rules/0000755000175000017500000000000012612177155011161 5ustar champchamprules/blacklist.rules0000664000175000017500000000432212612177151014204 0ustar champchamp# Sagan blacklist.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # These are CATCH ALL rules. This means it will parse _all_ logs. 
# Catch-all blacklist rule.
#
# There is no program: or content: option, so every log line Sagan receives is
# evaluated here (see the "CATCH ALL" note in the file header). parse_src_ip: 1
# and parse_dst_ip: 2 presumably pick the first and second IP address found in
# the message as the event's source/destination, and normalize: all runs the
# liblognorm rulebases as well, before the blacklist: all lookup. The
# after:/threshold: pair rate-limits per source (count 5 in 30 s to open,
# then at most 10 alerts per source per 60 s). Because it runs on every log,
# its cost scales with total log volume — watch CPU on busy sensors.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLACKLIST] Suspicious communications detected via Blacklist"; blacklist: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize: all; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002271; sid: 5002271; rev:1;)
rules/postfix.rules0000664000175000017500000000507112612177151013732 0ustar champchamp
# Sagan postfix.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Postfix rules. Each one matches on program: postfix plus the quoted message
# fragment (or pcre).
#
# Sender rejected by a DNS blocklist ("blocked using ...").
alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[POSTFIX] IP Address black-listed by anti-spam [blocked]"; content: "blocked using"; classtype: spam; program: postfix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000225; sid: 5000225; rev:2;)
# Delivery/resource problems on the mail host itself (operational, not hostile).
alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[POSTFIX] Processing error"; pcre: "/defer service failure|resource temporarily unavailable/i"; classtype: program-error; program: postfix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000226; sid: 5000226; rev:2;)
# NOTE(review): this fires once per failed SASL login with no after:/threshold:,
# so a password-spraying client produces one alert per attempt. If that is too
# noisy, pair it with a counted variant (after: track by_src, count N, seconds S)
# the way su.rules does for sudo/su failures.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[POSTFIX] SASL authentication failure"; content: "authentication failed"; classtype: unsuccessful-user; program: postfix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000227; sid: 5000227; rev:2;)
rules/su.rules0000664000175000017500000001131312612177151012661 0ustar champchamp
# Sagan su.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
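#
#*************************************************************
# This is for both "su" and "sudo"
#
# Review notes for this file:
#  * Two rules below use "drop" together with "fwsam: src, 1 day". For su/sudo
#    the failing login is local to the host, so the "source" address Sagan
#    attaches to the event is the syslog sender (or whatever normalize: su
#    extracts), not a remote attacker. A one-day firewall block of that address
#    can cut off the reporting host or its log relay — NOTE(review): confirm
#    which address these events carry in your deployment before relying on
#    fwsam here.
#  * sid 5002566 read `content "root"` (missing colon), which is not a valid
#    option; fixed below and rev bumped to 2.
#
# sudo refused a user who is not in sudoers.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] SUDO user NOT in sudoers"; content:"user NOT in sudoers"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000024; sid: 5000024; rev:1;)
# Counted sudo authentication failures: after: count 3 in 300 s per source,
# then at most 5 alerts per source in 300 s. See the fwsam note above.
drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure - Brute force [3/5]"; content: "authentication failure"; classtype: unsuccessful-admin; normalize: su; program: sudo; after: track by_src, count 3, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000025; sid: 5000025; rev:4;)
# Uncounted variant of the rule above, disabled.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SU] SUDO authentication failure"; content: "authentication failure"; classtype: unsuccessful-admin; normalize: su; program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5001526; sid: 5001526; rev:1;)
# Successful su to root ("Successful su for root").
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful su as root"; content:"Successful su for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000027; normalize: su; sid: 5000027; rev:2;)
# Counted failed su: after: count 5 in 300 s per source, limit 5 alerts per
# source in 300 s. No normalize: option here, so the source is the syslog
# sender — see the fwsam note above.
drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su - Brute force [5/5]"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000028; sid: 5000028; rev:3;)
# Uncounted variant of the rule above, disabled.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] FAILED su"; content:"FAILED su"; classtype: unsuccessful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5001527; sid: 5001527; rev:1;)
# sudo gave up after three bad passwords.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Three failed attempts to run sudo"; content: "3 incorrect password attempts"; classtype: unsuccessful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000132; sid: 5000132; rev:1;)
# Any sudo line with USER=root and a COMMAND= field. The negated contents
# exclude the failure wording matched by sids 5000024 and 5000132, so this is
# the "command actually ran as root" case.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] Successful sudo to ROOT executed"; content: "USER=root"; content: "COMMAND="; content:!"incorrect password attempts"; content:!"NOT in sudoers"; classtype: successful-admin;program: sudo; reference: url,wiki.quadrantsec.com/bin/view/Main/5000133; sid: 5000133; rev:3;)
# Alternate successful-su wording ("su root" ... "succeeded for root").
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] su as 'root' suceeded"; content: "su root"; content: "succeeded for root"; classtype: successful-admin; program: su; reference: url,wiki.quadrantsec.com/bin/view/Main/5000409; normalize: su; sid: 5000409; rev:2;)
# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015
# Loose three-token match: "passwd", "root" and "HISTORY" anywhere in the line
# under program -su or su. The HISTORY token presumably means this depends on
# shell history being shipped to syslog — confirm that is configured on the
# monitored hosts, otherwise the rule never fires. Fixed the missing colon on
# the second content option (was `content "root"`).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SU] root password change attempt"; content:"passwd"; content:"root"; content:"HISTORY"; classtype: suspicious-command; program: -su|su; reference: url,wiki.quadrantsec.com/bin/view/Main/5002566; sid: 5002566; rev:2;)
rules/vsftpd-geoip.rules0000664000175000017500000000463212612177151014647 0ustar champchamp
# Sagan vsftpd-geoip.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# GeoIP rules for vsftpd. Both need a client address for the
# country_code: track by_src lookup. They previously had no parse_src_ip: /
# normalize: option at all, so there was no client address to geolocate — only
# the syslog sender, which is presumably always in $HOME_COUNTRY. Added
# parse_src_ip: 1 (the idiom blacklist.rules and tcp.rules use) and bumped rev
# to 2. NOTE(review): confirm against a real vsftpd "OK LOGIN"/"OK UPLOAD" line
# that the client address is the first IP in the message.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD-GEOIP] Authentication successful from outside HOME_COUNTRY"; content: "OK LOGIN"; classtype: successful-user; program: vsftpd; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002387; sid:5002387; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD-GEOIP] File uploaded from outside HOME_COUNTRY"; content: "OK UPLOAD"; classtype: suspicious-traffic; country_code: track by_src, isnot $HOME_COUNTRY; program: vsftpd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002388; sid:5002388; rev:2;)
rules/windows-owa-brointel.rules0000664000175000017500000000410012612177151016320 0ustar champchamp
# Sagan windows-owa-brointel.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.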
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
# NOTE(review): the message says "Login failure - Brute force [5/5]", but the
# rule has no after:/threshold: counter and no failure-specific content. As
# written it fires on the first log line containing /ews/exchange.asmx whose
# parsed source address (parse_src_ip: 1) is on the Bro intel list
# (bro-intel: by_src), and fwsam then blocks that source for a day. Either
# rename the message to what is actually detected (EWS access from a
# Bro-intel-listed source) or add "after: track by_src, count 5, seconds 300;"
# as the su.rules brute-force rules do. There is also no program: restriction,
# so any log line carrying that path qualifies, not only the web server's.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA-BROINTEL] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; bro-intel: by_src; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002266; sid: 5002266; rev:1;)
rules/vmware-normalize.rulebase0000664000175000017500000000364612612177151016203 0ustar champchamp
# Sagan vmware-normalize.rulebase
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# This file is used in conjunction with liblognorm.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# liblognorm rulebase. prefix= is left empty (nothing is prepended to the
# pattern). The single rule extracts %username% and %src-ip% from an
# "Accepted password for USER from IP" line — sshd-style wording, presumably
# the host's SSH daemon; other login paths are not covered by this file.
# NOTE(review): %src-ip:ipv4% only matches dotted-quad addresses, so logins
# from IPv6 clients will not normalize and carry no source address.
prefix=
rule=: Accepted password for %username:word% from %src-ip:ipv4%
rules/tcp.rules0000664000175000017500000000400712612177151013022 0ustar champchamp
# Sagan tcp.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Linux kernel "TCP: Treason uncloaked!" message. Outside this file: the kernel
# logs it when a peer shrinks its advertised window after data was sent, which
# points at a broken or misbehaving peer rather than a confirmed attack — hence
# classtype bad-unknown. The "drop" action carries no fwsam: option here, so
# presumably nothing is actually blocked and the action only labels the event
# (confirm against your fwsam configuration).
# NOTE(review): program: TCP assumes the syslog parser reports "TCP" as the
# program name. Many hosts log this under program "kernel" with "TCP:" inside
# the message, in which case this rule never matches — verify on a real line.
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TCP Treason uncloaked"; content: "Treason uncloaked"; classtype: bad-unknown; program: TCP; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000031; sid: 5000031; rev:3;)
rules/imperva-normalize.rulebase0000664000175000017500000000377312612177151016356 0ustar champchamp
# Sagan imperva-normalize.rulebase
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# This file is used in conjunction with liblognorm.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
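#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# liblognorm rulebase for Imperva "act=Block" events (CEF-style key=value
# fields). prefix= is left empty.
#
# Fix: dpt= was captured as %src-port%, the same field name already used for
# spt=, so the destination port was never available as its own field (two
# captures cannot share one name). It now maps to %dst-port%, mirroring the
# dst=%dst-ip% / src=%src-ip% pairing used for the addresses. %all:rest%
# swallows whatever follows proto=.
prefix=
rule=: act=Block dst=%dst-ip:ipv4% dpt=%dst-port:number% duser=%username:word% src=%src-ip:ipv4% spt=%src-port:number% proto=%proto:word% %all:rest%
rules/citrix.rules0000664000175000017500000022433412612177151013545 0ustar champchamp
# Sagan citrix.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.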
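# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Citrix applicances/devices/software
# Netscaler rules - 07/30/2012
# Champ Clark III
# Unfortunately, Netscalers populate the "program" field with the system date :(
# We have to do a broad search for Netscaler event IDs. Lame.
#
# Because there is no program: restriction, each rule matches its event-ID
# token anywhere in any log line Sagan sees. The tokens are distinctive enough
# for that to be acceptable, but a token that is also a prefix of a longer one
# will match both events (see the negated contents later in this file).
#
# Consistency fix: sids 5001203-5001205 (adding a confidential field, a field
# type or a profile) were classtype suspicious-traffic, while the matching
# removals (5001209-5001211) and bindings (5001206-5001207) are
# configuration-change. They are now configuration-change as well (rev 2) so
# all AppFw policy edits are classified the same way.
#
# URL transformation outcomes.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action matched URL"; content: "ACTION_MATCH"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001200; sid: 5001200; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation action didn't match URL"; content: "ACTION_MISMATCH"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001201; sid: 5001201; rev:1;)
# AppFw answered a request with a generated 400.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Request error. Generated 400 Response"; content: "AF_400_RESP"; classtype: suspicious-traffic; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001202; sid: 5001202; rev:1;)
# AppFw configuration additions (see the consistency note above).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add a confidential field"; content: "AF_ADD_CFFIELD"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001203; sid: 5001203; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw Field Type"; content: "AF_ADD_FIELDTYPE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001204; sid: 5001204; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Add an AppFw profile"; content: "AF_ADD_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001205; sid: 5001205; rev:2;)
# AppFw rule bindings.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to HTML profile"; content: "AF_BIND_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001206; sid: 5001206; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw rule bound to XML profile"; content: "AF_BIND_XML_TO_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001207; sid: 5001207; rev:1;)
# AppFw internal errors (operational, not attacker-driven).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory allocation request failed"; content: "AF_MEMORY_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001208; sid: 5001208; rev:1;)
# AppFw configuration removals.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove a confidential field"; content: "AF_RM_CFFIELD"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001209; sid: 5001209; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an Appfw Field Type"; content: "AF_RM_FIELDTYPE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001210; sid: 5001210; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Remove an AppFw profile"; content: "AF_RM_PROFILE"; classtype: configuration-change; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001211; sid: 5001211; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Appsecure uthread a stack error"; content: "AF_UTHREAD_STACK_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001212; sid: 5001212; rev:1;)
# SNMP alarm start/stop, disabled (generic tokens, noisy).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module stopped an alarm"; content: "ALERTENDED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001213; sid: 5001213; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SNMP module alarm"; content: "ALERTSTARTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001214; sid: 5001214; rev:1;)
# AppFw protection violations — a client request tripped a WAF check.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in Cookie"; content: "APPFW_BUFFEROVERFLOW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001215; sid: 5001215; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in HTTP Headers"; content: "APPFW_BUFFEROVERFLOW_HDR"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001216; sid: 5001216; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Buffer Overflow violation in URL"; content: "APPFW_BUFFEROVERFLOW_URL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001217; sid: 5001217; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Cookie Consistency violation"; content: "APPFW_COOKIE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001218; sid: 5001218; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw CSRF tag violation"; content: "APPFW_CSRF_TAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001219; sid: 5001219; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw DenyURL violation"; content: "APPFW_DENYURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001220; sid: 5001220; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Consistency violation"; content: "APPFW_FIELDCONSISTENCY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001221; sid: 5001221; rev:1;)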
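# AppFw protection violations, continued.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Field Format violation"; content: "APPFW_FIELDFORMAT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001222; sid: 5001222; rev:1;)
# "APPFW_POLICY_HIT" is a prefix of "APPFW_POLICY_HIT_BUILTIN" (sid 5001224),
# so without the negated content this rule also fired for every built-in
# profile hit. rev 2.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw profile invoked"; content: "APPFW_POLICY_HIT"; content:!"APPFW_POLICY_HIT_BUILTIN"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001223; sid: 5001223; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw built-in profile invoked"; content: "APPFW_POLICY_HIT_BUILTIN"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001224; sid: 5001224; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Referer header violation"; content: "APPFW_REFERER_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001225; sid: 5001225; rev:1;)
# "APPFW_SAFECOMMERCE" is a prefix of "APPFW_SAFECOMMERCE_XFORM" (sid 5001227);
# the negated content keeps the transformed variant from double-firing. rev 2.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation"; content: "APPFW_SAFECOMMERCE"; content:!"APPFW_SAFECOMMERCE_XFORM"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001226; sid: 5001226; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Commerce violation detected and transformed"; content: "APPFW_SAFECOMMERCE_XFORM"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001227; sid: 5001227; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw Safe Object violation"; content: "APPFW_SAFEOBJECT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001228; sid: 5001228; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation"; content: "APPFW_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001229; sid: 5001229; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw StartURL violation"; content: "APPFW_STARTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001230; sid: 5001230; rev:1;)
# XML / MIME attachment checks.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Boundary mismatch in mime message"; content: "APPFW_XML_ATTACHMENT_ERR_BOUNDARY_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001231; sid: 5001231; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Attachment CallBack is NULL but HTTP message is MIME Attachment message"; content: "APPFW_XML_ATTACHMENT_ERR_CALLBACK_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001232; sid: 5001232; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with Illegal Content-Type"; content: "APPFW_XML_ATTACHMENT_ERR_CONTENT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001233; sid: 5001233; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - String is supposed to be MIME Header. But it is not according to the format of Mime Header HeaderName:HeaderValue"; content: "APPFW_XML_ATTACHMENT_ERR_INVALIDHEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001234; sid: 5001234; rev:1;)
# Disabled: token "APPFW_XML_ATTACHMENT_ERR_INVALID_HEADER" (with underscore)
# is distinct from the one matched by 5001234 above.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HTTP Content type should be 'application/xop+xml' or '^(text|application)/([a-zA-Z]*+ xml|xml)'"; content: "APPFW_XML_ATTACHMENT_ERR_INVALID_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001235; sid: 5001235; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - XML Message has an Attachment with size greater than the Configured Max Attachment Size"; content: "APPFW_XML_ATTACHMENT_ERR_MAX_SIZE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001236; sid: 5001236; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attachment Found in the XML Message"; content: "APPFW_XML_ATTACHMENT_FOUND"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001237; sid: 5001237; rev:1;)
# XML denial-of-service checks.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Send Fail Error"; content: "APPFW_XML_DDOS_ERR_MSG_SEND_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001238; sid: 5001238; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max character data length"; content: "APPFW_XML_DOS_ERR_CHAR_DATA_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001239; sid: 5001239; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - DTD present in the XML message"; content: "APPFW_XML_DOS_ERR_DTD"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001240; sid: 5001240; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - External entities present in the XML message"; content: "APPFW_XML_DOS_ERR_EXT_ENTITY"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001241; sid: 5001241; rev:1;)
# "APPFW_XML_DOS_ERR_MAX" is a prefix of every APPFW_XML_DOS_ERR_MAX_* token
# (5001243-5001245 and any further members of that family), so this rule fired
# alongside each of them. The negated content excludes any token that continues
# with an underscore, which covers the whole family without listing it. rev 2.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DoS Maximum Error"; content: "APPFW_XML_DOS_ERR_MAX"; content:!"APPFW_XML_DOS_ERR_MAX_"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001242; sid: 5001242; rev:2;)
# NOTE(review): this is the only rule in the file citing CTX123876; every other
# rule cites CTX123875. Probably a typo — verify the article ID before relying
# on the reference.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum attributes per element"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123876; reference: url,wiki.quadrantsec.com/bin/view/Main/5001243; sid: 5001243; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element an attribute exceeds maximum name length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001244; sid: 5001244; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element attribute exceeds maximum attribute value length"; content: "APPFW_XML_DOS_ERR_MAX_ATTRIBUTE_VALUE_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001245; 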
sid: 5001245; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum elements per message"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENTS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001246; sid: 5001246; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Parent of element exceed maximum children"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_CHILDREN"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001247; sid: 5001247; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element depth"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001248; sid: 5001248; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum element name length"; content: "APPFW_XML_DOS_ERR_MAX_ELEMENT_NAME_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001249; sid: 5001249; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max number of entity expansions"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSIONS"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001250; sid: 5001250; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Exceeds max entity expansion depth"; content: "APPFW_XML_DOS_ERR_MAX_ENTITY_EXPANSION_DEPTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001251; sid: 5001251; rev:1;) 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size exceeds max size"; content: "APPFW_XML_DOS_ERR_MAX_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001252; sid: 5001252; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element exceeds maximum active namespaces"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001253; sid: 5001253; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - In element a namespace exceeds maximum URI length"; content: "APPFW_XML_DOS_ERR_MAX_NAMESPACEURI_LENGTH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001254; sid: 5001254; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Node exceeds maximum nodes per message"; content: "APPFW_XML_DOS_ERR_MAX_NODES"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001255; sid: 5001255; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message size less than min size"; content: "APPFW_XML_DOS_ERR_MIN_FILE_SIZE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001256; sid: 5001256; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Processing instructions present in the XML message"; content: "APPFW_XML_DOS_ERR_PI"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001257; sid: 5001257; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] 
Netscaler - AppFw XML Internal error"; content: "APPFW_XML_ERR_CUSTOM"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001258; sid: 5001258; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Connect to Server Failed"; content: "APPFW_XML_ERR_DDOS_CONNECT_TO_SERVER_FAILED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001259; sid: 5001259; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Interaction socket open Failed"; content: "APPFW_XML_ERR_DDOS_INTERATION_SOCKET_OPEN_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001260; sid: 5001260; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Invalid Config File"; content: "APPFW_XML_ERR_DDOS_INVALID_CONFIG_FILE"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001261; sid: 5001261; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS No Folder Installation Path"; content: "APPFW_XML_ERR_DDOS_NO_FOLDER_INSTALLATION_PATH"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001262; sid: 5001262; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML DDoS Failure to Open Config File"; content: "APPFW_XML_ERR_DDOS_OPEN_CONFIG_FILE_FAIL"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001263; sid: 5001263; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Denial of 
Service Error"; content: "APPFW_XML_ERR_DOS_TRIGGERED"; classtype: attempted-dos; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001264; sid: 5001264; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Environment variable QTHOME not set"; content: "APPFW_XML_ERR_ENV_NOT_SET"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001265; sid: 5001265; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems inserting a namespace into the hash table"; content: "APPFW_XML_ERR_HASH_INSERT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001266; sid: 5001266; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems getting the key of a namespace from the hash table"; content: "APPFW_XML_ERR_HASH_LOOKUP"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001267; sid: 5001267; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to initialize XML tokenizer"; content: "APPFW_XML_ERR_INITIALIZING_TOKENIZER"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001268; sid: 5001268; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to open the file"; content: "APPFW_XML_ERR_INVALID_FILE"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001269; sid: 5001269; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Internal State Invalid"; content: "APPFW_XML_ERR_INVALID_STATE"; classtype: program-error; 
reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001270; sid: 5001270; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid XPath"; content: "APPFW_XML_ERR_INVALID_XPATH"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001271; sid: 5001271; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Low memory"; content: "APPFW_XML_ERR_LOW_MEMORY"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001272; sid: 5001272; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Malformed address"; content: "APPFW_XML_ERR_MALFORMED_ADDRESS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001273; sid: 5001273; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message is not a well-formed XML"; content: "APPFW_XML_ERR_NOT_WELLFORMED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001274; sid: 5001274; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The message having content-type as 'Multipart/Related' and not having a boundary is invalid"; content: "APPFW_XML_ERR_NO_ATTACHMENT_BOUNDARY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001275; sid: 5001275; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - NS-XML APPFW supports SwA and MTOM SOAP attachments"; content: "APPFW_XML_ERR_NO_DIME"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; 
reference: url,wiki.quadrantsec.com/bin/view/Main/5001276; sid: 5001276; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems registering callbacks for operations"; content: "APPFW_XML_ERR_OPERATION_CALLBACK"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001277; sid: 5001277; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix length exceeded"; content: "APPFW_XML_ERR_PREFIX_LENGTH_EXCEEDED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001278; sid: 5001278; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Read Failure"; content: "APPFW_XML_ERR_READ_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001279; sid: 5001279; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message contains SOAP Fault"; content: "APPFW_XML_ERR_SOAP_FAULT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001280; sid: 5001280; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during pop of the node out of the XML stream"; content: "APPFW_XML_ERR_STREAM_POP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001281; sid: 5001281; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Problems during push of the node into the XML stream"; content: "APPFW_XML_ERR_STREAM_PUSH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001282; sid: 5001282; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port in address is greater than 65535"; content: "APPFW_XML_ERR_UNSUPPORTED_PORT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001283; sid: 5001283; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unsupported protocol"; content: "APPFW_XML_ERR_UNSUPPORTED_PROTOCOL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001284; sid: 5001284; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Failed"; content: "APPFW_XML_ERR_VALIDATION_FAILED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001285; sid: 5001285; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Context is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001286; sid: 5001286; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Context user state is NULL - Internal error"; content: "APPFW_XML_PACKET_PROCESSING_ERR_CONTEXT_STATE_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001287; sid: 5001287; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Message config struct is NULL"; content: "APPFW_XML_PACKET_PROCESSING_ERR_MESSAGE_CONFIG_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001288; sid: 5001288; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Dumps the SOAP Fault contents to Audit log"; content: "APPFW_XML_SOAP_FAULT_CONTENTS"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001289; sid: 5001289; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw SQL Injection violation in XML"; content: "APPFW_XML_SQL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001290; sid: 5001290; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract element"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001291; sid: 5001291; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cannot instantiate abstract type"; content: "APPFW_XML_VALIDATION_ERR_ABSTRACT_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001292; sid: 5001292; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Additional soap header present in soap message"; content: "APPFW_XML_VALIDATION_ERR_ADDHEADERS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001293; sid: 5001293; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute appears more than once in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MAX_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001294; sid: 5001294; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Required attribute missing in element"; content: "APPFW_XML_VALIDATION_ERR_ATTRIBUTE_MIN_OCCURS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001295; sid: 5001295; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001296; sid: 5001296; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Content model of element not satisfied"; content: "APPFW_XML_VALIDATION_ERR_CONTENT_MODEL_VIOLATED"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001297; sid: 5001297; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Compiled WSDL file is corrupt"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001298; sid: 5001298; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error compiling the schema"; content: "APPFW_XML_VALIDATION_ERR_CORRUPT_SCHEMA"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001299; sid: 5001299; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Initialization of the data type engine failed"; content: "APPFW_XML_VALIDATION_ERR_DATATYPE_ENGINE_INIT"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001300; sid: 5001300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Internal corruption of WSDL in-memory structure"; content: "APPFW_XML_VALIDATION_ERR_INTERNAL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001301; sid: 5001301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001302; sid: 5001302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid configuration for soap validation"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMBINATION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001303; sid: 5001303; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open compiled WSDL"; content: "APPFW_XML_VALIDATION_ERR_INVALID_COMPILED_WSDL"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001304; sid: 5001304; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element has invalid content model"; content: "APPFW_XML_VALIDATION_ERR_INVALID_CONTENT_MODEL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001305; sid: 5001305; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Data type is invalid"; content: "APPFW_XML_VALIDATION_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001306; sid: 5001306; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001307; sid: 5001307; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Not able to open the file"; content: "APPFW_XML_VALIDATION_ERR_INVALID_FILE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001308; sid: 5001308; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Did not get expected type for element"; content: "APPFW_XML_VALIDATION_ERR_INVALID_TYPE_SUBSTITUTION"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001309; sid: 5001309; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unable to load validation engine"; content: "APPFW_XML_VALIDATION_ERR_LOADING"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001310; sid: 5001310; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Max Error"; content: "APPFW_XML_VALIDATION_ERR_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001311; sid: 5001311; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Service URL is not present or NULL"; content: "APPFW_XML_VALIDATION_ERR_NOSERVICEURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001312; sid: 5001312; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Feature not supported"; content: "APPFW_XML_VALIDATION_ERR_NOT_SUPPORTED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001313; sid: 5001313; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Trying to pop from an empty stack"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001314; sid: 5001314; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Level of recursion more than maximum allowed depth"; content: "APPFW_XML_VALIDATION_ERR_REX_STACK_OVERFLOW"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001315; sid: 5001315; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Both SOAP Body and SOAP Header are empty in the SOAP request"; content: "APPFW_XML_VALIDATION_ERR_SOAPBODY_EMPTY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001316; sid: 5001316; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Body structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_BODY"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001317; sid: 5001317; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Envelope structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_ENVELOPE"; classtype: web-application-attack; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001318; sid: 5001318; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Soap Header structure check failed"; content: "APPFW_XML_VALIDATION_ERR_SOAP_HEADER"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001319; sid: 5001319; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Prefix is unbounded"; content: "APPFW_XML_VALIDATION_ERR_UNBOUNDED_PREFIX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001320; sid: 5001320; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot be nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_CONTENTS_CANNOT_BE_NIL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001321; sid: 5001321; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element is nil"; content: "APPFW_XML_VALIDATION_LOAD_ERR_NIL_WITH_CONTENTS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001322; sid: 5001322; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_DATATYPE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001323; sid: 5001323; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Element cannot appear at this location"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_ELEMENT_INVALID_LOCATION"; classtype: web-application-attack; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001324; sid: 5001324; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Facet mismatch"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FACET_MISMATCH"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001325; sid: 5001325; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validator Load Failed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_FAILED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001326; sid: 5001326; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Attribute has invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_ATTRIBUTE_VALUE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001327; sid: 5001327; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema data type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_DATATYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001328; sid: 5001328; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Invalid schema node type"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_SCHEMA_NODE_TYPE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001329; sid: 5001329; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Value does not match FIXED constraint"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_INVALID_VALUE_FOR_FIXED"; classtype: web-application-attack; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001330; sid: 5001330; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is greater than max allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_GT_MAX"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001331; sid: 5001331; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is invalid"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_INVALID"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001332; sid: 5001332; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - List length is lesser than min allowed"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_LIST_LENGTH_LT_MIN"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001333; sid: 5001333; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML Validation Maximum Load Error"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_MAX"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001334; sid: 5001334; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Missing require attribute in element"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_REQUIRED_ATTRIBUTE"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001335; sid: 5001335; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled Schema is being ignored"; content: 
"APPFW_XML_VALIDATOR_LOAD_ERR_SCHEMA_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001336; sid: 5001336; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error code in the compiled WSDL is being ignored"; content: "APPFW_XML_VALIDATOR_LOAD_ERR_WSDL_COMPILATION"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001337; sid: 5001337; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI Internal Context NULL"; content: "APPFW_XML_WSI_ERR_CTXT_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001338; sid: 5001338; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI HTTP Error"; content: "APPFW_XML_WSI_ERR_HTTP"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001339; sid: 5001339; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Resource id of deployment is NULL"; content: "APPFW_XML_WSI_ERR_NODEPLOYED"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001340; sid: 5001340; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Port URL is NULL"; content: "APPFW_XML_WSI_ERR_NOPORTURL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001341; sid: 5001341; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Deployed resource is not WSDL"; content: "APPFW_XML_WSI_ERR_NOWSDLDEPLOYED"; classtype: program-error; reference: 
url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001342; sid: 5001342; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML WSI List Null"; content: "APPFW_XML_WSI_ERR_WSI_LIST_NULL"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001343; sid: 5001343; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during initialization"; content: "APPFW_XML_XSD_COMPILE_INIT_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001344; sid: 5001344; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XML XSDLOAD Failed during Compile"; content: "APPFW_XML_XSD_COMPILE_LOADXSD_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001345; sid: 5001345; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - No XSModel to print"; content: "APPFW_XML_XSD_COMPILE_NOMODEL_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001346; sid: 5001346; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Error during parsing"; content: "APPFW_XML_XSD_COMPILE_PARSE_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001347; sid: 5001347; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unexpected exception during parsing"; content: "APPFW_XML_XSD_COMPILE_UNEXPECTED_ERR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001348; sid: 5001348; 
rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation in XML"; content: "APPFW_XML_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001349; sid: 5001349; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AppFw XSS violation"; content: "APPFW_XSS"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001350; sid: 5001350; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response body"; content: "BODY_FRAG"; classtype: web-application-attack; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001351; sid: 5001351; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush starts"; content: "CACHESTARTFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001352; sid: 5001352; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Cache flush is complete"; content: "CACHESTOPFLUSH"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001353; sid: 5001353; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR - client security check for a SSLVPN session failed"; content: "CLISEC_CHECK"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001354; sid: 5001354; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Severity ERROR when client security expression evaluates to False"; content: "CLISEC_EXP_EVAL"; classtype: 
unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001355; sid: 5001355; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logs the NSCLI/GUI command executed in NetScaler"; content: "CMD_EXECUTED"; classtype: system-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001356; sid: 5001356; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Completed reading the configuration from ns.conf file"; content: "CONFIGEND"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001357; sid: 5001357; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Read the configuration from ns.conf file"; content: "CONFIGSTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001358; sid: 5001358; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "CONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001359; sid: 5001359; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - TCP connection terminated"; content: "CONN_TERMINATE"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001360; sid: 5001360; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The input URL before rewriting"; content: "CVPN_INPUT_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001361; sid: 5001361; 
rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The matched URL"; content: "CVPN_MATCHED_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001362; sid: 5001362; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - PCRE Error"; content: "CVPN_PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001363; sid: 5001363; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - The rewritten URL"; content: "CVPN_REWRITTEN_URL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001364; sid: 5001364; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is down"; content: "DEVICEDOWN"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001365; sid: 5001365; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is out of service"; content: "DEVICEOFS"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001366; sid: 5001366; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Device is up"; content: "DEVICEUP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001367; sid: 5001367; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - After a user logs in the group for the user has been extracted"; content: "EXTRACTED_GROUPS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001368; sid: 5001368; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation profile invoked"; content: "FILE_REQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001369; sid: 5001369; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Bad memory is freed (internal error)"; content: "FREEBADMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001370; sid: 5001370; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Duplicate memory free occurs (internal error)"; content: "FREEDUPMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001371; sid: 5001371; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Memory is freed from a wrong pool (internal error)"; content: "FREEEXTMEM"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001372; sid: 5001372; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A SSLVPN session receives a HTTP request"; content: "HTTPREQUEST"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001373; sid: 5001373; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A http resource access is denied by policy engine"; content: "HTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001374; sid: 5001374; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler 
- ICA application has terminated"; content: "ICAEND_CONNSTAT"; parse_src_ip: 1; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001375; sid: 5001375; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - ICA application launch has started"; content: "ICASTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001376; sid: 5001376; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN license limit reached"; content: "LICLMT_REACHED"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001377; sid: 5001377; rev:1;)
# "LOGIN " carries a trailing space, presumably so it does not also match "LOGIN_FAILED" below.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN login succeeds"; content: "LOGIN "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001378; sid: 5001378; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - AAA module failed to login the user"; content: "LOGIN_FAILED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001521; sid: 5001521; rev:1;)
# Brute-force correlation with active response: five "AAA LOGIN_FAILED" events from one
# source inside 300 s raise the alert (output limited to 5 per 300 s per source) and ask
# fwsam to block that source for 1 day. The address handed to fwsam is whatever
# parse_src_ip: 1 extracts from the log line -- NOTE(review): confirm against the
# appliance's AAA LOGIN_FAILED log format that this is the remote client and not the
# NetScaler's own or a NAT address, otherwise the 1-day block lands on infrastructure.
# Unlike the surrounding rules this one is declared tcp/$HTTPS_PORT rather than
# syslog/any; presumably intentional for the alert output -- verify.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5]"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001379; sid: 5001379; rev:5;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN session logs out."; content: 
"LOGOUT "; classtype: successful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001380; sid: 5001380; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is down"; content: "MONITORDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001381; sid: 5001381; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service has hit threshold limit"; content: "MONITORTH"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001382; sid: 5001382; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Monitor bound to the service is up"; content: "MONITORUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001383; sid: 5001383; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is in hung state"; content: "NICHANG"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001384; sid: 5001384; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is less than the min required"; content: "NICLOW_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001385; sid: 5001385; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface is bound or unbound from a channel"; content: "NICMIGRATE"; classtype: network-event ; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001386; sid: 5001386; 
rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Interface's throughput is equal or greater than the min required"; content: "NICNORMAL_THROUGHPUT"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001387; sid: 5001387; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is reset"; content: "NICRESET"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001388; sid: 5001388; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is started"; content: "NICSTART"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001389; sid: 5001389; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Network interface is stopped"; content: "NICSTOP"; classtype: hardware-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001390; sid: 5001390; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - A non-http resource access is denied by policy engine"; content: "NONHTTP_RESOURCEACCESS_DENIED"; classtype: unsuccessful-user; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001391; sid: 5001391; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Server side and a client side TCP connection is delinked"; content: "OTHERCONN_DELINK"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001392; sid: 5001392; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with PID is being restarted"; content: 
"PB_PROCESS_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001393; sid: 5001393; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Process with pid has reached maximum number of restarts"; content: "PB_SYSTEM_RESTART"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001394; sid: 5001394; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation regex error"; content: "PCRE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001395; sid: 5001395; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Pitboss watch is added or deleted on a process with the process id PID"; content: "PITBOSS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001396; sid: 5001396; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation fails"; content: "PROPFAIL"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001397; sid: 5001397; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA propagation is successful"; content: "PROPSUCCESS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001398; sid: 5001398; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a request header"; content: "REQ_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001399; sid: 5001399; rev:1;) 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation parsing error"; content: "REQ_PARSE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001400; sid: 5001400; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation error in a request header"; content: "REQ_WRITE_ERROR"; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001401; sid: 5001401; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - URL Transformation in a response header"; content: "RESP_HEADER"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001402; sid: 5001402; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is down"; content: "ROUTEDOWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001403; sid: 5001403; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route is up"; content: "ROUTEUP"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001404; sid: 5001404; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Advertised"; content: "ROUTE_ADVERTISED"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001405; sid: 5001405; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA state change"; content: "ROUTE_HASTATE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001406; sid: 5001406; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Relearnt"; content: "ROUTE_RELEARN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001407; sid: 5001407; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Route Withdrawn"; content: "ROUTE_WITHDRAWN"; classtype: network-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001408; sid: 5001408; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Certificate Expiry Imminent"; content: "SSL_CERT_EXPIRY_IMMINENT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001409; sid: 5001409; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Failure"; content: "SSL_CRL_UPDATE_FAILURE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001410; sid: 5001410; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL CRL Update Success"; content: "SSL_CRL_UPDATE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001411; sid: 5001411; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Failure"; content: "SSL_HANDSHAKE_FAILURE"; classtype: network-event; parse_src_ip: 1; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001412; sid: 5001412; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate IssueName"; content: "SSL_HANDSHAKE_ISSUERNAME"; 
classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001413; sid: 5001413; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Client Certificate SubjectName"; content: "SSL_HANDSHAKE_SUBJECTNAME"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001414; sid: 5001414; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSL Handshake Success"; content: "SSL_HANDSHAKE_SUCCESS"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001415; sid: 5001415; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - CPU started"; content: "STARTCPU"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001416; sid: 5001416; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration started"; content: "STARTSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001417; sid: 5001417; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System Started"; content: "STARTSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001418; sid: 5001418; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - HA State has changed"; content: "STATECHANGE"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001419; sid: 5001419; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - SSLVPN and the group for the 
user has been extracted"; content: "STA_VALIDATE_RESP"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001420; sid: 5001420; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Save configuration has stopped"; content: "STOPSAVECONFIG"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001421; sid: 5001421; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - System stopped"; content: "STOPSYS"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001422; sid: 5001422; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Logged TCP connection related information"; content: "TCPCONNSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001423; sid: 5001423; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - An SSLVPN connection timed out"; content: "TCPCONN_TIMEDOUT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001424; sid: 5001424; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - UDP flow"; content: "UDPFLOWSTAT"; classtype: not-suspicious; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001425; sid: 5001425; rev:1;) # Triggers on non-citrix related events #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - Unknown Error"; content: " UNKNOWN "; classtype: program-error; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001426; sid: 5001426; rev:1;) #alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to down"; content: "VIPRHIDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001427; sid: 5001427; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - RHI state of VIP changes to up"; content: "VIPRHIUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001428; sid: 5001428; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRID6DOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001429; sid: 5001429; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to backup"; content: "VRIDDOWN"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001430; sid: 5001430; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to INIT"; content: "VRIDINIT"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001431; sid: 5001431; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CITRIX] Netscaler - VRID changes state to master"; content: "VRIDUP"; classtype: system-event; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5001432; sid: 5001432; rev:1;) rules/hostapd.rules0000664000175000017500000001044112612177151013675 0ustar champchamp# Sagan hostapd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************

# hostapd rules: every rule is scoped with "program: hostapd" and matches one or
# more literal fragments of the daemon's syslog output.
# NOTE(review): the references here are written "url, wiki..." with a space after
# the comma, unlike the other rule files ("url,wiki..."); confirm the reference
# parser tolerates the space, or the generated URL will carry it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Possible downgrade attack"; program: hostapd; content: "downgrade attack"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001041; sid: 5001041; rev: 1;)
# NOTE(review): same msg as sid 5001041 but a different match (TLSv1 decrypt
# failure); a distinct msg would make the two easier to tell apart in output.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Possible downgrade attack"; program: hostapd; content: "TLSv1"; content: "Failed to decrypt"; classtype: unsuccessful-user ; reference: url, wiki.quadrantsec.com/bin/view/Main/5001042; sid: 5001042; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] UPnP DoS excessive addresses [DoS]"; program: hostapd; content: "UPnP"; content: "Ignoring excessive addresses"; classtype: attempted-dos; reference: url, wiki.quadrantsec.com/bin/view/Main/5001043; sid: 5001043; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] Radius - Starting accounting session"; program: hostapd; content: "RADIUS"; content: "starting accounting session"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001044; sid: 5001044; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] WPA pairwise key handshake complete"; program: hostapd; content: "WPA"; content: "pairwise key handshake completed"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001045; sid: 5001045; rev: 1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - Disassociated"; program: hostapd; content: "IEEE 802.11"; content: "disassociated"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001046; sid: 5001046; rev: 1;)
# The leading space in " associated" keeps this rule from matching inside "disassociated"
# (sid 5001046 above).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - Associated"; program: hostapd; content: "IEEE 802.11"; content: " associated"; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001047; sid: 5001047; rev: 
1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] WPA - group key handshake complete [RSN]"; program: hostapd; content: "WPA"; content: "group key handshake completed"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001048; sid: 5001048; rev: 1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HOSTAPD] IEEE 802.11 - deauthenticated due to local deauth request"; program: hostapd; content: "IEEE 802.11"; content: "deauthenticated due to local deauth request"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001049; sid: 5001049; rev: 1;) rules/pure-ftpd.rules0000664000175000017500000000753012612177151014146 0ustar champchamp# Sagan pure-ftpd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PUREFTPD] New FTP connection"; content: "[INFO] New connection from"; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000216; sid: 5000216; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PUREFTPD] Authentication failed"; content: "[WARNING] Authentication failed for user"; classtype: unsuccessful-user; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000217; sid: 5000217; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PUREFTPD] FTP user logout or timeout"; pcre: "/[INFO] Logout|[INFO] Timeout/"; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000219; sid: 5000219; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PUREFTPD] FTP notice message"; content: "[NOTICE]"; classtype: program-error; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000220; sid: 5000220; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PUREFTPD] Attempting to access invalid directory"; content: "[INFO] Can't change directory to"; classtype: suspicious-filename-detect; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000221; sid: 5000221; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PUREFTPD] FTP 
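Authentication successful"; pcre: "/\[INFO\] \S+ is now logged in/"; classtype: successful-user; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000222; sid: 5000222; rev:3;)
# NOTE(review): in sid 5000222 above, an unescaped "[INFO]" in the pcre is a character class
# (one of I, N, F or O), not the literal "[INFO]" tag that the content: rules in this file match,
# so the original "/[INFO] \S+ is now logged in/" could not fire on a pure-ftpd login line; escaped.
# NOTE(review): sid 5000414 looked like a copy of an sshd rule ("program: sshd", a stray ";;", and a
# second pcre anchored "^apache$|..." that can never match a whole log line). The same
# system-account list is now applied to the username captured from the pure-ftpd login message.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[PUREFTPD] User logged into an disabled account"; pcre: "/\[INFO\] (apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|shutdown|halt|daemon|bin|postfix|shell|info|guest|psql|user|users|console|uucp|lp|sync|sshd|cdrom|ossec|sagan) is now logged in/"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000414; program: pure-ftpd; sid: 5000414; rev:3;)
rules/vmware-geoip.rules0000664000175000017500000000547612612177151014641 0ustar champchamp# Sagan vmware-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 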
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # VMWare ESX alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; pcre: "/Accepted password for|login from/i"; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002381; sid:5002381; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful from outside HOME_COUNTRY"; content: " logged in "; classtype: successful-admin; program: Hostd; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002382; sid:5002382; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-GEOIP] User login successful"; content: "Accepted password"; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; program: Hostd; normalize: vmware; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002383; sid:5002383; rev:1;) rules/dns-normalize.rulebase0000664000175000017500000000432012612177151015464 0ustar champchamp# Sagan dns-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* prefix= rule=: client %src-ip:ipv4%#%src-port:number%: update '%-:char-to:\x27%' denied rule=: client %src-ip:ipv4%#%src-port:number%: query (cache) '%-:char-to:\x27%' denied rule=: unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number% rule=: error (unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number% rules/vmpop3d.rules0000664000175000017500000000403712612177151013627 0ustar champchamp# Sagan vmpop3d.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[VMPOP3D] Authentication failure for POP3"; content: "failed auth"; classtype: unsuccessful-user; program: vm-pop3d; reference: url,wiki.quadrantsec.com/bin/view/Main/5000215; sid: 5000215; rev:3;) rules/ssh-tectia-server-correlated.rules0000664000175000017500000000435212612177151017731 0ustar champchamp# Sagan ssh-tectia-server-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[SSH-TECTIA-SERVER-CORRELATED] Authentication success after suspicious activity"; content: "Login_success"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002380; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; sid:5002380; rev:1;) rules/courier-geoip.rules0000664000175000017500000000623712612177151015014 0ustar champchamp# Sagan courier-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
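# #*************************************************************
# NOTE(review): sid 5002394 had "program: imapd|imapd-sslcourierlogger" (missing "|"), so neither
# imapd-ssl nor courierlogger could ever match this rule; aligned with the sibling rules below.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Authentication failure from outside HOME_COUNTRY"; content: "LOGIN FAILED,"; parse_src_ip: 1; classtype: unsuccessful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002394; sid:5002394; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Logout/disconnect from outside HOME_COUNTRY"; pcre: "/LOGOUT|DISCONNECTED/"; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002395; sid:5002395; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] User login from outside HOME_COUNTRY"; content: "LOGIN,"; parse_src_ip: 1; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002396; sid:5002396; rev:1;)
# NOTE(review): classtype successful-user on a session timeout looks copied from sid 5002396
# (the logout/disconnect rule 5002395 uses not-suspicious) -- confirm the intended classtype.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-GEOIP] Timeout from outside HOME_COUNTRY"; content: "TIMEOUT"; parse_src_ip: 1; classtype: successful-user; program: imapd|imapd-ssl|courierlogger; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002397; sid:5002397; rev:1;)
rules/ossec.rules0000664000175000017500000001326512612177151013356 0ustar champchamp# Sagan ossec.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 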
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Agent started"; content: "Agent started"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000285; sid: 5000285; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ossec started"; content: "Ossec started"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000287; sid: 5000287; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Agent disconnect"; content: "Agent disconnected"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000288; sid: 5000288; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignored common NTFS ADS entries"; pcre: "/Zone.Identifier|Exchsrvrr/Mailroot|vsi|encryptable/i"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000289; sid: 5000289; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Audit"; content: "Windows Audit"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000290; sid: 5000290; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Malware"; content: "Windows Malware"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000291; sid: 5000291; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows application monitor event"; content: "Application Found"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000292; sid: 5000292; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignoring rootcheck/syscheck scan messages"; pcre: "/^Starting rootcheck scan|^Ending rootcheck scan|^Starting syscheck scan|^Ending syscheck scan/i"; classtype: system-event; program: ossec; 
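reference: url,wiki.quadrantsec.com/bin/view/Main/5000293; sid: 5000293; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] System Audit"; content: "System Audit"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000294; sid: 5000294; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Windows Adware/Spyware application found"; pcre: "/Adware|Spyware/i"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000295; sid: 5000295; rev:1;)
# NOTE(review): the original content was "dh -h", which is not a command, so this rule presumably
# never matched the df output its msg describes; corrected to "df -h". Confirm against the command
# the agent is actually configured to run. Note also that nothing here matches "100%": the rule
# fires on any df report, not only a full partition -- add a content: "100%" if that is the intent.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Partition usage reached 100% [disk space monitor]"; content: "output"; content: "df -h"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000296; sid: 5000296; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Ignoring external medias"; pcre: "/\/cdrom|\/media|usb|\/mount|floppy|dvd/"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000297; sid: 5000297; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Integrity checksum for agentless device changed"; content: "agentless"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000298; sid: 5000298; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Log file rotated"; content: "File rotated"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000299; sid: 5000299; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] File size reduced"; content: "File size reduced"; classtype: system-event; program: ossec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000300; sid: 5000300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Microsoft event log cleared"; content: "Event log cleared"; classtype: system-event; program: ossec; reference: 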
url,wiki.quadrantsec.com/bin/view/Main/5000301; sid: 5000301; rev:1;) rules/attack.rules0000664000175000017500000000755312612177151013514 0ustar champchamp# Sagan attack.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
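# #*************************************************************
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Buffer overflow attempt on rpc.statd"; pcre: "/gethostbyname error for \W+/"; classtype: exploit-attempt; program: rpc.statd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000095; sid:5000095; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Buffer overflow attempt on WU-FTPD version prior to 2.6" ; pcre: "/\S+ FTP LOGIN FROM \.+ 0bin0sh/"; classtype: exploit-attempt; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000096; sid:5000096; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt"; content: "?????????????????????"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000097; sid:5000097; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] 'Null' user change some information"; content: "changed by"; content: "null"; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000098; sid:5000098; rev:1;)
# NOTE(review): the reference url ends in 5000356 while the sid is 5000365. The surrounding
# sids (5000366 follows) suggest the sid is right and the reference digits are transposed --
# confirm against the wiki and correct the reference, not the sid.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Possible buffer overflow attempt [yppasswd?]" ; content: "@@@@@@@@@@@@@@@@@@@@@@@@@"; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000356; sid:5000365; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Heap overflow in the Solaris cachefsd service" ; content: "Segmentation Fault"; content: "core dumped"; program: cachefsd; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000366; sid:5000366; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] Stack overflow attempt with SEGV [Solaris]"; content: "attempt to execute code on stack by"; nocase; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5000099; sid:5000099; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ATTACK] 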
Possible buffer overflow attempt [NOOP]" ; content: "AAAAAAAAAAAAAAAAAAAAAAAAA"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000100; sid:5000100; rev:1;) rules/windows-auth.rules0000664000175000017500000014731212612177151014674 0ustar champchamp# Sagan windows-auth.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Windows authentication rules. # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1]"; content: " 529|3a| "; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; flowbits: set,brute_force,86400; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001151; sid: 5001151; rev:13;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Unknown username or bad password"; content: " 529|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001531; sid: 5001531; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account login time restriction"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001152; sid: 5001152; rev:4;) # We only want disabled users that contain usernames, hence the content:! on sid 5001153. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account currently disabled [0/1]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001153; sid: 5001153; rev:9;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001154; sid: 5001154; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001155; sid: 5001155; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - User not granted login type"; content: " 534|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001156; sid: 5001156; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account password is expired"; content: " 535|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001157; sid: 5001157; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Internal error"; pcre: "/ 536: | 537: /"; classtype: unsuccessful-user; program: Security*; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 2, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001158; sid: 5001158; rev:7;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Login failure - Account locked [0/1]"; content: " 539|3a| "; 
content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; threshold: type limit, track by_src, count 1, seconds 300; parse_src_ip: 1; parse_port; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001159; sid: 5001159; rev:9;) # See 681 & 4769 for subcodes #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001160; sid: 5001160; rev:10;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account unlocked"; pcre: "/ 671: | 4767: /"; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001161; sid: 5001161; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group created"; pcre: "/ 631: | 635: | 658: | 4727: | 4731: | 4754: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001162; sid: 5001162; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group deleted"; pcre: "/ 634: | 638: | 662: | 4730: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001163; sid: 5001163; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account created"; pcre: "/ 631: | 4727: | 635: | 4731: | 658: | 4754: | 648: | 4744: | 653: | 4749: | 663: | 4759: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001164; sid: 5001164; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account deleted"; 
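pcre: "/ 634: | 4730: | 638: | 4734: | 662: | 4758: | 652: | 4748: | 657: | 4753: | 667: | 4763: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001165; sid: 5001165; rev:3;)
# Group account changed. The alternation previously contained "641 " without the trailing colon (so
# event 641 could never match the "NNN: " form every other entry uses) and listed the 637/4733 and
# 659/4755 pairs twice; the colon is added and the exact duplicates dropped.
# NOTE(review): "660: | 4766:" sits alongside "660: | 4756:" -- 4766 may be a typo for 4756; confirm before enabling.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Group account changed"; pcre: "/ 632: | 4728: | 633: | 4729: | 636: | 4732: | 637: | 4733: | 639: | 4735: | 641: | 4737: | 659: | 4755: | 660: | 4766: | 668: | 4764: | 649: | 4745: | 650: | 4746: | 651: | 4747: | 654: | 4750: | 655: | 4751: | 656: | 4752: | 660: | 4756: | 661: | 4757: | 664: | 4760: | 665: | 4761: | 666: | 4762: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001475; sid: 5001475; rev:4;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member added"; pcre: "/ 632: | 4728: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001166; sid: 5001166; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group member removed"; pcre: "/ 633: | 4729: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001167; sid: 5001167; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group deleted"; pcre: "/ 634: | 4730: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001168; sid: 5001168; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group created"; pcre: "/ 635: | 4731: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001169; sid: 5001169; rev:4;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member added"; pcre: "/ 636: | 4732: /"; 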
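classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001170; sid: 5001170; rev:3;)
# classtype previously read "system-eventr"; every sibling rule uses "system-event", so this looked like
# a typo that would fail classification once the rule is enabled.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group member removed"; pcre: "/ 637: | 4733: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001171; sid: 5001171; rev:4;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group deleted"; pcre: "/ 638: | 4734: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001172; sid: 5001172; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled local group changed"; pcre: "/ 639: | 4735: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001173; sid: 5001173; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group changed"; pcre: "/ 641: | 4737: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001174; sid: 5001174; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group created"; pcre: "/ 658: | 4754: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001176; sid: 5001176; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group changed"; pcre: "/ 659: | 4755: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001177; sid: 5001177; rev:3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled universal group member added"; pcre: "/ 660: | 4756: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001178; sid: 5001178; rev:3;)
#alert syslog 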
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member removed"; pcre: "/ 661: | 4757: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001179; sid: 5001179; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled group member deleted"; pcre: "/ 662: | 4758: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001180; sid: 5001180; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RDP maximum allowed failed logon attempts"; content: " 1012|3a| "; classtype: system-event; program: TermService; reference: url,wiki.quadrantsec.com/bin/view/Main/5001181; sid: 5001181; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows login attempt (ignored). Duplicated"; content: " 680|3a| "; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001186; sid: 5001186; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login failure"; pcre: "/ 20187: | 20014: | 20078: | 20050: | 20049: | 20189: /"; classtype: unsuccessful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001187; sid: 5001187; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote access login success"; content: " 20158|3a| "; classtype: successful-user; program: RemoteAccess; reference: url,wiki.quadrantsec.com/bin/view/Main/5001188; sid: 5001188; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 647: | 4742: | 4743: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001189; sid: 5001189; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Computer account changed/deleted"; pcre: "/ 646: | 
647: | 4742: | 4743: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid: 5001190; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out [multiple login errors] [0/1]"; pcre: "/ 644: | 4740: /"; threshold: type limit, track by_src, count 1, seconds 300; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001192; sid: 5001192; rev:7;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] General account database changed"; content: " 640|3a| "; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001193; sid: 5001193; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Integrity check on decrypted"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x1F"; classtype: exploit-attempt; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001195; sid: 5001195; rev:6;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Possible replay attack"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x22"; classtype: exploit-attempt; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001196; sid: 5001196; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] DC - Clock skew too great"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: "Failure Code|3a| 0x25"; threshold: type limit, track by_src, count 1, seconds 86400; classtype: exploit-attempt; parse_src_ip: 1; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001197; sid: 5001197; rev:7;) # Tied to SIDs. #if_sid 18207,18208 - see msauth rules. Sagan can do the same, rules just need to be written. 
# Same with "Kerberos failures that may indicate an attack" # #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Administrator group changed"; pcre: "/ ID:\s+\p*S-1-5-32-544\p*/"; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/XXXXXXX; sid: XXXXXXX; rev:3;) # 09/18/2012 Sniffty Dugen #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Attempted Password Reset"; pcre: "/ 628: | 4724: /"; classtype: configuration-change; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001620; sid:5001620; rev:4;) # Generic "catch all" for event ID 6273 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5]"; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001648; sid: 5001648; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1]"; content: " 6273|3a| "; content: "Reason Code: 16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001657; sid: 5001657; rev:7;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password"; content: "Reason Code|3a| 16 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001658; sid: 5001658; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User account does not exist"; content: "Reason Code|3a| 8 "; content: " 6273|3a| "; classtype: unsuccessful-user; 
program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001659; sid: 5001659; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Domain does not exist"; content: "Reason Code|3a| 7 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001660; sid: 5001660; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] No matching network policy"; content: "Reason Code|3a| 48 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001661; sid: 5001661; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] RADIUS Access-Request message is disabled"; content: "Reason Code|3a| 34 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001662; sid: 5001662; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] User must change password"; content: "Reason Code|3a| 33 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001663; sid: 5001663; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Remote RADIUS did not process auth request"; content: "Reason Code|3a| 112 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001664; sid: 5001664; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Incomplete message. 
Signature not verified"; content: "Reason Code|3a| 262 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001665; sid: 5001665; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] EAP type cannot be processed by server"; content: "Reason Code|3a| 22 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001666; sid: 5001666; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Error occurred with EAP"; content: "Reason Code|3a| 23 "; content: " 6273|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001667; sid: 5001667; rev:4;) # Group change rules were typically too noisy and didn't supply the information # needed. These rules detect "what" group a user was "added" to. This should # greatly improve the signal-to-noise ratio. 
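#
# These were created by Robert Nunley (rnunley@quadrantsec.com)
#
# Each rule below pairs the event ID (pre-2008 | 2008+ form) with a second pcre on a domain SID
# whose RID names the group of interest. The SID pcre is applied to the whole log line, so it
# also fires when the *member* SID happens to carry that RID.
# Local group
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] Local Administrator account added to a local group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-500 /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001692; sid: 5001692; rev:5;)
# NOTE(review): the builtin Network Configuration Operators group is S-1-5-32-556; a domain SID
# (S-1-5-21-...-556) with that RID is a different principal -- confirm which group is intended.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Network Config Operator group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-556 /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001693; sid: 5001693; rev:5;)
# NOTE(review): RID 1101 for DnsAdmins is common but not fixed; verify it against each monitored domain.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to DNS Admins group"; pcre: "/ 636: | 4732: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-1101 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001694; sid: 5001694; rev:4;)
# Domain/global group
# Header previously read "$HOME_NET 389". No other rule in this section constrains a port, so the
# restriction looked like a copy/paste slip that would keep this high-value alert from firing;
# aligned with the sibling rules -- confirm no deployment relied on the old header.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Domain Administrators group"; pcre: "/ 632: | 4728: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-512 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001695; sid: 5001695; rev:6;)
# Enterprise/universal group
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Enterprise Administrators group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-519 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001696; sid: 5001696; rev:5;)
# reference previously pointed at .../5001696 (copied from the rule above); wiki pages are keyed by sid.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User added to Group Policy Creator Owner group"; pcre: "/ 660: | 4756: /"; pcre: "/S-1-5-21-\d{5,15}\-\d{5,15}\-\d{5,15}-520 /"; program: Security*; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001697; sid: 5001697; rev:6;)
# User enabled
# The negated content presumably excludes computer accounts (names ending in "$"). A corrupted copy
# of this option ('content:!"$ Account Domain";|3a| ";') preceded the intact one and has been removed.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account enabled"; pcre: "/ 626: | 4722: /"; content:!"$ Account Domain|3a| "; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001687; sid: 5001687; rev:8;)
# User created
# NOTE(review): reference (5001786) and sid (5001791) disagree; left as-is, confirm which is right.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created"; pcre: "/ 624: | 4720: /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001786; sid: 5001791; rev:4;)
# Windows 2008 rules submitted by Robert Nunley (rnunley@quadrantsec.com)
# NTSTATUS codes are matched with nocase; the "$" exclusions presumably drop computer accounts.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5001728; sid: 5001728; rev:14;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; content:!"Source Network Address|3a| -"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001729; sid: 5001729; rev:13;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1]"; content: "C0000234"; 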
nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001730; sid: 5001730; rev:9;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001731; sid: 5001731; rev:12;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside of Time Restriction [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001732; sid: 5001732; rev:10;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Account [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001733; sid: 5001733; rev:10;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows Brute force - Expired Password [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; 
after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001734; sid: 5001734; rev:10;) # Windows authentication rules by code type. Submitted by Brian Echeverry #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001740; sid: 5001740; rev:8;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001741; sid: 5001741; rev:7;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001742; sid: 5001742; rev:7;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - Client's key encrypted in old 
master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001743; sid: 5001743; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001744; sid: 5001744; rev:5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001745; sid: 5001745; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001746; sid: 5001746; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001747; sid: 5001747; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001748; sid: 5001748; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001749; sid: 5001749; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: 
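url,wiki.quadrantsec.com/bin/view/Main/5001750; sid: 5001750; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001751; sid: 5001751; rev:6;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001752; sid: 5001752; rev:5;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001753; sid: 5001753; rev:5;)
# msg typo "B4ute" fixed. flowbits: set,brute_force,86400 added so this rule feeds the same brute_force
# bit as every other 0x* failure-code rule in this section instead of being the one silent exception.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 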
parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001754; sid: 5001754; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001755; sid: 5001755; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001756; sid: 5001756; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001757; sid: 5001757; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, 
seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001758; sid: 5001758; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001759; sid: 5001759; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001760; sid: 5001760; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001761; sid: 5001761; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: 
set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001762; sid: 5001762; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001763; sid: 5001763; rev:9;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001764; sid: 5001764; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001765; sid: 5001765; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; 
classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001766; sid: 5001766; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001767; sid: 5001767; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001768; sid: 5001768; rev:6;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001769; sid: 5001769; rev:5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; 
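content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001770; sid: 5001770; rev:6;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001771; sid: 5001771; rev:6;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001772; sid: 5001772; rev:6;)
# 5001773 and 5001774 (both disabled) used "program: Security" while every other rule in this Kerberos
# failure-code series uses the "Security*" wildcard. Aligned them to the wildcard so they match the same
# event-log program names as their siblings if re-enabled; rev bumped.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001773; sid: 5001773; rev:6;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001774; sid: 5001774; rev:6;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001775; sid: 5001775; rev:5;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001776; sid: 5001776; rev:5;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001777; sid: 5001777; rev:5;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 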
676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001778; sid: 5001778; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001779; sid: 5001779; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001780; sid: 5001780; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001781; sid: 5001781; rev:5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x31 - Incorrect 
sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001782; sid: 5001782; rev:6;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001783; sid: 5001783; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001784; sid: 5001784; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001785; sid: 5001785; rev:5;) # Account "re-enabled" via flowbit (12/03/2013) alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account created [FLOWBIT SET]"; pcre: "/ 624: | 4720: /"; program: Security*; classtype: successful-user; flowbits: set, created_enabled, 30; flowbits: noalert; reference: url,wiki.quadrantsec.com/bin/view/Main/5001880; sid: 5001880; rev:4;)
# 5001881: an "account enabled" event (626/4722) from a source for which the created_enabled flowbit is NOT set
# (5001880 above sets it on 624/4720, silently, with a lifetime of 30 -- presumably seconds) means an existing
# account was turned back on rather than freshly created. content:!"$" drops events containing "$"
# (typically computer accounts) so only user accounts are reported.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account re-enabled"; pcre: "/ 626: | 4722: /"; content:! "$" ;program: Security*; flowbits: isnotset, by_src, created_enabled; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001881; sid: 5001881; rev:4;)
# Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 02/21/2014
# NOTE: this rule is active (not commented out) even though it was annotated "Disabled by default";
# comment it out if you do not want an alert on every lockout event (644/4740) mentioning "administrator".
# Possible flowbit rule candidate (?)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Account locked out (ADMINISTRATOR)"; pcre: "/ 644: | 4740: /"; content: "administrator"; nocase; classtype: unsuccessful-user; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001978; sid: 5001978; rev:2;)
# You'll want to populate the "WINDOWS_DOMAINS" before enabling this rule. 
# Champ Clark - 03/03/2014 #alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Pass-The-Hash detected!"; pcre: "/ 4624: | 4625: /"; content: "Logon Type|3a| 3 "; content: "Authentication Package|3a| NTLM "; content:!"ANONYMOUS LOGON"; meta_content:!"Domain|3a| %sagan% ",$WINDOWS_DOMAINS; meta_nocase; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002017; reference: url, http://en.wikipedia.org/wiki/Pass_the_hash; sid: 5002017; rev:4;) # Records _all_ RDP sessions #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] RDP / Logon type 10"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002015; sid: 5002015; rev:2;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-AUTH] Logon attempt using explicit credentials"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002018; sid: 5002018; rev:3;) # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/08/2014 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account disabled"; pcre: "/ 629: | 4725: /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002213; sid: 5002213; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] User account deleted"; pcre: "/ 630: | 4726: /"; program: Security*; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002335; sid: 5002335; rev:2;) # Rule added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-AUTH] Security enabled global group created"; pcre: 
"/ 631: | 4727: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002403; sid: 5002403; rev:1;) rules/bonding.rules0000664000175000017500000001002612612177151013652 0ustar champchamp# Sagan bonding.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Interface is up"; content: "is now up"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001066; sid: 5001066; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Interface is down"; content: "is now down"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001067; sid: 5001067; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Link status down for active interface"; content: "link status down for"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001069; sid: 5001069; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Making interface the new active one"; content: "making interface"; content: "the new active one"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001070; sid: 5001070; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Interface is up and now the active interface"; content: "is up and now the active interface"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001071; sid: 5001071; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] ARP monitoring enabled"; content: "ARP monitoring set to"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001072; sid: 5001072; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Enslaving interface"; content: "enslaving"; content: "with an up link"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001073; sid: 5001073; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Released all slaves"; content: "released all slaves"; classtype: 
network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001074; sid: 5001074; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BONDING] Failed to get speed or duplex"; content: "failed to get speed/duplex"; classtype: network-event; program: kernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001075; sid: 5001075; rev:1;) rules/xinetd.rules0000664000175000017500000001272312612177151013533 0ustar champchamp# Sagan xinetd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
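IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# 5000256 (disabled): the content string was unterminated ("removing; ...), which would most likely break
# rule parsing if it were ever re-enabled. Closed the quote; rev bumped.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Removing service"; content: "removing"; classtype: system-event; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000256; sid: 5000256; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Starting service"; content: "Started working"; classtype: system-event; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000257; sid: 5000257; rev:1;)
# xinetd deactivates a service when its connection limits are exceeded; treated as a possible DoS.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Excessive number connections to a service"; content: "deactivating service"; nocase; classtype: attempted-dos; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000379; sid: 5000379; rev:3;)
# Session accounting for xinetd-spawned services. Only the "connection from remote host" (START) rules carry
# parse_src_ip, so the client address is extracted for those; the EXIT rules do not.
alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[XINETD] Telnet connection from remote host"; content: "START"; content: "telnet"; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000247; sid: 5000247; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[XINETD] Telnet connection exit"; content: "EXIT"; content: "telnet"; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000248; sid: 5000248; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg: "[XINETD] POP3 connection from remote host"; content: 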
"START"; content: "pop-3"; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000249; sid: 5000249; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg: "[XINETD] POP3 connection exit"; content: "EXIT"; content: "pop-3"; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000250; sid: 5000250; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[XINETD] IMAP2 connection from remote host"; content: "START"; content: "imap2"; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000251; sid: 5000251; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[XINETD] IMAP2 connection exit"; content: "EXIT"; content: "imap2"; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000252; sid: 5000252; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg: "[XINETD] POP3S [SSL] connection from remote host"; content: "START"; content: "pop3s"; classtype: not-suspicious; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000253; sid: 5000253; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg: "[XINETD] POP3S [SSL] connection exit"; content: "EXIT"; content: "pop3s"; classtype: not-suspicious; program: xinetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000254; sid: 5000254; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg: "[XINETD] POP3S [SSL] User login "; content: "USERID"; content: "pop3s"; classtype: successful-user; program: xinetd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000255; sid: 5000255; rev:2;) # courierpassd rules 10/11/2011 - Champ Clark alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[XINETD] Courierpassd|Poppassd - Old password is incorrect"; content: "old password"; classtype: unsuccessful-user; program: 
courierpassd|poppassd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001102; sid: 5001102; rev:1;)
# NOTE(review): the msg tag below is "[COURIER]" while its sibling 5001102 uses "[XINETD]"; consider aligning them.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Courierpassd|Poppassd - Changed user password"; content: "changed POP3"; classtype: successful-user; program: courierpassd|poppassd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001103; sid: 5001103; rev:1;)
rules/nfcapd.rules0000664000175000017500000003623512612177151013475 0ustar champchamp# Sagan nfcapd.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
##############################################################################
# These rules are intended for the NetFlow protocol. This requires that your
# system has the "nfdump" tools installed -- in particular, the Quadrant-modified
# "nfdump", which allows the program "nfcapd" to receive, decode and send
# flow records to the Sagan FIFO.
#
# For more information see:
#
# https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganNetflow
#
# Example log string sent to the FIFO from the modified "nfcapd":
#
# source_ip: 10.10.0.1/80, destination_ip: 173.165.207.65/16464, protocol: UDP, duration: 5.400, flags: |.AP...|, tos: 0, packets: 312, bytes: 4222451716, last_time: 2013-11-30 01:10:24, vlan_src: 32767, vlan_dst: 0
#
# Every rule below keys on two pieces of that string: the "/PORT, protocol: TCP," suffix of the
# destination_ip field (so the destination port selects the rule) and a flags field of |.AP...|
# (presumably nfdump's UAPRSF notation, i.e. ACK and PSH set -- an established, data-carrying flow
# rather than a bare SYN). parse_src_ip/parse_dst_ip pull the two addresses out of the normalized
# record and parse_port the port; threshold/after restrict alerting to sources that repeat within
# the window, which the "[5/5]" in each msg appears to mirror.
# Possible IRC traffic
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6667, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001984; sid: 5001984; rev: 7;)
# 6697 - IRC traffic
alert tcp $HOME_NET any -> $EXTERNAL_NET 6697 (msg: "[NFCAPD] Possible IRC detected [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6697, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 
2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001985; sid: 5001985; rev: 8;) # 6660-6669, 7000 alert tcp $HOME_NET any -> $EXTERNAL_NET 6660 (msg: "[NFCAPD] Possible IRC - Port 6660 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6660, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001986; sid: 5001986; rev: 6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6661 (msg: "[NFCAPD] Possible IRC - Port 6661 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6661, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001987; sid: 5001987; rev: 6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6662 (msg: "[NFCAPD] Possible IRC - Port 6662 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6662, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001988; sid: 5001988; rev: 6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6663 (msg: "[NFCAPD] Possible IRC - Port 6663 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6663, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 
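300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001989; sid: 5001989; rev: 6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6664 (msg: "[NFCAPD] Possible IRC - Port 6664 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6664, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001990; sid: 5001990; rev: 6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6665 (msg: "[NFCAPD] Possible IRC - Port 6665 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6665, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001991; sid: 5001991; rev: 6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666 (msg: "[NFCAPD] Possible IRC - Port 6666 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6666, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001992; sid: 5001992; rev: 6;)
# 5001993/5001994: the rule-header destination port was 6998/6999 while msg and content match 6668/6669.
# With parse_port in effect the header port is expected to be compared against the port parsed from the
# flow record, so these two rules were unlikely ever to fire. Header ports aligned to the content; rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6668 (msg: "[NFCAPD] Possible IRC - Port 6668 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6668, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001993; sid: 5001993; rev: 7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6669 (msg: "[NFCAPD] Possible IRC - Port 6669 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6669, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001994; sid: 5001994; rev: 7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7000 (msg: "[NFCAPD] Possible IRC - Port 7000 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/7000, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001995; sid: 5001995; rev: 6;)
# SSH -- outbound ACK/PSH flows to 22 and the common alternate 2222.
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg: "[NFCAPD] PUSH/ACK Traffic Detected [5/5]"; program: nfcapd; normalize: nfcapd; content: "/22, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001996; sid: 5001996; rev: 7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2222 (msg: "[NFCAPD] PUSH/ACK Traffic Detected - Port 2222 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/2222, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001997; sid: 5001997; rev: 7;)
# Telnet
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg: "[NFCAPD] Telnet Traffic Detected via PUSH/ACK [5/5]"; program: nfcapd; normalize: nfcapd; content: "/23, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001998; sid: 5001998; rev: 6;)
# Bittorrent traffic via nfcapd - Robert Nunley 05/08/2015
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881 (msg: "[NFCAPD] Possible BitTorrent - Port 6881 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6881, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002291; sid: 5002291; rev: 4;)
# 5002292/5002293 carried a stray ";" after the closing ")"; removed so they are written like every other rule here.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6882 (msg: "[NFCAPD] Possible BitTorrent - Port 6882 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6882, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002292; sid: 5002292; rev: 4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6883 (msg: "[NFCAPD] Possible BitTorrent - Port 6883 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6883, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002293; sid: 5002293; rev: 4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6884 (msg: "[NFCAPD] Possible BitTorrent - Port 6884 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6884, protocol|3a| TCP,"; 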
content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002294; sid: 5002294; rev: 4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6885 (msg: "[NFCAPD] Possible BitTorrent - Port 6885 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6885, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002295; sid: 5002295; rev: 4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6886 (msg: "[NFCAPD] Possible BitTorrent - Port 6886 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6886, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002296; sid: 5002296; rev: 4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6887 (msg: "[NFCAPD] Possible BitTorrent - Port 6887 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6887, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002297; sid: 5002297; rev: 4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6888 (msg: "[NFCAPD] Possible BitTorrent - Port 6888 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6888, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002298; sid: 5002298; rev: 4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 6889 (msg: "[NFCAPD] Possible BitTorrent - Port 6889 [5/5]"; program: nfcapd; normalize: nfcapd; content: "/6889, protocol|3a| TCP,"; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002299; sid: 5002299; rev: 4;) # Tor traffic via nfcapd - Robert Nunley 05/08/2015 alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg: "[NFCAPD] Possible TOR - Port 9001"; program: nfcapd; normalize: nfcapd; content: "/9001, protocol|3a| TCP,"; flowbits: set, tor_traffic, 15; flowbits: noalert; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; reference: url, wiki.quadrantsec.com/bin/view/Main/5002300; reference: url, torstatus.blutmagie.de; sid: 5002300; rev: 5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 9030 (msg: "[NFCAPD] Possible TOR - Port 9030 after Port 9001"; program: nfcapd; normalize: nfcapd; content: "/9030, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002301; reference: url, torstatus.blutmagie.de; sid: 5002301; rev: 5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "[NFCAPD] Possible TOR - Port 443 after Port 9001"; program: nfcapd; normalize: nfcapd; content: "/443, protocol|3a| TCP,"; flowbits: isset, by_src, tor_traffic; content:"flags|3a| |7c|.AP...|7c|,"; classtype: 
suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5002302; reference: url, torstatus.blutmagie.de; sid: 5002302; rev: 5;) rules/symantec-ems.rules0000664000175000017500000001303412612177151014641 0ustar champchamp# Sagan symantic-ems.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
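# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Symantec Encryption Management Server (PGP) log rules. Source addresses come from parse_src_ip: 2,
# i.e. the second IP-looking token in the message - confirm this matches the log format in use before
# enabling any rule that tracks or blocks by source.
# Successful login
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Authentication success"; content: "authenticated internal PGP Desktop"; parse_src_ip: 2; classtype: successful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001675; sid: 5001675; rev:2;)
# Unsuccessful login
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Authentication failure"; content: "failed authentication for internal PGP Desktop"; parse_src_ip: 2; classtype: unsuccessful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001676; sid: 5001676; rev:2;)
# Multiple login failures - Brute Force
# NOTE(review): "after" added so this fires only once 5 failures from one source have been seen in 300s;
# "threshold: type limit" on its own only caps the alert rate and would fire on the very first failure,
# which contradicts the "Multiple" in the msg (rev bumped).
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Multiple authentication failures"; content: "failed authentication for internal PGP Desktop"; content:!"null"; parse_src_ip: 2; classtype: unsuccessful-user; program: pgp/client; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001677; sid: 5001677; rev:4;)
# Authorization failure
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Authorization failure"; content: "authorization failed for this operation"; parse_src_ip: 2; classtype: unsuccessful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001678; sid: 5001678; rev:2;)
# Multiple authorization failures - Brute Force ("after" added for the same reason as 5001677)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Multiple authorization failures"; content: "authorization failed for this operation"; parse_src_ip: 2; classtype: unsuccessful-user; program: pgp/client; after: track by_src, count 5, seconds 300; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001679; sid: 5001679; rev:3;)
# Encrypted Partition Mount Failure
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Encrypted partition mount failure"; content: "WDE Event"; content: "mount"; content: "failure"; classtype: hardware-event; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001680; sid: 5001680; rev:2;)
# Error-regrouping - expired key
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Error regrouping - expired key"; content: "error while regrouping consumer"; content: "key has expired"; classtype: hardware-event; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001681; sid: 5001681; rev:2;)
# Error-regrouping - cannot delete object
# NOTE(review): msg previously repeated "expired key" from the rule above although the content match is the
# "cannot delete derived object" error; corrected so the alert text describes what was matched (rev bumped).
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Error regrouping - cannot delete object"; content: "error while regrouping consumer"; content: "cannot delete derived object while source object"; classtype: hardware-event; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001682; sid: 5001682; rev:3;)
# Error-regrouping - bad parameters
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Error regrouping - bad parameters"; content: "error while regrouping consumer"; content: "bad parameters"; classtype: unsuccessful-user; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001683; sid: 5001683; rev:2;)
# Failed to map user to a directory
#alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] Failed to map user to a directory"; content: "failed to map consumer"; content: "to a directory"; classtype: unsuccessful-user; program: pgp/groupd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001684; sid: 5001684; rev:2;)
# LDAP key error - name lookup failed
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"[SYMANTEC-EMS] LDAP key error - name lookup failed"; content: "error searching for key"; content: "LDAP"; content: "name lookup failed"; classtype: unsuccessful-user; program: pgp/client; reference: url,wiki.quadrantsec.com/bin/view/Main/5001685; sid: 5001685; rev:2;)
rules/windows-bluedot.rules0000664000175000017500000010717412612177151015373 0ustar champchamp
# Sagan windows-bluedot.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.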
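# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# *************************************************************
# Windows Bluedot rules.
# Eventlog to syslog service. This is what we primarily use.
# http://code.google.com/p/eventlog-to-syslog/
#
# Every rule here gates on "bluedot: reputation, by_src, $BLUEDOT_NETWORK": the source address parsed from the
# Windows event (parse_src_ip: 1, the first IP-looking token) must be on the Bluedot reputation list before the
# rule fires. Rules that also carry "fwsam: src, 1 day" push that parsed address to the firewall for a day.
# NOTE(review): because the blocked address is whatever parse_src_ip extracts from the log text, confirm that
# position cannot be influenced by an attacker-controlled field (for example an account name that looks like
# an address) before relying on the automatic block.
#
# NOTE(review): header changed from "tcp $HOME_NET -> $EXTERNAL_NET" to the "syslog $EXTERNAL_NET -> $HOME_NET"
# form every other rule in this file uses (the listed IP is the logon source), and a duplicated
# "program: Security*" option removed (rev bumped).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] RDP / Logon type 10 from a Bluedot listed IP"; program: Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bluedot: reputation, by_src, $BLUEDOT_NETWORK; parse_src_ip: 1; normalize: windows; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002344; sid:5002344; rev:2;)
# NOTE(review): the active failure rules below match only the legacy 5xx event IDs (529-539); the 4625/4776
# equivalents are in the commented-out block further down, so hosts logging the newer IDs are not covered
# until those are enabled.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [0/5]"; program: Security*; content: " 529|3a| "; classtype: unsuccessful-user; bluedot: reputation, by_src, $BLUEDOT_NETWORK; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002345; sid:5002345; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; reference: url,wiki.quadrantsec.com/bin/view/Main/5002346; sid:5002346; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002347; sid:5002347; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002348; sid:5002348; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002349; sid:5002349; rev:1;)
# NOTE(review): msg tag corrected from "[0/1]" to "[0/5]" to match the threshold actually set (count 5 / 300s),
# consistent with the other rules in this file (rev bumped).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account locked [0/5]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bluedot: reputation, by_src, $BLUEDOT_NETWORK; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize: windows; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002350; sid:5002350; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Logon Failure from Bluedot listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: Security*; bluedot: reputation, by_src, $BLUEDOT_NETWORK; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002351; sid:5002351; rev:1;)
# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015
# All rules in this block are disabled. Each keys on an NTSTATUS (4625/4776) or Kerberos failure code
# (675/676/681/4771/4768), sets the brute_force flowbit for 86400s, alerts only after 25 matches from a source
# in 300s ("after") and then at most once per day ("threshold"), hence the "[25/1]" tag.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002455; sid: 5002455; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002456; sid: 5002456; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002457; sid: 5002457; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002458; sid: 5002458; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002459; sid: 5002459; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002460; sid: 5002460; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002461; sid: 5002461; rev:1;)
# Kerberos failure codes 0x1-0xB are matched as " 0xN Client " (code followed by the next field label).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002462; sid: 5002462; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002463; sid: 5002463; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002464; sid: 5002464; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002465; sid: 5002465; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002466; sid: 5002466; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002467; sid: 5002467; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002468; sid: 5002468; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002469; sid: 5002469; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002470; sid: 5002470; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002471; sid: 5002471; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002472; sid: 5002472; rev:1;)
# NOTE(review): from 0xC onward the content match drops the trailing "Client" token used by 0x1-0xB and matches
# only " 0xNN "; the shorter pattern can hit any other hex value in the event text. Confirm against the
# normalized event format before enabling, or restore the " Client " suffix if it is present for these codes.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002473; sid: 5002473; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002475; sid: 5002475; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002476; sid: 5002476; rev:1;)
# NOTE(review): 5002477 was the only rule in this series without "flowbits: set,brute_force,86400" and its msg
# read "B4ute force"; both aligned with the siblings (rev bumped).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002477; sid: 5002477; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002478; sid: 5002478; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002479; sid: 5002479; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002480; sid: 5002480; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002481; sid: 5002481; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 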
1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002482; sid: 5002482; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002483; sid: 5002483; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002484; sid: 5002484; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002485; sid: 5002485; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] 
Windows DC Login failure from a Bluedot listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002486; sid: 5002486; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002487; sid: 5002487; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002488; sid: 5002488; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: Security*; 
flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002489; sid: 5002489; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002490; sid: 5002490; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002491; sid: 5002491; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002492; sid: 
5002492; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002493; sid: 5002493; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002494; sid: 5002494; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002495; sid: 5002495; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 
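0x27 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002496; sid: 5002496; rev:2;)
# NOTE(review): sids 5002496 and 5002497 used "program: Security" while every sibling in this
# series uses "program: Security*". Without the wildcard only an exact program name of
# "Security" is matched, so events whose program field carries a suffix (as the other rules
# anticipate) would silently never fire for result codes 0x27 and 0x28 -- confirm the program
# naming used by the Windows log agent in your environment. Both are aligned to "Security*"
# here and rev is bumped to 2.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002497; sid: 5002497; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002498; sid: 5002498; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: 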
url,wiki.quadrantsec.com/bin/view/Main/5002499; sid: 5002499; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002500; sid: 5002500; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002501; sid: 5002501; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002502; sid: 5002502; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2F - Incorrect message 
direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002503; sid: 5002503; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002504; sid: 5002504; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002505; sid: 5002505; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; 
threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002506; sid: 5002506; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002507; sid: 5002507; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bluedot: reputation, by_src, $BLUEDOT_NETWORK; reference: url,wiki.quadrantsec.com/bin/view/Main/5002508; sid: 5002508; rev:1;) rules/sagan-sid-msg.map0000664000175000017500000224175312612177151014326 0ustar champchamp5000000 || [BASH] ./a.out execution attempt || url,wiki.quadrantsec.com/bin/view/Main/5000000 5000001 || [BASH] gcc execution || url,wiki.quadrantsec.com/bin/view/Main/5000001 5000002 || [BASH] telnet execution || url,wiki.quadrantsec.com/bin/view/Main/5000002 5000003 || [BASH] nmap execution || url,wiki.quadrantsec.com/bin/view/Main/5000003 5000004 || [BASH] /etc/passwd access || url,wiki.quadrantsec.com/bin/view/Main/5000004 5000005 || [BASH] /etc/shadow access || url,wiki.quadrantsec.com/bin/view/Main/5000005 5000006 || [BASH] 
make execution || url,wiki.quadrantsec.com/bin/view/Main/5000006 5000007 || [BASH] make execution || url,wiki.quadrantsec.com/bin/view/Main/5000007 5000008 || [BASH] /bin/sh command line call || url,wiki.quadrantsec.com/bin/view/Main/5000008 5000009 || [BASH] /bin/bash command line call || url,wiki.quadrantsec.com/bin/view/Main/5000009 5000010 || [BASH] HISTORY=/dev/null || url,wiki.quadrantsec.com/bin/view/Main/5000010 5000011 || [BASH] .bash_history access || url,wiki.quadrantsec.com/bin/view/Main/5000011 5000012 || [BASH] /tmp/sh access || url,wiki.quadrantsec.com/bin/view/Main/5000012 5000013 || [BASH] suidperl access || url,wiki.quadrantsec.com/bin/view/Main/5000013 5000014 || [BASH] histfile=/dev/null || url,wiki.quadrantsec.com/bin/view/Main/5000014 5000015 || [OPENSSH] PAM Authentication failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000015 5000016 || [OPENSSH] Authentication failure - Brute force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000016 5000017 || [OPENSSH] Authentication failure for root - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000017 5000018 || [OPENSSH] Possible break-in attempt || url,wiki.quadrantsec.com/bin/view/Main/5000018 5000020 || [OPENSSH] Not executable shell - login attempt || url,wiki.quadrantsec.com/bin/view/Main/5000020 5000021 || [OPENSSH] Message send write error || url,wiki.quadrantsec.com/bin/view/Main/5000021 5000022 || [OPENSSH] Invalid or illegal user [Brute Force] [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5000022 5000023 || [OPENSSH] Out-of-Band challenge failure || url,wiki.quadrantsec.com/bin/view/Main/5000023 5000024 || [SU] SUDO user NOT in sudoers || url,wiki.quadrantsec.com/bin/view/Main/5000024 5000025 || [SU] SUDO authentication failure - Brute force [3/5] || url,wiki.quadrantsec.com/bin/view/Main/5000025 5000027 || [SU] Successful su as root || url,wiki.quadrantsec.com/bin/view/Main/5000027 5000028 || [SU] FAILED su - Brute force [5/5] || 
url,wiki.quadrantsec.com/bin/view/Main/5000028 5000029 || GRSEC Time set || url,wiki.quadrantsec.com/bin/view/Main/5000029 5000030 || GRSEC Signal 11 sent || url,wiki.quadrantsec.com/bin/view/Main/5000030 5000031 || TCP Treason uncloaked || url,wiki.quadrantsec.com/bin/view/Main/5000031 5000032 || [IPOP3D] Excessive login failures || url,wiki.quadrantsec.com/bin/view/Main/5000032 5000034 || [SENDMAIL] VRFY or EXPN root attempt || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000034 5000035 || [SENDMAIL] EXPN command - rejected || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000035 5000036 || [SENDMAIL] VRFY command - rejected || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000036 5000037 || [SENDMAIL] Relaying denied || url,wiki.quadrantsec.com/bin/view/Main/5000037 5000038 || [MILTER] Milter error state || url,wiki.quadrantsec.com/bin/view/Main/5000038 5000039 || [MILTER] Mimedefang - No response from slave || url,wiki.quadrantsec.com/bin/view/Main/5000039 5000041 || [NTP] Permission denied error || url,wiki.quadrantsec.com/bin/view/Main/5000041 5000042 || GRSEC Denied resource overstep || url,wiki.quadrantsec.com/bin/view/Main/5000042 5000043 || [SQUID] TCP_DENIED || url,wiki.quadrantsec.com/bin/view/Main/5000043 5000044 || [SQUID] TCP_DENIED unsupported-request-method || url,wiki.quadrantsec.com/bin/view/Main/5000044 5000045 || [SQUID] TCP_DENIED invalid-request || url,wiki.quadrantsec.com/bin/view/Main/5000045 5000046 || [SQUID] @CGIDIRScgiwrap attempt || url,wiki.quadrantsec.com/bin/view/Main/5000046 5000047 || [SQUID] Directory traversal attempt || url,wiki.quadrantsec.com/bin/view/Main/5000047 5000048 || [SQUID] XSS attempt || url,wiki.quadrantsec.com/bin/view/Main/5000048 5000049 || [SQUID] 'passwd' access attempt || url,wiki.quadrantsec.com/bin/view/Main/5000049 5000050 || [SQUID] Directory traversal attempt || 
url,wiki.quadrantsec.com/bin/view/Main/5000050 5000051 || [CISCO-IOS] SNMP Authentication Failure [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000051 5000052 || [CISCO-IOS] Attempted RSHELL connection || url,wiki.quadrantsec.com/bin/view/Main/5000052 5000053 || [CISCO-IOS] Line protocol changed state up/down || url,wiki.quadrantsec.com/bin/view/Main/5000053 5000054 || [CISCO-IOS] Line protocol changed state up/down || url,wiki.quadrantsec.com/bin/view/Main/5000054 5000055 || [CISCO-IOS] Configuration from console || url,wiki.quadrantsec.com/bin/view/Main/5000055 5000056 || [SYSLOG] Kernel TCP/IP redirect attempt || url,wiki.quadrantsec.com/bin/view/Main/5000056 5000057 || [SYSLOG] Kernel TCP/IP redirect attempt || url,wiki.quadrantsec.com/bin/view/Main/5000057 5000058 || [SYSLOG] init respawning to fast || url,wiki.quadrantsec.com/bin/view/Main/5000058 5000059 || [SYSLOG] Martian source packet || url,wiki.quadrantsec.com/bin/view/Main/5000059 5000060 || [ARP] arpalert - Detected new machine on the network || url,wiki.quadrantsec.com/bin/view/Main/5000060 5000061 || [ARP] arpalert - Detected ip change || url,wiki.quadrantsec.com/bin/view/Main/5000061 5000062 || [ARP] arpwatch - Detected new machine on the network 5000063 || [ARP] arpwatch - 'flip flop' message. 
|| url,wiki.quadrantsec.com/bin/view/Main/5000063 5000064 || [ARP] arpwatch - Exiting || url,wiki.quadrantsec.com/bin/view/Main/5000064 5000065 || [ARP] arpwatch - Changed network interface for IP address || url,wiki.quadrantsec.com/bin/view/Main/5000065 5000066 || [ARP] arpwatch - Startup/Exiting message || url,wiki.quadrantsec.com/bin/view/Main/5000066 5000067 || [ARP] arpwatch - Detected bad address len - ignored || url,wiki.quadrantsec.com/bin/view/Main/5000067 5000068 || [OPENSSH] Bad protocol version - possible attack || url,wiki.quadrantsec.com/bin/view/Main/5000068 5000069 || [OPENSSH] Timeout while logging in || url,wiki.quadrantsec.com/bin/view/Main/5000069 5000070 || [OPENSSH] No identification string - possible scan || url,wiki.quadrantsec.com/bin/view/Main/5000070 5000071 || [OPENSSH] OpenSSH challenge-response exploit || url,wiki.quadrantsec.com/bin/view/Main/5000071 5000072 || [OPENSSH] Message without user-IP and context || url,wiki.quadrantsec.com/bin/view/Main/5000072 5000073 || [OPENSSH] Corrupted traffic || url,wiki.quadrantsec.com/bin/view/Main/5000073 5000074 || [OPENSSH] CRC32 compensation attack || url, http://www.securityfocus.com/bid/2347/info/ || url,wiki.quadrantsec.com/bin/view/Main/5000074 5000076 || [OPENSSH] configuration error [moduli] || url,wiki.quadrantsec.com/bin/view/Main/5000076 5000077 || [OPENSSH] Attempt to login using a denied user || url,wiki.quadrantsec.com/bin/view/Main/5000077 5000078 || [PROFTPD] Session opened || url,wiki.quadrantsec.com/bin/view/Main/5000078 5000079 || [PROFTPD] Session closed || url,wiki.quadrantsec.com/bin/view/Main/5000079 5000080 || [PROFTPD] Attempt to login as a non-existent user [Brute Force] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000080 5000081 || [PROFTPD] Login failed accessing the FTP server [Brute Force] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000081 5000082 || [PROFTPD] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000082 5000083 || [PROFTPD] 
Connection refused by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000083 5000084 || [PROFTPD] Small PassivePorts range in config file || url,wiki.quadrantsec.com/bin/view/Main/5000084 5000085 || [PROFTPD] Attempt to bypass firewall - cannot keep state of FTP traffic || url,wiki.quadrantsec.com/bin/view/Main/5000085 5000086 || [PROFTPD] Maximum login attempts reached [DoS?] || url,wiki.quadrantsec.com/bin/view/Main/5000086 5000087 || [PROFTPD] Host name or host address mismatch || url,wiki.quadrantsec.com/bin/view/Main/5000087 5000088 || [PROFTPD] Reverse lookup failure || url,wiki.quadrantsec.com/bin/view/Main/5000088 5000089 || [PROFTPD] Remote host connected to FTP server || url,wiki.quadrantsec.com/bin/view/Main/5000089 5000090 || [PROFTPD] Remote host disconnected due to inactivity || url,wiki.quadrantsec.com/bin/view/Main/5000090 5000091 || [PROFTPD] Remote host disconnected due to login time out || url,wiki.quadrantsec.com/bin/view/Main/5000091 5000092 || [PROFTPD] Data transfer stall timeout || url,wiki.quadrantsec.com/bin/view/Main/5000092 5000093 || [PROFTPD] terminated [crash] || url,wiki.quadrantsec.com/bin/view/Main/5000093 5000094 || [PROFTPD] Unable to bind to address || url,wiki.quadrantsec.com/bin/view/Main/5000094 5000095 || [ATTACK] Buffer overflow attempt on rpc.statd || url,wiki.quadrantsec.com/bin/view/Main/5000095 5000096 || [ATTACK] Buffer overflow attempt on WU-FTPD version prior to 2.6 || url,wiki.quadrantsec.com/bin/view/Main/5000096 5000097 || [ATTACK] Possible buffer overflow attempt || url,wiki.quadrantsec.com/bin/view/Main/5000097 5000098 || [ATTACK] 'Null' user change some information || url,wiki.quadrantsec.com/bin/view/Main/5000098 5000099 || [ATTACK] Stack overflow attempt with SEGV [Solaris] || url,wiki.quadrantsec.com/bin/view/Main/5000099 5000100 || [ATTACK] Possible buffer overflow attempt [NOOP] || url,wiki.quadrantsec.com/bin/view/Main/5000100 5000101 || [BIND] Invalid DNS packet. 
Possible attack || url,wiki.quadrantsec.com/bin/view/Main/5000101 5000102 || [BIND] Denied zone transfer attempt || url,wiki.quadrantsec.com/bin/view/Main/5000102 5000103 || [BIND] DNS update denied || url,wiki.quadrantsec.com/bin/view/Main/5000103 5000104 || [BIND] Log permission misconfiguration || url,wiki.quadrantsec.com/bin/view/Main/5000104 5000105 || [BIND] Refused notify from non-master || url,wiki.quadrantsec.com/bin/view/Main/5000105 5000106 || [BIND] DNS update using RFC2136 Dynamic protocol denied || url,wiki.quadrantsec.com/bin/view/Main/5000106 5000107 || [BIND] Query cache denied || url,wiki.quadrantsec.com/bin/view/Main/5000107 5000108 || [BIND] Named fatal error. DNS service is going down || url,wiki.quadrantsec.com/bin/view/Main/5000108 5000109 || [BIND] Serial number from master is lower than stored || url,wiki.quadrantsec.com/bin/view/Main/5000109 5000110 || [BIND] Zone transfer error || url,wiki.quadrantsec.com/bin/view/Main/5000110 5000111 || [CISCO-IOS] IOS configuration changed || url,wiki.quadrantsec.com/bin/view/Main/5000111 5000112 || [CISCO-IOS] Successful login || url,wiki.quadrantsec.com/bin/view/Main/5000112 5000113 || [CISCO-IOS] Failed login - Brute Force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5000113 5000114 || [SYSLOG] Possible unknown problem on a system || url,wiki.quadrantsec.com/bin/view/Main/5000114 5000115 || [SYSLOG] /etc/securetty missing, root access unrestricted || url,wiki.quadrantsec.com/bin/view/Main/5000115 5000116 || [SYSLOG] System out of disk space || url,wiki.quadrantsec.com/bin/view/Main/5000116 5000117 || [SYSLOG] Unable to mount NFS share || url,wiki.quadrantsec.com/bin/view/Main/5000117 5000118 || [SYSLOG] Unable to mount the NFS directory || url,wiki.quadrantsec.com/bin/view/Main/5000118 5000119 || [SYSLOG] Authentication failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5000119 5000120 || [SYSLOG] Illegal root login || url,wiki.quadrantsec.com/bin/view/Main/5000120 5000121 || 
[SYSLOG] Connection blocked by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000121 5000122 || [SYSLOG] Physical root login || url,wiki.quadrantsec.com/bin/view/Main/5000122 5000123 || [SYSLOG] Oversized packet - ping of death? || url,wiki.quadrantsec.com/bin/view/Main/5000123 5000124 || [SYSLOG] Interface entered promiscuous mode || url,wiki.quadrantsec.com/bin/view/Main/5000124 5000125 || [SYSLOG] System out of memory! || url,wiki.quadrantsec.com/bin/view/Main/5000125 5000126 || [SYSLOG] Kernel log daemon terminating || url,wiki.quadrantsec.com/bin/view/Main/5000126 5000127 || [SYSLOG] ADSL line is up || url,wiki.quadrantsec.com/bin/view/Main/5000127 5000128 || [SYSLOG] ADSL line is down || url,wiki.quadrantsec.com/bin/view/Main/5000128 5000129 || [TRIPWIRE] Integrity Check failed || url,wiki.quadrantsec.com/bin/view/Main/5000129 5000130 || [SYSLOG] New group added to the system || url,wiki.quadrantsec.com/bin/view/Main/5000130 5000131 || [SYSLOG] New user added to the system || url,wiki.quadrantsec.com/bin/view/Main/5000131 5000132 || [SU] Three failed attempts to run sudo || url,wiki.quadrantsec.com/bin/view/Main/5000132 5000133 || [SU] Successful sudo to ROOT executed || url,wiki.quadrantsec.com/bin/view/Main/5000133 5000134 || [PPTP] Failed message [communications error] || url,wiki.quadrantsec.com/bin/view/Main/5000134 5000135 || [PPTP] Connection established || url,wiki.quadrantsec.com/bin/view/Main/5000135 5000136 || [SENDMAIL] Domain of sender does not resolve || url,wiki.quadrantsec.com/bin/view/Main/5000136 5000137 || [SENDMAIL] Rejected by access list || url,wiki.quadrantsec.com/bin/view/Main/5000137 5000138 || [SENDMAIL] Sender address does not have domain || url,wiki.quadrantsec.com/bin/view/Main/5000138 5000139 || [SENDMAIL] Rejecting due to pre-greet || url,wiki.quadrantsec.com/bin/view/Main/5000139 5000140 || [SENDMAIL] Save mail panic || url,wiki.quadrantsec.com/bin/view/Main/5000140 5000141 || [SENDMAIL] Sendmail Spamassassin 
X-Spam-Score || url,wiki.quadrantsec.com/bin/view/Main/5000141 5000142 || [SENDMAIL] Possible SMTP RCPT flood, throttling || url,wiki.quadrantsec.com/bin/view/Main/5000142 5000143 || [MILTER] SMF-SAV sendmail milter unable to verify || url,wiki.quadrantsec.com/bin/view/Main/5000143 5000144 || [SENDMAIL] Relaying denied [reject=550 5.7.1] || url,wiki.quadrantsec.com/bin/view/Main/5000144 5000145 || [SAMBA] Startup network problem || url,wiki.quadrantsec.com/bin/view/Main/5000145 5000146 || [SAMBA] Connection denied || url,wiki.quadrantsec.com/bin/view/Main/5000146 5000147 || [SAMBA] Connection reset by peer || url,wiki.quadrantsec.com/bin/view/Main/5000147 5000148 || [SAMBA] Unable to connect to CUPS server || url,wiki.quadrantsec.com/bin/view/Main/5000148 5000149 || [MYSQL] Access denied for user || url,wiki.quadrantsec.com/bin/view/Main/5000149 5000150 || [MYSQL] Access denied for user || url,wiki.quadrantsec.com/bin/view/Main/5000150 5000151 || [MYSQL] User disconnected from database || url,wiki.quadrantsec.com/bin/view/Main/5000151 5000152 || [MYSQL] Database startup or restart || quadrantsec,5000152 5000153 || [MYSQL] Database error || url,wiki.quadrantsec.com/bin/view/Main/5000153 5000154 || [MYSQL] Database fatal error || url,wiki.quadrantsec.com/bin/view/Main/5000154 5000155 || [APACHE] Segmentation fault || url,wiki.quadrantsec.com/bin/view/Main/5000155 5000156 || [APACHE] Attempt to access forbidden file or directory [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000156 5000157 || [APACHE] Attempt to access forbidden directory index || url,wiki.quadrantsec.com/bin/view/Main/5000157 5000158 || [APACHE] Client sent malformed Host header || url,wiki.quadrantsec.com/bin/view/Main/5000158 5000159 || [APACHE] User authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000159 5000160 || [APACHE] Attempt to login using a non-existent user || url,wiki.quadrantsec.com/bin/view/Main/5000160 5000161 || [APACHE] Rapid attempt to access a non-existent file 
or directory || url,wiki.quadrantsec.com/bin/view/Main/5000161 5000162 || [APACHE] Invalid URI in request || url,wiki.quadrantsec.com/bin/view/Main/5000162 5000163 || [APACHE] Invalid URI, file name too long || url,wiki.quadrantsec.com/bin/view/Main/5000163 5000164 || [BIND] Unexpected error [RCODE] while resolving domain || url,wiki.quadrantsec.com/bin/view/Main/5000164 5000165 || [APACHE] Mod_Security Access denied || url,wiki.quadrantsec.com/bin/view/Main/5000165 5000166 || [APACHE] Resource temporarily unavailable || url,wiki.quadrantsec.com/bin/view/Main/5000166 5000168 || [NGINX] Nginx error message || url,wiki.quadrantsec.com/bin/view/Main/5000168 5000169 || [NGINX] Nginx warning message || url,wiki.quadrantsec.com/bin/view/Main/5000169 5000170 || [NGINX] Nginx critical message || url,wiki.quadrantsec.com/bin/view/Main/5000170 5000171 || [NGINX] Nginx 404 error || url,wiki.quadrantsec.com/bin/view/Main/5000171 5000172 || [NGINX] Nginx Incomplete client request || url,wiki.quadrantsec.com/bin/view/Main/5000172 5000173 || [NGINX] Nginx Initial 401 authentication request || url,wiki.quadrantsec.com/bin/view/Main/5000173 5000174 || [NGINX] Nginx Web authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000174 5000175 || [NGINX] Nginx Invalid URI, file name too long || url,wiki.quadrantsec.com/bin/view/Main/5000175 5000176 || [ASTERISK] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000176 5000177 || [ASTERISK] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000177 5000178 || [ASTERISK] Notice message || url,wiki.quadrantsec.com/bin/view/Main/5000178 5000179 || [ASTERISK] Login session failed [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000179 5000180 || [ASTERISK] Login session failed [invalid user] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000180 5000181 || [ASTERISK] Login session failed [invalid extension] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000181 5000182 || [FTPD] FTP Login refused || 
url,wiki.quadrantsec.com/bin/view/Main/5000182 5000183 || [FTPD] File created || url,wiki.quadrantsec.com/bin/view/Main/5000183 5000184 || [FTPD] File deleted || url,wiki.quadrantsec.com/bin/view/Main/5000184 5000185 || [FTPD] User uploaded a file to server || url,wiki.quadrantsec.com/bin/view/Main/5000185 5000186 || [FTPD] User downloaded a file to server || url,wiki.quadrantsec.com/bin/view/Main/5000186 5000187 || [FTPD] Remote host connected to FTP server || url,wiki.quadrantsec.com/bin/view/Main/5000187 5000188 || [FTPD] Connection blocked by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000188 5000189 || [FTPD] Reverse lookup failure || url,wiki.quadrantsec.com/bin/view/Main/5000189 5000190 || [FTPD] Multiple failed login attempts || url,wiki.quadrantsec.com/bin/view/Main/5000190 5000191 || [FTPD] User disconnected due to time out || url,wiki.quadrantsec.com/bin/view/Main/5000191 5000192 || [FTPD] Attempted access to a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000192 5000193 || [FTPD] Failed authentication - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000193 5000194 || [VSFTPD] Session opened || url,wiki.quadrantsec.com/bin/view/Main/5000194 5000195 || [VSFTPD] Authentication successful || url,wiki.quadrantsec.com/bin/view/Main/5000195 5000196 || [VSFTPD] Login failed - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000196 5000197 || [VSFTPD] File uploaded || url,wiki.quadrantsec.com/bin/view/Main/5000197 5000198 || [WORDPRESS] - Wordpress authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000198 5000199 || [WORDPRESS] - Wordpress authentication succeeded || url,wiki.quadrantsec.com/bin/view/Main/5000199 5000200 || [WORDPRESS] - Wordpress WPsyslog was successfully initialized || url,wiki.quadrantsec.com/bin/view/Main/5000200 5000201 || [WORDPRESS] - Wordpress WPsyslog Plugin deactivated || url,wiki.quadrantsec.com/bin/view/Main/5000201 5000202 || [WORDPRESS] - Wordpress Comment 
Flood Attempt || url,wiki.quadrantsec.com/bin/view/Main/5000202 5000203 || [WORDPRESS] - Attack against Wordpress detected || url,wiki.quadrantsec.com/bin/view/Main/5000203 5000204 || [VMWARE] User login successful || url,wiki.quadrantsec.com/bin/view/Main/5000204 5000206 || [VMWARE] User authentication failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000206 5000208 || [VMWARE] Virtual machine state change to OFF || url,wiki.quadrantsec.com/bin/view/Main/5000208 5000209 || [VMWARE] Virtual machine state change to ON || url,wiki.quadrantsec.com/bin/view/Main/5000209 5000210 || [VMWARE] Virtual machine being reconfigured || url,wiki.quadrantsec.com/bin/view/Main/5000210 5000211 || [VPOPMAIL] Authentication failure for POP3 service || url,wiki.quadrantsec.com/bin/view/Main/5000211 5000212 || [VPOPMAIL] User not found/Invalid login for POP3 service || url,wiki.quadrantsec.com/bin/view/Main/5000212 5000213 || [VPOPMAIL] Successful POP3 login || url,wiki.quadrantsec.com/bin/view/Main/5000213 5000214 || [VPOPMAIL] Null password given for POP3 service || url,wiki.quadrantsec.com/bin/view/Main/5000214 5000215 || [VMPOP3D] Authentication failure for POP3 || url,wiki.quadrantsec.com/bin/view/Main/5000215 5000216 || [PUREFTPD] New FTP connection || url,wiki.quadrantsec.com/bin/view/Main/5000216 5000217 || [PUREFTPD] Authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000217 5000219 || [PUREFTPD] FTP user logout or timeout || url,wiki.quadrantsec.com/bin/view/Main/5000219 5000220 || [PUREFTPD] FTP notice message || url,wiki.quadrantsec.com/bin/view/Main/5000220 5000221 || [PUREFTPD] Attempting to access invalid directory || url,wiki.quadrantsec.com/bin/view/Main/5000221 5000222 || [PUREFTPD] FTP Authentication successful || url,wiki.quadrantsec.com/bin/view/Main/5000222 5000223 || [SENDMAIL] EXPN command - [not rejected] || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000035 5000224 || [SENDMAIL] 
VRFY command - [not rejected] || nessus,10249 || cve,1999-0531 || arachnids,31 || url,wiki.quadrantsec.com/bin/view/Main/5000036 5000225 || [POSTFIX] IP Address black-listed by anti-spam [blocked] || url,wiki.quadrantsec.com/bin/view/Main/5000225 5000226 || [POSTFIX] Processing error || url,wiki.quadrantsec.com/bin/view/Main/5000226 5000227 || [POSTFIX] SASL authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000227 5000229 || [POSTGRESQL] Log message || url,wiki.quadrantsec.com/bin/view/Main/5000229 5000230 || [POSTGRESQL] Error message || url,wiki.quadrantsec.com/bin/view/Main/5000230 5000231 || [POSTGRESQL] Fatal error message || url,wiki.quadrantsec.com/bin/view/Main/5000231 5000232 || [POSTGRESQL] Debug message || url,wiki.quadrantsec.com/bin/view/Main/5000232 5000233 || [POSTGRESQL] Database authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000233 5000234 || [POSTGRESQL] Database authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000234 5000235 || [POSTGRESQL] Database shutdown message || url,wiki.quadrantsec.com/bin/view/Main/5000235 5000236 || [PHP] Fatal error || url,wiki.quadrantsec.com/bin/view/Main/5000236 5000237 || [PHP] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000237 5000238 || [PHP] Parse error || url,wiki.quadrantsec.com/bin/view/Main/5000238 5000240 || [PHP] Possible web attack || url,wiki.quadrantsec.com/bin/view/Main/5000240 5000241 || [PHP] Internal error [missing file] || url,wiki.quadrantsec.com/bin/view/Main/5000241 5000242 || [PHP] Internal error [call to undefined function] || url,wiki.quadrantsec.com/bin/view/Main/5000242 5000243 || [TELNET] Connection refused by TCP Wrappers || url,wiki.quadrantsec.com/bin/view/Main/5000243 5000244 || [TELNET] Remote host established a telnet connection || url,wiki.quadrantsec.com/bin/view/Main/5000244 5000245 || [TELNET] Remote host invalid connection || url,wiki.quadrantsec.com/bin/view/Main/5000245 5000246 || [TELNET] Reverse lookup error 
|| url,wiki.quadrantsec.com/bin/view/Main/5000246 5000247 || [XINETD] Telnet connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000247 5000248 || [XINETD] Telnet connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000248 5000249 || [XINETD] POP3 connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000249 5000250 || [XINETD] POP3 connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000250 5000251 || [XINETD] IMAP2 connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000251 5000252 || [XINETD] IMAP2 connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000252 5000253 || [XINETD] POP3S [SSL] connection from remote host || url,wiki.quadrantsec.com/bin/view/Main/5000253 5000254 || [XINETD] POP3S [SSL] connection exit || url,wiki.quadrantsec.com/bin/view/Main/5000254 5000255 || [XINETD] POP3S [SSL] User login || url,wiki.quadrantsec.com/bin/view/Main/5000255 5000256 || [XINETD] Removing service || url,wiki.quadrantsec.com/bin/view/Main/5000256 5000257 || [XINETD] Starting service || url,wiki.quadrantsec.com/bin/view/Main/5000257 5000258 || [COURIER] Connection established || url,wiki.quadrantsec.com/bin/view/Main/5000258 5000259 || [COURIER] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000259 5000260 || [COURIER] Logout/disconnect || url,wiki.quadrantsec.com/bin/view/Main/5000260 5000261 || [COURIER] User login || url,wiki.quadrantsec.com/bin/view/Main/5000261 5000262 || [IMAPD] Successful login || url,wiki.quadrantsec.com/bin/view/Main/5000262 5000263 || [HORDEIMP] Notice message || url,wiki.quadrantsec.com/bin/view/Main/5000263 5000264 || [DOVECOT] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000264 5000265 || [DOVECOT] Failed login || url,wiki.quadrantsec.com/bin/view/Main/5000265 5000266 || [DOVECOT] Starting up || url,wiki.quadrantsec.com/bin/view/Main/5000266 5000267 || [DOVECOT] Fatal error || url,wiki.quadrantsec.com/bin/view/Main/5000267 5000268 || 
[DOVECOT] Invalid username || url,wiki.quadrantsec.com/bin/view/Main/5000268 5000269 || [RACOON] - Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000269 5000270 || [RACOON] - Error message || url,wiki.quadrantsec.com/bin/view/Main/5000270 5000271 || [RACOON] - Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000271 5000272 || [RACOON] - ISAKMP-SA - VPN established || url,wiki.quadrantsec.com/bin/view/Main/5000272 5000273 || [RACOON] - Roadwarrior configuration error [ignored error] || url,wiki.quadrantsec.com/bin/view/Main/5000273 5000274 || [RACOON] - Roadwarrior configuration error [ignored warning] || url,wiki.quadrantsec.com/bin/view/Main/5000274 5000275 || [RACOON] - Invalid configuration settings [ignored error] || url,wiki.quadrantsec.com/bin/view/Main/5000275 5000276 || [IMAPD] User logout || url,wiki.quadrantsec.com/bin/view/Main/5000276 5000277 || [ROUNDCUBE] - Authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000277 5000278 || [ROUNDCUBE] - Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000278 5000279 || [ZEUS] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000279 5000280 || [ZEUS] Configuration warning [ignored] || url,wiki.quadrantsec.com/bin/view/Main/5000280 5000281 || [ZEUS] Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000281 5000282 || [ZEUS] Warning message || url,wiki.quadrantsec.com/bin/view/Main/5000282 5000283 || [ZEUS] Serious message || url,wiki.quadrantsec.com/bin/view/Main/5000283 5000284 || [ZEUS] Fatal message || url,wiki.quadrantsec.com/bin/view/Main/5000284 5000285 || [OSSEC] Agent started || url,wiki.quadrantsec.com/bin/view/Main/5000285 5000287 || [OSSEC] Ossec started || url,wiki.quadrantsec.com/bin/view/Main/5000287 5000288 || [OSSEC] Agent disconnect || url,wiki.quadrantsec.com/bin/view/Main/5000288 5000289 || [OSSEC] Ignored common NTFS ADS entries || url,wiki.quadrantsec.com/bin/view/Main/5000289 5000290 || [OSSEC] Windows Audit 
|| url,wiki.quadrantsec.com/bin/view/Main/5000290 5000291 || [OSSEC] Windows Malware || url,wiki.quadrantsec.com/bin/view/Main/5000291 5000292 || [OSSEC] Windows application monitor event || url,wiki.quadrantsec.com/bin/view/Main/5000292 5000293 || [OSSEC] Ignoring rootcheck/syscheck scan messages || url,wiki.quadrantsec.com/bin/view/Main/5000293 5000294 || [OSSEC] System Audit || url,wiki.quadrantsec.com/bin/view/Main/5000294 5000295 || [OSSEC] Windows Adware/Spyware application found || url,wiki.quadrantsec.com/bin/view/Main/5000295 5000296 || [OSSEC] Partition usage reached 100% [disk space monitor] || url,wiki.quadrantsec.com/bin/view/Main/5000296 5000297 || [OSSEC] Ignoring external medias || url,wiki.quadrantsec.com/bin/view/Main/5000297 5000298 || [OSSEC] Integrity checksum for agentless device changed || url,wiki.quadrantsec.com/bin/view/Main/5000298 5000299 || [OSSEC] Log file rotated || url,wiki.quadrantsec.com/bin/view/Main/5000299 5000300 || [OSSEC] File size reduced || url,wiki.quadrantsec.com/bin/view/Main/5000300 5000301 || [OSSEC] Microsoft event log cleared || url,wiki.quadrantsec.com/bin/view/Main/5000301 5000306 || [WINDOWS-MISC] Detection of net listening application [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000306 5000307 || [WINDOWS-MISC] Privileged Service Called || url,wiki.quadrantsec.com/bin/view/Main/5000307 5000308 || [WINDOWS-MISC] Apple Bonjour service detect [iTunes installed?] 
|| url,wiki.quadrantsec.com/bin/view/Main/5000308 5000309 || [WINDOWS-MISC] Application error || url,wiki.quadrantsec.com/bin/view/Main/5000309 5000310 || [WINDOWS-MISC] Application hang || url,wiki.quadrantsec.com/bin/view/Main/5000310 5000311 || [WINDOWS-MISC] Application popup || url,wiki.quadrantsec.com/bin/view/Main/5000311 5000312 || [WINDOWS-MISC] Backup Exec - Job completed with exceptions || url,wiki.quadrantsec.com/bin/view/Main/5000312 5000313 || [WINDOWS-MISC] Backup Exec - Job cancellation || url,wiki.quadrantsec.com/bin/view/Main/5000313 5000314 || [WINDOWS-MISC] Backup Exec - Alert - insert media || url,wiki.quadrantsec.com/bin/view/Main/5000314 5000315 || [WINDOWS-MISC] Backup Exec - Service started || url,wiki.quadrantsec.com/bin/view/Main/5000315 5000316 || [WINDOWS-MISC] SCSI bug fault occurred || url,wiki.quadrantsec.com/bin/view/Main/5000316 5000317 || [WINDOWS-MISC] Citrix message || url,wiki.quadrantsec.com/bin/view/Main/5000317 5000318 || [WINDOWS-MISC] Trusted Platform Module [TPM] Error. 
User name not found || url,wiki.quadrantsec.com/bin/view/Main/5000318 5000319 || [WINDOWS-MISC] Eventlog service was corrupted || url,wiki.quadrantsec.com/bin/view/Main/5000319 5000320 || [WINDOWS-MISC] Eventlog service was stopped || url,wiki.quadrantsec.com/bin/view/Main/5000320 5000322 || [WINDOWS-MISC] Eventlog service returned error || url,wiki.quadrantsec.com/bin/view/Main/5000322 5000323 || [WINDOWS-MISC] Eventlog service reporting uptime [in seconds] || url,wiki.quadrantsec.com/bin/view/Main/5000323 5000324 || [WINDOWS-MISC] IPSec message || url,wiki.quadrantsec.com/bin/view/Main/5000324 5000325 || [WINDOWS-MISC] MS-SQL - Server started || url,wiki.quadrantsec.com/bin/view/Main/5000325 5000326 || [WINDOWS-MISC] MS-SQL - Server listening on network || url,wiki.quadrantsec.com/bin/view/Main/5000326 5000327 || [WINDOWS-MISC] MsiInstaller - Client successfully installed software || url,wiki.quadrantsec.com/bin/view/Main/5000327 5000328 || [WINDOWS-MISC] MsiInstaller - Google Toolbar installed || url,wiki.quadrantsec.com/bin/view/Main/5000328 5000329 || [WINDOWS-MISC] MsiInstaller - Google Toolbar updated || url,wiki.quadrantsec.com/bin/view/Main/5000329 5000330 || [WINDOWS-MISC] MsiInstaller - RegWork - Registry cleaner || url,wiki.quadrantsec.com/bin/view/Main/5000330 5000331 || [WINDOWS-MISC] MsiInstaller - Google Toolbar updated || url,wiki.quadrantsec.com/bin/view/Main/5000331 5000332 || [WINDOWS-MISC] MsiInstaller - Client successfully updated software || url,wiki.quadrantsec.com/bin/view/Main/5000332 5000334 || [WINDOWS-MISC] NtServicePack message - package or hotfix installed || url,wiki.quadrantsec.com/bin/view/Main/5000334 5000335 || [WINDOWS-MISC] SNMP Service has started successfully || url,wiki.quadrantsec.com/bin/view/Main/5000335 5000336 || [WINDOWS-MISC] Google Software Updater service is active || url,wiki.quadrantsec.com/bin/view/Main/5000336 5000337 || [WINDOWS-MISC] Google update service is active || 
url,wiki.quadrantsec.com/bin/view/Main/5000337 5000338 || [WINDOWS-MISC] Google update service is active || url,wiki.quadrantsec.com/bin/view/Main/5000338 5000339 || [WINDOWS-MISC] Tenable Nessus service is active [pen-test tool] || url,wiki.quadrantsec.com/bin/view/Main/5000339 5000340 || [WINDOWS-MISC] Remote Access Connection Manager service is active || url,wiki.quadrantsec.com/bin/view/Main/5000340 5000341 || [WINDOWS-MISC] Symantec AntiVirus startup successful || url,wiki.quadrantsec.com/bin/view/Main/5000341 5000342 || [WINDOWS-MISC] Symantec AntiVirus couldn't scan some files or directories || url,wiki.quadrantsec.com/bin/view/Main/5000342 5000343 || [WINDOWS-MISC] Symantec AntiVirus New virus definition file loaded || url,wiki.quadrantsec.com/bin/view/Main/5000343 5000344 || [WINDOWS-MISC] Symantec AntiVirus Successful remote connect by administrator || url,wiki.quadrantsec.com/bin/view/Main/5000344 5000345 || [WINDOWS-MISC] Tenable Nessus started [pen-test tool] || url,wiki.quadrantsec.com/bin/view/Main/5000345 5000346 || [WINDOWS-MISC] WinRM [Windows Remote Management] is started and listening || url,wiki.quadrantsec.com/bin/view/Main/5000346 5000347 || [WINDOWS-MISC] WinVNC4 Connection accepted || url,wiki.quadrantsec.com/bin/view/Main/5000347 5000348 || [WINDOWS-MISC] WinVNC4 Connection closed - Requested security type not available || url,wiki.quadrantsec.com/bin/view/Main/5000348 5000349 || [WINDOWS-MISC] WinVNC4 Connection blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5000349 5000350 || [WINDOWS-MISC] WinVNC4 Connection Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000350 5000351 || [WINDOWS-MISC] WinVNC4 Connection close - reset by peer || url,wiki.quadrantsec.com/bin/view/Main/5000351 5000352 || [WINDOWS-MISC] WinVNC4 Connection close - reset by peer [Non-shared] || url,wiki.quadrantsec.com/bin/view/Main/5000352 5000353 || [WINDOWS-MISC] WinVNC4 Connection close - reading version failed || 
url,wiki.quadrantsec.com/bin/view/Main/5000353 5000354 || [WINDOWS-MISC] WinVNC4 Connection closed || url,wiki.quadrantsec.com/bin/view/Main/5000354 5000355 || [WINDOWS-MISC] WinVNC4 HTTPServer event || url,wiki.quadrantsec.com/bin/view/Main/5000355 5000356 || [WINDOWS-MISC] Crypt32 Failed to extract third-party root list || url,wiki.quadrantsec.com/bin/view/Main/5000356 5000357 || [SENDMAIL] Username with pipe symbol || url,wiki.quadrantsec.com/bin/view/Main/5000357 5000359 || [APACHE] Directory traversal attempt - 1 || url,wiki.quadrantsec.com/bin/view/Main/5000359 5000360 || [APACHE] Directory traversal attempt - 2 || url,wiki.quadrantsec.com/bin/view/Main/5000360 5000361 || [APACHE] Robots.txt access || url,wiki.quadrantsec.com/bin/view/Main/5000361 5000362 || [APACHE] PHPinfo access attempt [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000362 5000364 || [APACHE] Php-my-admin access attempt [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000364 5000365 || [ATTACK] Possible buffer overflow attempt [yppasswd?] 
|| url,wiki.quadrantsec.com/bin/view/Main/5000356 5000366 || [ATTACK] Heap overflow in the Solaris cachefsd service || url,wiki.quadrantsec.com/bin/view/Main/5000366 5000367 || [IMAPD] User login failed || url,wiki.quadrantsec.com/bin/view/Main/5000367 5000368 || [HORDEIMP] Failed login || url,wiki.quadrantsec.com/bin/view/Main/5000368 5000369 || [HORDEIMP] Emergency message || url,wiki.quadrantsec.com/bin/view/Main/5000369 5000370 || [HORDEIMP] IMP successful login || url,wiki.quadrantsec.com/bin/view/Main/5000370 5000371 || [HORDEIMP] Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000371 5000372 || [HORDEIMP] Error message || url,wiki.quadrantsec.com/bin/view/Main/5000372 5000373 || [POSTGRESQL] Informational message || url,wiki.quadrantsec.com/bin/view/Main/5000373 5000374 || [PROFTPD] Remote host disconnected due to time out || url,wiki.quadrantsec.com/bin/view/Main/5000374 5000375 || [SAMBA] User action denied by configuration || url,wiki.quadrantsec.com/bin/view/Main/5000375 5000376 || [SYSLOG] User or group was deleted from the system || url,wiki.quadrantsec.com/bin/view/Main/5000376 5000377 || [SYSLOG] Information for a user was changed || url,wiki.quadrantsec.com/bin/view/Main/5000377 5000378 || [APACHE] Attempt to access a non-existent file or stream || url,wiki.quadrantsec.com/bin/view/Main/5000378 5000379 || [XINETD] Excessive number connections to a service || url,wiki.quadrantsec.com/bin/view/Main/5000379 5000380 || [VMWARE] Virtual machine being turned ON || url,wiki.quadrantsec.com/bin/view/Main/5000380 5000381 || [WINDOWS-MISC] LSASRV - Could not establish a secure connection || url,wiki.quadrantsec.com/bin/view/Main/5000381 5000382 || [WINDOWS-MISC] Bonjour service is active [iTunes installed?] 
|| url,wiki.quadrantsec.com/bin/view/Main/5000382 5000383 || [KNOCKD] Open Sesame || url,wiki.quadrantsec.com/bin/view/Main/5000383 5000384 || [KNOCKD] Sequence timeout || url,wiki.quadrantsec.com/bin/view/Main/5000384 5000385 || [BASH] iptables command access || url,wiki.quadrantsec.com/bin/view/Main/5000385 5000386 || [SNORT] Snort syslog message || url,wiki.quadrantsec.com/bin/view/Main/5000386 5000387 || [SQUID] MSG Messenger access || url,wiki.quadrantsec.com/bin/view/Main/5000387 5000388 || [CISCO-IOS] Fan failure - Fan not rotating [0/2] || url,wiki.quadrantsec.com/bin/view/Main/5000388 5000392 || [TELNET] Attempt to login with an option || url,wiki.quadrantsec.com/bin/view/Main/5000392 5000393 || [SYSLOG] kcfd - Unable to open certificate file || url,wiki.quadrantsec.com/bin/view/Main/5000393 5000395 || [SYSLOG] automount - Couldn't stat filesystem || url,wiki.quadrantsec.com/bin/view/Main/5000395 5000396 || [NETSCREEN] Fragmented traffic || url,wiki.quadrantsec.com/bin/view/Main/5000396 5000397 || [NETSCREEN] FIN but no ACK bit || url,wiki.quadrantsec.com/bin/view/Main/5000397 5000398 || [NETSCREEN] Port scan! || url,wiki.quadrantsec.com/bin/view/Main/5000398 5000399 || [NETSCREEN] ICMP fragment || url,wiki.quadrantsec.com/bin/view/Main/5000399 5000400 || [NETSCREEN] Malicious URL || url,wiki.quadrantsec.com/bin/view/Main/5000400 5000401 || [NETSCREEN] Large ICMP packet || url,wiki.quadrantsec.com/bin/view/Main/5000401 5000402 || [NETSCREEN] No tcp flag has been detected || url,wiki.quadrantsec.com/bin/view/Main/5000402 5000403 || [NETSCREEN] Denied traffic || url,wiki.quadrantsec.com/bin/view/Main/5000403 5000404 || [NETSCREEN] Syslog enabled || url,wiki.quadrantsec.com/bin/view/Main/5000404 5000405 || [SYSLOG] rmclomv - Power Supply FAULT! 
|| url,wiki.quadrantsec.com/bin/view/Main/5000405 5000409 || [SU] su as 'root' succeeded || url,wiki.quadrantsec.com/bin/view/Main/5000409 5000410 || [SYSLOG] Nagios nrpe - Host not allowed || url,wiki.quadrantsec.com/bin/view/Main/5000410 5000411 || [OPENSSH] User logged into a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000411 5000412 || [FTPD] User logged into a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000412 5000413 || [PROFTPD] User logged into a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000413 5000414 || [PUREFTPD] User logged into a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000414 5000415 || [FTPD] User logged into a disabled account || url,wiki.quadrantsec.com/bin/view/Main/5000415 5000416 || [CISCO-PIXASA] Failed to initialize 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000416 5000417 || [CISCO-PIXASA] Failed to initialize SFP in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000417 5000418 || [CISCO-PIXASA] Failed to run cached commands in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000418 5000419 || [CISCO-PIXASA] Internal error in function || url, wiki.quadrantsec.com/bin/view/Main/5000419 5000420 || [CISCO-PIXASA] AAA Marking protocol server ip-addr in server group tag as FAILED || url, wiki.quadrantsec.com/bin/view/Main/5000420 5000421 || [CISCO-PIXASA] Internal error in - function message || url, wiki.quadrantsec.com/bin/view/Main/5000421 5000422 || [CISCO-PIXASA] Internal error in function Fiber library cannot locate AK47 instance || url, wiki.quadrantsec.com/bin/view/Main/5000422 5000423 || [CISCO-PIXASA] Internal error in function Fiber library cannot attach AK47 instance || url, wiki.quadrantsec.com/bin/view/Main/5000423 5000424 || [CISCO-PIXASA] Internal error in function Fiber library cannot allocate default arena || url, wiki.quadrantsec.com/bin/view/Main/5000424 5000425 || [CISCO-PIXASA] Internal error in function Fiber 
library cannot allocate fiber descriptors pool || url, wiki.quadrantsec.com/bin/view/Main/5000425 5000426 || [CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber stacks pool || url, wiki.quadrantsec.com/bin/view/Main/5000426 5000427 || [CISCO-PIXASA] Internal error in function Fiber has joined fiber in unfinished state || url, wiki.quadrantsec.com/bin/view/Main/5000427 5000428 || [CISCO-PIXASA] Internal error in function Fiber scheduler has reached unreachable code. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000428 5000429 || [CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling rotten fiber. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000429 5000430 || [CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling alien fiber. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000430 5000431 || [CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling finished fiber. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000431 5000432 || [CISCO-PIXASA] Internal error in function Fiber has joined fiber waited upon by someone else || url, wiki.quadrantsec.com/bin/view/Main/5000432 5000433 || [CISCO-PIXASA] Internal error in function Fiber in callback blocked on other channel || url, wiki.quadrantsec.com/bin/view/Main/5000433 5000434 || [CISCO-PIXASA] Internal error in function OCCAM failed to allocate memory for AK47 instance || url, wiki.quadrantsec.com/bin/view/Main/5000434 5000435 || [CISCO-PIXASA] Internal error in function OCCAM has corrupted ROL array. 
Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000435 5000436 || [CISCO-PIXASA] Internal error in function OCCAM cached block has no associated arena || url, wiki.quadrantsec.com/bin/view/Main/5000436 5000437 || [CISCO-PIXASA] Internal error in function OCCAM pool has no associated arena || url, wiki.quadrantsec.com/bin/view/Main/5000437 5000438 || [CISCO-PIXASA] Internal error in function OCCAM has corrupted pool list. Cannot continue terminating || url, wiki.quadrantsec.com/bin/view/Main/5000438 5000439 || [CISCO-PIXASA] Internal error in function OCCAM pool has no block list || url, wiki.quadrantsec.com/bin/view/Main/5000439 5000440 || [CISCO-PIXASA] Internal error in function OCCAM no realloc allowed in named pool || url, wiki.quadrantsec.com/bin/view/Main/5000440 5000441 || [CISCO-PIXASA] Internal error in function OCCAM corrupted standalone block || url, wiki.quadrantsec.com/bin/view/Main/5000441 5000442 || [CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL || url, wiki.quadrantsec.com/bin/view/Main/5000442 5000443 || [CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL || url, wiki.quadrantsec.com/bin/view/Main/5000443 5000444 || [CISCO-PIXASA] Unexpected fiber scheduler error - possible out-of-memory condition || url, wiki.quadrantsec.com/bin/view/Main/5000444 5000445 || [CISCO-PIXASA] Failed to get port statistics in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000445 5000446 || [CISCO-PIXASA] Failed to get current msr in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000446 5000447 || [CISCO-PIXASA] Failed to enable port after link is up in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000447 5000448 || [CISCO-PIXASA] Failed to set multicast address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000448 5000449 || [CISCO-PIXASA] Failed to set multicast hardware address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000449 5000450 || 
[CISCO-PIXASA] Failed to delete multicast address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000450 5000451 || [CISCO-PIXASA] Failed to delete multicast hardware address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000451 5000452 || [CISCO-PIXASA] Failed to set mac address table in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000452 5000453 || [CISCO-PIXASA] Failed to set mac address in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000453 5000454 || [CISCO-PIXASA] Failed to set mode in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000454 5000455 || [CISCO-PIXASA] Failed to set multicast mode in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000455 5000456 || [CISCO-PIXASA] Failed to get link status in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000456 5000457 || [CISCO-PIXASA] Failed to set port speed in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000457 5000458 || [CISCO-PIXASA] Failed to set media type in 4GE SSM I/O card || url, wiki.quadrantsec.com/bin/view/Main/5000458 5000459 || [CISCO-PIXASA] Internal error in function message || url, wiki.quadrantsec.com/bin/view/Main/5000459 5000460 || [CISCO-PIXASA] I2C_API_name error || url, wiki.quadrantsec.com/bin/view/Main/5000460 5000461 || [CISCO-PIXASA] VPN Handle error protocol || url, wiki.quadrantsec.com/bin/view/Main/5000461 5000462 || [CISCO-PIXASA] Module in slot experienced a control channel communications failure || url, wiki.quadrantsec.com/bin/view/Main/5000462 5000463 || [CISCO-PIXASA] Module in slot failed to write software. 
Hw-module reset is required before further use || url, wiki.quadrantsec.com/bin/view/Main/5000463 5000464 || [CISCO-PIXASA] Module in slot can not be powered on completely || url, wiki.quadrantsec.com/bin/view/Main/5000464 5000465 || [CISCO-PIXASA] Type Module in slot experienced a data channel communication failure, data channel is DOWN || url, wiki.quadrantsec.com/bin/view/Main/5000465 5000466 || [CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [1] || url, wiki.quadrantsec.com/bin/view/Main/5000466 5000467 || [CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [2] || url, wiki.quadrantsec.com/bin/view/Main/5000467 5000468 || [CISCO-PIXASA] TCP|UDP flow from interface is dropped because application has failed || url, wiki.quadrantsec.com/bin/view/Main/5000468 5000469 || [CISCO-PIXASA] TCP|UDP flow from interface is skipped because application has failed || url, wiki.quadrantsec.com/bin/view/Main/5000469 5000470 || [CISCO-PIXASA] Authentication to SSO server failed || url, wiki.quadrantsec.com/bin/view/Main/5000470 5000471 || [CISCO-PIXASA] Email Proxy session pointer has terminated due to reason error || url, wiki.quadrantsec.com/bin/view/Main/5000471 5000472 || [CISCO-PIXASA] SVC Message ERROR message [1] || url, wiki.quadrantsec.com/bin/view/Main/5000472 5000473 || [CISCO-PIXASA] SVC Message ERROR message [2] || url, wiki.quadrantsec.com/bin/view/Main/5000473 5000474 || [CISCO-PIXASA] SVC Message ERROR message [3] || url, wiki.quadrantsec.com/bin/view/Main/5000474 5000475 || [CISCO-PIXASA] Module in slot is not able to shut down. Module Error || url, wiki.quadrantsec.com/bin/view/Main/5000475 5000476 || [CISCO-PIXASA] Module in slot is not able to reload. Module Error || url, wiki.quadrantsec.com/bin/view/Main/5000476 5000477 || [CISCO-PIXASA] Module in slot failed to write software. 
Trying again || url, wiki.quadrantsec.com/bin/view/Main/5000477 5000478 || [CISCO-PIXASA] IPS requested to drop ICMP packets || url, wiki.quadrantsec.com/bin/view/Main/5000478 5000479 || [CISCO-PIXASA] {Allowed | Dropped} invalid NBNS pkt || url, wiki.quadrantsec.com/bin/view/Main/5000479 5000480 || [CISCO-PIXASA] {Allowed | Dropped} mismatched NBNS pkt || url, wiki.quadrantsec.com/bin/view/Main/5000480 5000481 || [CISCO-PIXASA] {Allowed | Dropped} invalid NBDGM pkt || url, wiki.quadrantsec.com/bin/view/Main/5000481 5000482 || [CISCO-PIXASA] {Allowed | Dropped} mismatched NBDGM pkt || url, wiki.quadrantsec.com/bin/view/Main/5000482 5000483 || [CISCO-PIXASA] {Allowed | Dropped} NBDGM pkt || url, wiki.quadrantsec.com/bin/view/Main/5000483 5000484 || [CISCO-PIXASA] Packet denied. [Ingress|Egress] interface is in a backup state || url, wiki.quadrantsec.com/bin/view/Main/5000484 5000485 || [CISCO-PIXASA] Connection to the backup interface is denied || url, wiki.quadrantsec.com/bin/view/Main/5000485 5000486 || [CISCO-PIXASA] Deny traffic, licensed host limit exceeded. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000486 5000487 || [CISCO-PIXASA] Received DH key with bad length || url, wiki.quadrantsec.com/bin/view/Main/5000487 5000488 || [CISCO-PIXASA] META-DATA Unexpected error in Next Card Code mode while not doing SDI || url, wiki.quadrantsec.com/bin/view/Main/5000488 5000489 || [CISCO-PIXASA] META-DATA Received authentication failure message || url, wiki.quadrantsec.com/bin/view/Main/5000489 5000490 || [CISCO-PIXASA] [VPN-unit] Failed to initialize with Chunk Manager || url, wiki.quadrantsec.com/bin/view/Main/5000490 5000491 || [CISCO-PIXASA] [VPN-unit] Failed to allocate chunk from Chunk Manager || url, wiki.quadrantsec.com/bin/view/Main/5000491 5000492 || [CISCO-PIXASA] [VPN-unit] Failed to register to High Availability Framework || url, wiki.quadrantsec.com/bin/view/Main/5000492 5000493 || [CISCO-PIXASA] [VPN-unit] Failed to create version control block || url, wiki.quadrantsec.com/bin/view/Main/5000493 5000494 || [CISCO-PIXASA] [VPN-unit] Failed to allocate memory || url, wiki.quadrantsec.com/bin/view/Main/5000494 5000495 || [CISCO-PIXASA] [VPN-unit] Failed to insert certificate in trust point || url, wiki.quadrantsec.com/bin/view/Main/5000495 5000496 || [CISCO-PIXASA] [VPN-unit] Failed to queue add to message queue || url, wiki.quadrantsec.com/bin/view/Main/5000496 5000497 || [CISCO-PIXASA] [VPN-unit] Failed to send type message id to standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000497 5000498 || [CISCO-PIXASA] [VPN-unit] Failed to receive message from active unit || url, wiki.quadrantsec.com/bin/view/Main/5000498 5000499 || [CISCO-PIXASA] [VPN-unit] Failed to sync SDI node secret file for server on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000499 5000500 || [CISCO-PIXASA] [VPN-unit] Failed to add new SDI node secret file for server id on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000500 5000501 || [CISCO-PIXASA] [VPN-unit] Failed to delete SDI node secret file for server 
id on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000501 5000502 || [CISCO-PIXASA] [VPN-unit] Failed to add cTCP IKE rule during bulk sync || url, wiki.quadrantsec.com/bin/view/Main/5000502 5000503 || [CISCO-PIXASA] [VPN-unit] Failed to add new cTCP record || url, wiki.quadrantsec.com/bin/view/Main/5000503 5000504 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover can only be run in single/non-transparent mode || url, wiki.quadrantsec.com/bin/view/Main/5000504 5000505 || [CISCO-PIXASA] [VPN-unit] Failed to update cTCP database || url, wiki.quadrantsec.com/bin/view/Main/5000505 5000506 || [CISCO-PIXASA] [VPN-unit] Failed to add new cTCP IKE rule || url, wiki.quadrantsec.com/bin/view/Main/5000506 5000507 || [CISCO-PIXASA] [VPN-unit] Failed to activate IKE database || url, wiki.quadrantsec.com/bin/view/Main/5000507 5000508 || [CISCO-PIXASA] [VPN-unit] Failed to deactivate IKE database || url, wiki.quadrantsec.com/bin/view/Main/5000508 5000509 || [CISCO-PIXASA] [VPN-unit] Failed to parse peer message || url, wiki.quadrantsec.com/bin/view/Main/5000509 5000510 || [CISCO-PIXASA] [VPN-unit] Failed to activate cTCP database || url, wiki.quadrantsec.com/bin/view/Main/5000510 5000511 || [CISCO-PIXASA] [VPN-unit] Failed to deactivate cTCP database || url, wiki.quadrantsec.com/bin/view/Main/5000511 5000512 || [CISCO-PIXASA] [VPN-unit] Fail to insert certificate in trust point on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000512 5000513 || [CISCO-PIXASA] Error parsing SVC connect request || url, wiki.quadrantsec.com/bin/view/Main/5000513 5000514 || [CISCO-PIXASA] Error consolidating SVC connect request. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000514 5000515 || [CISCO-PIXASA] Error authenticating SVC connect request || url, wiki.quadrantsec.com/bin/view/Main/5000515 5000516 || [CISCO-PIXASA] Error responding to SVC connect request || url, wiki.quadrantsec.com/bin/view/Main/5000516 5000517 || [CISCO-PIXASA] Bad SVC frame length length expected || url, wiki.quadrantsec.com/bin/view/Main/5000517 5000518 || [CISCO-PIXASA] Bad SVC framing 525446, reserved 0 || url, wiki.quadrantsec.com/bin/view/Main/5000518 5000519 || [CISCO-PIXASA] Bad SVC protocol version || url, wiki.quadrantsec.com/bin/view/Main/5000519 5000520 || [CISCO-PIXASA] CRYPTO An attempt to allocate a large memory block failed || url, wiki.quadrantsec.com/bin/view/Main/5000520 5000521 || [CISCO-PIXASA] META-DATA Rekey initiation is being disabled during CRACK authentication || url, wiki.quadrantsec.com/bin/view/Main/5000521 5000522 || [CISCO-PIXASA] Integrity Firewall Server is not available. VPN Tunnel creation rejected for client || url, wiki.quadrantsec.com/bin/view/Main/5000522 5000523 || [CISCO-PIXASA] Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client || url, wiki.quadrantsec.com/bin/view/Main/5000523 5000525 || [CISCO-PIXASA] [VPN-unit] Failed to initialize default timer || url, wiki.quadrantsec.com/bin/view/Main/5000525 5000526 || [CISCO-PIXASA] [VPN-unit] Failed to update LB runtime data || url, wiki.quadrantsec.com/bin/view/Main/5000526 5000527 || [CISCO-PIXASA] [VPN-unit] Failed to get a buffer from the underlying core high availability subsystem || url, wiki.quadrantsec.com/bin/view/Main/5000527 5000528 || [CISCO-PIXASA] [VPN-unit] Failed to update cTCP statistics || url, wiki.quadrantsec.com/bin/view/Main/5000528 5000529 || [CISCO-PIXASA] [VPN-unit] Failed to send type timer message || url, wiki.quadrantsec.com/bin/view/Main/5000529 5000530 || [CISCO-PIXASA] [VPN-unit] HA non-block send failed for peer msg. HA error code. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000530 5000531 || [CISCO-PIXASA] [VPN-unit] Fail to look up CTCP flow handle || url, wiki.quadrantsec.com/bin/view/Main/5000531 5000532 || [CISCO-PIXASA] [VPN-unit] Failed to process state update message from the active peer || url, wiki.quadrantsec.com/bin/view/Main/5000532 5000533 || [CISCO-PIXASA] [VPN-unit] Failed to update cTCP dynamic data || url, wiki.quadrantsec.com/bin/view/Main/5000533 5000534 || [CISCO-PIXASA] Timeout waiting for Integrity Firewall Server to become available || url, wiki.quadrantsec.com/bin/view/Main/5000534 5000535 || [CISCO-PIXASA] CRYPTO An attempt to release a DMA memory block failed, location address || url, wiki.quadrantsec.com/bin/view/Main/5000535 5000536 || [CISCO-PIXASA] WebVPN access DENIED to specified location url || url, wiki.quadrantsec.com/bin/view/Main/5000536 5000537 || [CISCO-PIXASA] WebVPN ACL Parse Error || url, wiki.quadrantsec.com/bin/view/Main/5000537 5000538 || [CISCO-PIXASA] WebVPN session not allowed. WebVPN ACL parse error || url, wiki.quadrantsec.com/bin/view/Main/5000538 5000539 || [CISCO-PIXASA] Reboot pending, new sessions disabled. Denied user login || url, wiki.quadrantsec.com/bin/view/Main/5000539 5000540 || [CISCO-PIXASA] Error adding to ACL || url, wiki.quadrantsec.com/bin/view/Main/5000540 5000541 || [CISCO-PIXASA] Error adding dynamic ACL for user || url, wiki.quadrantsec.com/bin/view/Main/5000541 5000542 || [CISCO-PIXASA] Email Proxy feature is disabled on interface || url, wiki.quadrantsec.com/bin/view/Main/5000542 5000543 || [CISCO-PIXASA] WebVPN authorization failed || url, wiki.quadrantsec.com/bin/view/Main/5000543 5000544 || [CISCO-PIXASA] WebVPN authorization completed successfully || url, wiki.quadrantsec.com/bin/view/Main/5000544 5000545 || [CISCO-PIXASA] WebVPN has not been successfully authenticated. 
Access denied || url, wiki.quadrantsec.com/bin/view/Main/5000545 5000546 || [CISCO-PIXASA] Email Proxy piggyback auth fail session || url, wiki.quadrantsec.com/bin/view/Main/5000546 5000547 || [CISCO-PIXASA] Email Proxy DNS name resolution failed for hostname || url, wiki.quadrantsec.com/bin/view/Main/5000547 5000548 || [CISCO-PIXASA] [VPN-unit] Starting VPN Stateful Failover Subsystem || url, wiki.quadrantsec.com/bin/view/Main/5000548 5000549 || [CISCO-PIXASA] [VPN-unit] Initialization of VPN Stateful Failover Component completed successfully || url, wiki.quadrantsec.com/bin/view/Main/5000549 5000550 || [CISCO-PIXASA] [VPN-unit] VPN failover main thread started || url, wiki.quadrantsec.com/bin/view/Main/5000550 5000551 || [CISCO-PIXASA] [VPN-unit] VPN failover timer thread started || url, wiki.quadrantsec.com/bin/view/Main/5000551 5000552 || [CISCO-PIXASA] [VPN-unit] VPN failover sync thread started || url, wiki.quadrantsec.com/bin/view/Main/5000552 5000553 || [CISCO-PIXASA] [VPN-unit] VPN failover client is being disabled || url, wiki.quadrantsec.com/bin/view/Main/5000553 5000554 || [CISCO-PIXASA] [VPN-unit] Failed to update IPSec failover runtime data on the standby unit || url, wiki.quadrantsec.com/bin/view/Main/5000554 5000555 || [CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to active state || url, wiki.quadrantsec.com/bin/view/Main/5000555 5000556 || [CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to standby state || url, wiki.quadrantsec.com/bin/view/Main/5000556 5000557 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover Message Thread is being disabled || url, wiki.quadrantsec.com/bin/view/Main/5000557 5000559 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover Timer Thread is disabled || url, wiki.quadrantsec.com/bin/view/Main/5000559 5000561 || [CISCO-PIXASA] [VPN-unit] VPN Stateful failover Sync Thread is disabled. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000561 5000563 || [CISCO-PIXASA] SVC Global Compression Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000563 5000564 || [CISCO-PIXASA] Device failed SSL handshake || url, wiki.quadrantsec.com/bin/view/Main/5000564 5000565 || [CISCO-PIXASA] Failed to inject {TCP|UDP} packet || url, wiki.quadrantsec.com/bin/view/Main/5000565 5000566 || [CISCO-PIXASA] File access DENIED, filename || url, wiki.quadrantsec.com/bin/view/Main/5000566 5000567 || [CISCO-PIXASA] Unable to browse the network || url, wiki.quadrantsec.com/bin/view/Main/5000567 5000568 || [CISCO-PIXASA] Unable to browse domain domain || url, wiki.quadrantsec.com/bin/view/Main/5000568 5000569 || [CISCO-PIXASA] Unable to browse directory || url, wiki.quadrantsec.com/bin/view/Main/5000569 5000570 || [CISCO-PIXASA] Unable to view file || url, wiki.quadrantsec.com/bin/view/Main/5000570 5000571 || [CISCO-PIXASA] Unable to remove file || url, wiki.quadrantsec.com/bin/view/Main/5000571 5000572 || [CISCO-PIXASA] Unable to rename file || url, wiki.quadrantsec.com/bin/view/Main/5000572 5000573 || [CISCO-PIXASA] Unable to modify file || url, wiki.quadrantsec.com/bin/view/Main/5000573 5000574 || [CISCO-PIXASA] Unable to create file || url, wiki.quadrantsec.com/bin/view/Main/5000574 5000575 || [CISCO-PIXASA] Unable to create folder || url, wiki.quadrantsec.com/bin/view/Main/5000575 5000576 || [CISCO-PIXASA] Unable to remove folder || url, wiki.quadrantsec.com/bin/view/Main/5000576 5000577 || [CISCO-PIXASA] File Access User failed to login into the server || url, wiki.quadrantsec.com/bin/view/Main/5000577 5000579 || [CISCO-PIXASA] SVC Session Termination || url, wiki.quadrantsec.com/bin/view/Main/5000579 5000580 || [CISCO-PIXASA] SVC Session Termination Out || url, wiki.quadrantsec.com/bin/view/Main/5000580 5000581 || [CISCO-PIXASA] WebVPN Citrix encountered bad flow control flow || url, wiki.quadrantsec.com/bin/view/Main/5000581 5000582 || [CISCO-PIXASA] WebVPN Citrix SOCKS 
errors || url, wiki.quadrantsec.com/bin/view/Main/5000582 5000583 || [CISCO-PIXASA] WebVPN Citrix receives bad SOCKS socks message length || url, wiki.quadrantsec.com/bin/view/Main/5000583 5000584 || [CISCO-PIXASA] WebVPN Citrix received bad SOCKS socks message format || url, wiki.quadrantsec.com/bin/view/Main/5000584 5000585 || [CISCO-PIXASA] SSL lib error || url, wiki.quadrantsec.com/bin/view/Main/5000585 5000586 || [CISCO-PIXASA] Dynamic DNS Update failed || url, wiki.quadrantsec.com/bin/view/Main/5000586 5000587 || [CISCO-PIXASA] Switching to ACTIVE || url, wiki.quadrantsec.com/bin/view/Main/5000587 5000588 || [CISCO-PIXASA]%PIX|ASA-1-104002 [Primary] Switching to STNDBY [cause string]. || url, wiki.quadrantsec.com/bin/view/Main/5000588 5000589 || [CISCO-PIXASA]%PIX|ASA-1-104003 [Primary] Switching to FAILED || url, wiki.quadrantsec.com/bin/view/Main/5000589 5000590 || [CISCO-PIXASA]%PIX|ASA-1-104004 [Primary] Switching to OK. || url, wiki.quadrantsec.com/bin/view/Main/5000590 5000591 || [CISCO-PIXASA]%PIX|ASA-1-105037 The primary and standby units are switching back and forth as the active unit || url, wiki.quadrantsec.com/bin/view/Main/5000591 5000592 || [CISCO-PIXASA] Failed Identification Test || url, wiki.quadrantsec.com/bin/view/Main/5000592 5000595 || [CISCO-PIXASA] [Primary] Failover cable OK || url, wiki.quadrantsec.com/bin/view/Main/5000595 5000596 || [CISCO-PIXASA] [Primary] Bad failover cable || url, wiki.quadrantsec.com/bin/view/Main/5000596 5000597 || [CISCO-PIXASA] [Primary] Failover cable not connected [this unit] || url, wiki.quadrantsec.com/bin/view/Main/5000597 5000598 || [CISCO-PIXASA] [Primary] Failover cable not connected [other unit] || url, wiki.quadrantsec.com/bin/view/Main/5000598 5000599 || [CISCO-PIXASA] [Primary] Error reading failover cable status || url, wiki.quadrantsec.com/bin/view/Main/5000599 5000600 || [CISCO-PIXASA] [Primary] Power failure/System reload other side || url, wiki.quadrantsec.com/bin/view/Main/5000600 5000601 || 
[CISCO-PIXASA] [Primary] No response from other firewall || url, wiki.quadrantsec.com/bin/view/Main/5000601 5000602 || [CISCO-PIXASA] [Primary] Other firewall network interface OK || url, wiki.quadrantsec.com/bin/view/Main/5000602 5000603 || [CISCO-PIXASA] [Primary] Other firewall network interface failed || url, wiki.quadrantsec.com/bin/view/Main/5000603 5000604 || [CISCO-PIXASA] [Primary] Other firewall reports this firewall failed || url, wiki.quadrantsec.com/bin/view/Main/5000604 5000605 || [CISCO-PIXASA] [Primary] Other firewall reporting failure || url, wiki.quadrantsec.com/bin/view/Main/5000605 5000606 || [CISCO-PIXASA] [Primary] Switching to ACTIVE || url, wiki.quadrantsec.com/bin/view/Main/5000606 5000607 || [CISCO-PIXASA] [Primary] Switching to STNDBY || url, wiki.quadrantsec.com/bin/view/Main/5000607 5000608 || [CISCO-PIXASA] [Primary] Switching to FAILED || url, wiki.quadrantsec.com/bin/view/Main/5000608 5000609 || [CISCO-PIXASA] [Primary] Switching to OK || url, wiki.quadrantsec.com/bin/view/Main/5000609 5000610 || [CISCO-PIXASA] [Primary] Disabling failover || url, wiki.quadrantsec.com/bin/view/Main/5000610 5000611 || [CISCO-PIXASA] [Primary] Enabling failover || url, wiki.quadrantsec.com/bin/view/Main/5000611 5000612 || [CISCO-PIXASA] [Primary] Lost Failover communications with mate on interface || url, wiki.quadrantsec.com/bin/view/Main/5000612 5000614 || [CISCO-PIXASA] [Primary] Failover cable communication failure || url, wiki.quadrantsec.com/bin/view/Main/5000614 5000615 || [CISCO-PIXASA] [failover_unit] Standby unit failed to sync due to a locked config || url, wiki.quadrantsec.com/bin/view/Main/5000615 5000616 || [CISCO-PIXASA] Failover LAN interface is up || url, wiki.quadrantsec.com/bin/view/Main/5000616 5000617 || [CISCO-PIXASA] LAN Failover interface is down || url, wiki.quadrantsec.com/bin/view/Main/5000617 5000618 || [CISCO-PIXASA] Receive a LAN_FAILOVER_UP message from peer || url, wiki.quadrantsec.com/bin/view/Main/5000618 5000619 || 
[CISCO-PIXASA] Receive a LAN failover interface down msg from peer || url, wiki.quadrantsec.com/bin/view/Main/5000619 5000620 || [CISCO-PIXASA] dropped a LAN Failover command message || url, wiki.quadrantsec.com/bin/view/Main/5000620 5000621 || [CISCO-PIXASA] [Primary] Unable to verify the Interface count with mate. Failover may be disabled in mate || url, wiki.quadrantsec.com/bin/view/Main/5000621 5000622 || [CISCO-PIXASA] [Primary] Mate failover version is not compatible || url, wiki.quadrantsec.com/bin/view/Main/5000622 5000623 || [CISCO-PIXASA] [Primary] Failover interface OK || url, wiki.quadrantsec.com/bin/view/Main/5000623 5000624 || [CISCO-PIXASA] [Primary] Failover interface failed || url, wiki.quadrantsec.com/bin/view/Main/5000624 5000625 || [CISCO-PIXASA] Deny protocol reverse path check || url, wiki.quadrantsec.com/bin/view/Main/5000625 5000626 || [CISCO-PIXASA] Deny protocol connection spoof || url, wiki.quadrantsec.com/bin/view/Main/5000626 5000627 || [CISCO-PIXASA] The number of ACL log deny-flows has reached limit || url, wiki.quadrantsec.com/bin/view/Main/5000627 5000628 || [CISCO-PIXASA] RIP auth failed || url, wiki.quadrantsec.com/bin/view/Main/5000628 5000629 || [CISCO-PIXASA] RIP pkt failed || url, wiki.quadrantsec.com/bin/view/Main/5000629 5000631 || [CISCO-PIXASA] Inbound TCP connection denied || url, wiki.quadrantsec.com/bin/view/Main/5000631 5000632 || [CISCO-PIXASA] Connection denied by outbound ACL || url, wiki.quadrantsec.com/bin/view/Main/5000632 5000633 || [CISCO-PIXASA] Deny inbound UDP || url, wiki.quadrantsec.com/bin/view/Main/5000633 5000634 || [CISCO-PIXASA] Deny inbound UDP from outside due to DNS {Response|Query} || url, wiki.quadrantsec.com/bin/view/Main/5000634 5000635 || [CISCO-PIXASA] Dropping echo request || url, wiki.quadrantsec.com/bin/view/Main/5000635 5000636 || [CISCO-PIXASA] Deny IP spoof [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000636 5000637 || [CISCO-PIXASA] Deny IP due to Land Attack [0/5] || url, 
wiki.quadrantsec.com/bin/view/Main/5000637 5000638 || [CISCO-PIXASA] ICMP denied by outbound ACL || url, wiki.quadrantsec.com/bin/view/Main/5000638 5000639 || [CISCO-PIXASA] Deny IP teardrop fragment [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000639 5000640 || [CISCO-PIXASA] Bad route_compress || url, wiki.quadrantsec.com/bin/view/Main/5000640 5000641 || [CISCO-PIXASA] Failed Identification Test in slot || url, wiki.quadrantsec.com/bin/view/Main/5000641 5000642 || [CISCO-PIXASA] Dropped DNS responses with mis-matched id || url, wiki.quadrantsec.com/bin/view/Main/5000642 5000643 || [CISCO-PIXASA] Configuration replication failed for command || url, wiki.quadrantsec.com/bin/view/Main/5000643 5000644 || [CISCO-PIXASA] Unexpected event || url, wiki.quadrantsec.com/bin/view/Main/5000644 5000645 || [CISCO-PIXASA] [Primary] Failover message block alloc failed || url, wiki.quadrantsec.com/bin/view/Main/5000645 5000646 || [CISCO-PIXASA] Deny inbound protocol || url, wiki.quadrantsec.com/bin/view/Main/5000646 5000647 || [CISCO-PIXASA] Deny inbound [No xlate] || url, wiki.quadrantsec.com/bin/view/Main/5000647 5000648 || [CISCO-PIXASA] Deny inbound ICMP || url, wiki.quadrantsec.com/bin/view/Main/5000648 5000649 || [CISCO-PIXASA] Auth from inside to outside failed [too many pending auths] || url, wiki.quadrantsec.com/bin/view/Main/5000649 5000650 || [CISCO-PIXASA] Can't find authorization ACL for user || url, wiki.quadrantsec.com/bin/view/Main/5000650 5000651 || [CISCO-PIXASA] Downloaded ACL has parsing error || url, wiki.quadrantsec.com/bin/view/Main/5000651 5000652 || [CISCO-PIXASA] Downloaded ACL has config error || url, wiki.quadrantsec.com/bin/view/Main/5000652 5000653 || [CISCO-PIXASA] Unable to install ACL, downloaded for user || url, wiki.quadrantsec.com/bin/view/Main/5000653 5000654 || [CISCO-PIXASA] Kerberos error. 
Clock skew with server greater than 300 seconds || url, wiki.quadrantsec.com/bin/view/Main/5000654 5000655 || [CISCO-PIXASA] FTP data connection failed || url, wiki.quadrantsec.com/bin/view/Main/5000655 5000656 || [CISCO-PIXASA] RCMD backconnection failed || url, wiki.quadrantsec.com/bin/view/Main/5000656 5000657 || [CISCO-PIXASA] LU sw_module_name error || url, wiki.quadrantsec.com/bin/view/Main/5000657 5000658 || [CISCO-PIXASA] LU allocate block [bytes] failed || url, wiki.quadrantsec.com/bin/view/Main/5000658 5000659 || [CISCO-PIXASA] LU allocate connection failed || url, wiki.quadrantsec.com/bin/view/Main/5000659 5000660 || [CISCO-PIXASA] LU look NAT failed || url, wiki.quadrantsec.com/bin/view/Main/5000660 5000661 || [CISCO-PIXASA] LU allocate xlate failed || url, wiki.quadrantsec.com/bin/view/Main/5000661 5000662 || [CISCO-PIXASA] LU make UDP connection for outside to inside failed || url, wiki.quadrantsec.com/bin/view/Main/5000662 5000663 || [CISCO-PIXASA] LU PAT port reserve failed || url, wiki.quadrantsec.com/bin/view/Main/5000663 5000664 || [CISCO-PIXASA] LU create static xlate interface failed || url, wiki.quadrantsec.com/bin/view/Main/5000664 5000665 || [CISCO-PIXASA] Memory allocation Error || url, wiki.quadrantsec.com/bin/view/Main/5000665 5000666 || [CISCO-PIXASA] Unable to open SNMP channel || url, wiki.quadrantsec.com/bin/view/Main/5000666 5000667 || [CISCO-PIXASA] Unable to open SNMP trap channel || url, wiki.quadrantsec.com/bin/view/Main/5000667 5000668 || [CISCO-PIXASA] Unable to receive an SNMP request on interface || url, wiki.quadrantsec.com/bin/view/Main/5000668 5000669 || [CISCO-PIXASA] Unable to send an SNMP response || url, wiki.quadrantsec.com/bin/view/Main/5000669 5000670 || [CISCO-PIXASA] Dropping SNMP request || url, wiki.quadrantsec.com/bin/view/Main/5000670 5000671 || [CISCO-PIXASA] PPTP tunnel hashtable insert failed || url, wiki.quadrantsec.com/bin/view/Main/5000671 5000672 || [CISCO-PIXASA] PPP virtual interface client ip 
allocation failed || url, wiki.quadrantsec.com/bin/view/Main/5000672 5000673 || [CISCO-PIXASA] H.323 library_name ASN Library failed to initialize || url, wiki.quadrantsec.com/bin/view/Main/5000673 5000674 || [CISCO-PIXASA] ACL = deny no sa created || url, wiki.quadrantsec.com/bin/view/Main/5000674 5000675 || [CISCO-PIXASA] {outbound static|identity|portmap|regular] translation creation failed || url, wiki.quadrantsec.com/bin/view/Main/5000675 5000676 || [CISCO-PIXASA] Denied ICMP || url, wiki.quadrantsec.com/bin/view/Main/5000676 5000677 || [CISCO-PIXASA] Denied ICMPv6 || url, wiki.quadrantsec.com/bin/view/Main/5000677 5000678 || [CISCO-PIXASA] Fail to establish SSH session because RSA host key retrieval failed || url, wiki.quadrantsec.com/bin/view/Main/5000678 5000679 || [CISCO-PIXASA] Denied new tunnel limit exceeded || url, wiki.quadrantsec.com/bin/view/Main/5000679 5000681 || [CISCO-PIXASA] IP routing table creation failure || url, wiki.quadrantsec.com/bin/view/Main/5000681 5000682 || [CISCO-PIXASA] Internal error || url, wiki.quadrantsec.com/bin/view/Main/5000682 5000683 || [CISCO-PIXASA] Arp update for IP address address to NPn failed || url, wiki.quadrantsec.com/bin/view/Main/5000683 5000684 || [CISCO-PIXASA] Route update for IP address failed || url, wiki.quadrantsec.com/bin/view/Main/5000684 5000685 || [CISCO-PIXASA] Deny MAC address possible spoof attempt || url, wiki.quadrantsec.com/bin/view/Main/5000685 5000686 || [CISCO-PIXASA] ARP inspection check failed [1] || url, wiki.quadrantsec.com/bin/view/Main/5000686 5000687 || [CISCO-PIXASA] ARP inspection check failed [2] || url, wiki.quadrantsec.com/bin/view/Main/5000687 5000690 || [CISCO-PIXASA] GSN tunnel limit exceeded || url, wiki.quadrantsec.com/bin/view/Main/5000690 5000691 || [CISCO-PIXASA] Radius Accounting Request has a bad header length || url, wiki.quadrantsec.com/bin/view/Main/5000691 5000692 || [CISCO-PIXASA] Unexpected error in the timer library || url, 
wiki.quadrantsec.com/bin/view/Main/5000692 5000693 || [CISCO-PIXASA] Error || url, wiki.quadrantsec.com/bin/view/Main/5000693 5000694 || [CISCO-PIXASA] An internal error occurred while processing a packet queue || url, wiki.quadrantsec.com/bin/view/Main/5000694 5000695 || [CISCO-PIXASA] Mrib notification failed || url, wiki.quadrantsec.com/bin/view/Main/5000695 5000696 || [CISCO-PIXASA] Entry-creation failed || url, wiki.quadrantsec.com/bin/view/Main/5000696 5000697 || [CISCO-PIXASA] Entry-update failed || url, wiki.quadrantsec.com/bin/view/Main/5000697 5000698 || [CISCO-PIXASA] MRIB registration failed || url, wiki.quadrantsec.com/bin/view/Main/5000698 5000699 || [CISCO-PIXASA] MRIB connection-open failed || url, wiki.quadrantsec.com/bin/view/Main/5000699 5000700 || [CISCO-PIXASA] MRIB unbind failed || url, wiki.quadrantsec.com/bin/view/Main/5000700 5000701 || [CISCO-PIXASA] MRIB table deletion failed || url, wiki.quadrantsec.com/bin/view/Main/5000701 5000702 || [CISCO-PIXASA] Initialization of string functionality failed || url, wiki.quadrantsec.com/bin/view/Main/5000702 5000703 || [CISCO-PIXASA] Internal error || url, wiki.quadrantsec.com/bin/view/Main/5000703 5000704 || [CISCO-PIXASA] Initialization failed || url, wiki.quadrantsec.com/bin/view/Main/5000704 5000705 || [CISCO-PIXASA] Communication error || url, wiki.quadrantsec.com/bin/view/Main/5000705 5000706 || [CISCO-PIXASA] Failed to set un-numbered interface || url, wiki.quadrantsec.com/bin/view/Main/5000706 5000707 || [CISCO-PIXASA] Interface Manager error || url, wiki.quadrantsec.com/bin/view/Main/5000707 5000708 || [CISCO-PIXASA] List error || url, wiki.quadrantsec.com/bin/view/Main/5000708 5000709 || [CISCO-PIXASA] Error || url, wiki.quadrantsec.com/bin/view/Main/5000709 5000710 || [CISCO-PIXASA] Error || url, wiki.quadrantsec.com/bin/view/Main/5000710 5000711 || [CISCO-PIXASA] An internal error occurred while processing a packet queue || url, wiki.quadrantsec.com/bin/view/Main/5000711 5000712 || 
[CISCO-PIXASA] Server unexpected error || url, wiki.quadrantsec.com/bin/view/Main/5000712 5000713 || [CISCO-PIXASA] Corrupted update || url, wiki.quadrantsec.com/bin/view/Main/5000713 5000714 || [CISCO-PIXASA] Asynchronous error || url, wiki.quadrantsec.com/bin/view/Main/5000714 5000715 || [CISCO-PIXASA] IP SLA Monitor Failed to initialize, will not work || url, wiki.quadrantsec.com/bin/view/Main/5000715 5000716 || [CISCO-PIXASA] IP SLA Monitor Generic Timer wheel timer functionality failed to initialize || url, wiki.quadrantsec.com/bin/view/Main/5000716 5000717 || [CISCO-PIXASA] PPPoE - Bad host-unique in PADO - packet dropped || url, wiki.quadrantsec.com/bin/view/Main/5000717 5000718 || [CISCO-PIXASA] PPPoE - Bad host-unique in PADS - dropping packet || url, wiki.quadrantsