytes from offset 10, which the 15-byte "Document Shared"
# shown here cannot supply; markup inside this content was probably lost when the page was extracted.
# Compare with the upstream rule before loading.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish - Landing Page July 24 M1"; flow:to_client,established; file_data; content:"Document Shared"; fast_pattern:10,20; content:"name=|22|GENERATOR|22 22|>"; distance:0; content:"name=|22|HOSTING|22 22|>"; distance:0; content:"Login with your email"; distance:0; content:"Choose your email provider"; distance:0; classtype:trojan-activity; sid:2021535; rev:1;)
# Second landing-page variant: the identifier strings invoicetoptables, invoicecontent and
# displayTextgmail / displayTexthotmail / displayTextaol must appear in that order in the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish - Landing Page July 24 M2"; flow:to_client,established; file_data; content:"invoicetoptables"; fast_pattern; content:"invoicecontent"; distance:0; content:"displayTextgmail"; distance:0; content:"displayTexthotmail"; distance:0; content:"displayTextaol"; distance:0; classtype:trojan-activity; sid:2021536; rev:1;)
# sids 2021537-2021540 each fire on one JavaScript function name in a response body and share an identical
# msg, so alerts can only be told apart by sid. The match is on served page content, not on a submission;
# corroborate with the client's subsequent requests before concluding credentials were entered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021537; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern:10,20; classtype:trojan-activity; sid:2021538; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021539; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021540; rev:1;)
# Same structure as sid 2021525 with different pinned bytes after |09 00|, restricted to source port 443.
# The same cleartext-certificate caveat applies.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021541; rev:1;)
# Response body containing "_=window;", a "var" whose name is runs of $ / _ around the letters w and i
# assigned to window, and a "function" whose name consists only of _ / $ characters.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021542; rev:1;)
# Same as sid 2021542 except that the fast pattern is "$=window;" instead of "_=window;".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021543; rev:1;)
# The hex content decodes to the JavaScript text [((28).toString(36)).toUpperCase()+(49992748).toString(36)];
# which is an obfuscated way of spelling the string "String". Single-content rule on the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern:25,20; classtype:trojan-activity; sid:2021544; rev:1;)
# Same DNS pattern as sid 2021534 for the label "decryptoraveidf7". This rule and sid 2021547 share an
# identical msg, so the sid is needed to tell which label was queried.
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|decryptoraveidf7"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021545; rev:1;)
# Pins eight bytes after |09 00| within 35 bytes of the Certificate marker, plus O=Internet Widgits Pty Ltd.
# No fast_pattern is given, so the engine chooses one. Cleartext-certificate caveat as for sid 2021525.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021546; rev:1;)
# Same DNS pattern for the label "encryptor3awk6px"; msg is identical to sid 2021545.
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|encryptor3awk6px"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:1;)
# URI starting with /landings/, "Macintosh;" in the headers, a Host value starting with "mackeeper", and the
# cookies ldrBrowser=%22Safari%22; and ldrOs=%22Mac+OS+X%22;. None of the contents sets fast_pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OSX ADWARE/Mackeeper Checkin"; flow:established,to_server; content:"/landings/"; depth:10; http_uri; content:"Macintosh|3b|"; http_header; content:"Host|3a| mackeeper"; http_header; content:"ldrBrowser=|25|22Safari|25|22|3b|"; http_cookie; content:"ldrOs=|25|22Mac+OS+X|25|22|3b|"; http_cookie; classtype:trojan-activity; sid:2021548; rev:1;)
# Same DNS pattern as sid 2021534 for the label "vacdgwaw5djp5hmu" (UDP/53 only).
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vacdgwaw5djp5hmu"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021549; rev:1;)
# GET with "/ip?json" in the URI and "trackip.net" anywhere in the header buffer. The domain is not
# anchored to the Host header, so it would also match if the string appeared in another header.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup trackip.net"; flow:established,to_server; content:"GET"; http_method; content:"/ip?json"; http_uri; fast_pattern:only; content:"trackip.net"; http_header; classtype:policy-violation; sid:2021550; rev:1;)
# Same DNS pattern as sid 2021534 for the label "des7siw5vfkznjhi" (UDP/53 only).
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|des7siw5vfkznjhi"; fast_pattern; distance:0; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:1;)
# URI-shape rule: the URI must end in /<8 alphanumerics>.php?id=<6-9 digits>, and the lookahead requires a
# lowercase letter directly followed by an uppercase letter inside the 8-character name. No other request
# attribute is checked, so benign URLs of the same shape may match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern:only; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/U"; classtype:trojan-activity; sid:2021552; rev:1;)
# CN-only match like sid 2021530 (no handshake anchors, any port), for "contactcitywell.com".
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021553; rev:1;)
# NOTE(review): content:"" below is empty, which is not a usable content match and should be rejected by
# the rule parser. With depth:21 it presumably held a 21-byte string lost when the page was extracted
# (likely markup); restore it from the upstream rule before loading. The Content-Type content has no
# http_header modifier, so it is matched against the raw payload. The fast pattern is the fixed
# UUID-style string in the client body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potao CnC"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|application/xml"; content:""; depth:21; http_client_body; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; http_client_body; fast_pattern; classtype:trojan-activity; sid:2021554; rev:1;)
# NOTE(review): three content:"" values here are empty as well, including the one marked fast_pattern, so
# this rule is not loadable as shown; the original strings were probably stripped in extraction. What
# remains requires "Server: nginx" and a base64 blob delimited by LF bytes in the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potao CnC POST Response"; flow:to_client,established; content:"Server|3a 20|nginx"; http_header; file_data; content:""; depth:21; content:""; distance:1; content:"|0a|"; distance:1; content:""; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:trojan-activity; sid:2021555; rev:1;)
# GET whose URI ends in _W<digits>.<uppercase hex>/<digits>/<segment>/<dotted quad>/, with User-Agent as
# the first header (depth:11) and no Accept or Referer header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dyre CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"_W"; fast_pattern; http_uri; content:"User-Agent|3a|"; depth:11; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/_W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$/U"; reference:md5,3e215dfa84c271bb431b3de2e5da016a; classtype:trojan-activity; sid:2021556; rev:1;)
# GET with "/PhantomSuper.class" in the URI from a client whose headers contain "Java/", with no Referer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 1"; flow:established,to_server; content:"GET"; http_method; content:"/PhantomSuper.class"; http_uri; fast_pattern; content:"Java/"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021557; rev:1;)
# Same as sid 2021557 for the class name "/ArrayReplace.class".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 2"; flow:established,to_server; content:"GET"; http_method; content:"/ArrayReplace.class"; http_uri; fast_pattern; content:"Java/"; http_header; content:!"Referer|3a|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021558; rev:1;)
# URI of exactly 214 bytes containing the fixed token below with "==" at least 54 bytes after it, and a
# Host of the form a<10 lowercase letters>.<5 lowercase letters>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:trojan-activity; sid:2021559; rev:1;)
# POST whose URI carries the parameters /?p2=, &recr=, &p3=, &as=, &c= in that order.
# NOTE(review): the msg cites CVE-2015-2950 while sids 2021557/2021558, which use the same reference URL,
# cite CVE-2015-2590; this looks like a digit transposition. Confirm before correlating alerts on the CVE
# string in msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN URI Struct Observed in Pawn Storm CVE-2015-2950"; flow:established,to_server; content:"POST"; http_method; content:"/?p2="; http_uri; content:"&recr="; distance:0; http_uri; fast_pattern; content:"&p3="; distance:0; http_uri; content:"&as="; distance:0; http_uri; content:"&c="; distance:0; http_uri; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021560; rev:1;)
# Same DNS pattern as sid 2021534 for the label "613cb6owitcouepv" (UDP/53 only).
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain (613cb6owitcouepv)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|613cb6owitcouepv"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021561; rev:1;)
# Certificate rule with no pinned serial bytes: |09 00| within 30 bytes of the Certificate marker, then
# O=democracy and OU=obamacare. Any server port; cleartext-certificate caveat as for sid 2021525.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021563; rev:1;)
# User-Agent starting "Installer(ref=[" followed, in order, by ;windows= ;uac= ;elevated= ;dotnet=
# ;startTime= ;pid= in the header buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadAdmin.Adware User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Installer|28|ref=|5b|"; http_header; fast_pattern:7,20; content:"|3b|windows="; http_header; distance:0; content:"|3b|uac="; http_header; distance:0; content:"|3b|elevated="; http_header; distance:0; content:"|3b|dotnet="; http_header; distance:0; content:"|3b|startTime="; http_header; distance:0; content:"|3b|pid="; http_header; distance:0; classtype:trojan-activity; sid:2021564; rev:1;)
# CN-only matches like sid 2021530 (no handshake anchors, any port) for "srvreq.com" and
# "www.pohiola.com"; the two rules share one msg and differ only by sid.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021565; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021566; rev:1;)
# Two more instances of the sid 2021525 pattern (source port 443), each with its own pinned bytes. All
# four "Ransomware CnC" rules in this section share one msg, so key triage on the sid.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021567; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021568; rev:1;)
# POST with ".asp?cookie=", "&type=" and "&vid=" in the URI (the last two are not order-constrained) and
# no "Accept-" or Referer header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; content:"POST"; http_method; content:".asp?cookie="; http_uri; fast_pattern:only; content:"&type="; http_uri; content:"&vid="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021569; rev:1;)
# GET whose URI ends in .jpg?vid=<digits>. This rule excludes any header containing "Accept", which is
# broader than the "Accept-" exclusion in Beacon 6 and Beacon 8.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 7"; flow:to_server,established; content:"GET"; http_method; content:".jpg?vid="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?vid=\d+$/U"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021570; rev:2;)
# GET with "/viewphoto.asp?photoid=" in the URI and no "Accept-" or Referer header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021571; rev:1;)
# CVE-2015-5477 family (M1-M4): a DNS message with one question of type 0x00f9 (249, TKEY) followed by a
# record whose type is not TKEY. M1/M3 require an answer count of 1, M2/M4 an additional count of 1;
# M1/M2 have flags 01 00, M3/M4 flags 00 00. Source and destination networks are "any", so internal
# resolvers are covered too. threshold:limit reports one alert per source per 60 seconds, so alert volume
# does not reflect packet volume. UDP/53 only.
alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3;)
alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4;)
alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3;)
alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4;)
# sids 2021576-2021583: one rule per hostname from the referenced case study. Each matches the standard
# query header and then the wire-format name (length-prefixed labels ending in |00|), case-insensitively.
# Because the match only has to end the query name, deeper subdomains of each host match as well.
# UDP/53 only; lookups over TCP/53, DoT or DoH are not seen.
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (drometic.suroot.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|drometic|06|suroot|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021576; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (docume.sysbloger.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|docume|09|sysbloger|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021577; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (ohio.sysbloger.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|ohio|09|sysbloger|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021578; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (specs.dnsrd.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|specs|05|dnsrd|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021579; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (np3.Jkub.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|np3|04|Jkub|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021580; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (ns8.ddns1.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns8|05|ddns1|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021581; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (books.mrface.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|books|06|mrface|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021582; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (kieti.ipsecsl.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kieti|07|ipsecsl|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021583; rev:1;)
# Cleartext HTTP to destination port 443: the rule uses raw payload matches (no HTTP buffers) for "POST /"
# at offset 0 and ".php HTTP/1.", with an upper-case "HOST:" as the first header line, followed only by
# User-Agent and Content-Length. Content-Type, Accept and Referer must be absent. A session actually
# wrapped in TLS cannot match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT Lurker POST CnC Beacon"; flow:established,to_server; content:"POST /"; depth:6; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Content-Type|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021584; rev:3;)
# GET counterpart of sid 2021584: "HOST:" as the first header line, followed only by User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021585; rev:3;)
# Heuristic certificate rule (source ports 443 and 4443): a 9-byte serial at a fixed position, two-letter C
# and ST values, no OU afterwards, and L / O / CN fields encoded with tag 0x0c whose length byte is
# between 10 and 120 and whose first nine bytes include a byte outside printable ASCII.
# NOTE(review): the last pcre opens a group with "(?P" and later back-references "(?P=var)", but no group
# named var is defined as written; the "<var>" after "(?P" was most likely stripped in extraction. As shown
# the expression should not compile; restore it from the upstream rule. The back-reference appears meant
# to require the same CN value to occur twice in the certificate; confirm.
alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Aug 02 2015"; flow:established,from_server; file_data; content:"value=|22|#ffffff|22|"; content:!".swf"; nocase; content:""; pcre:"/^\s*?\s*?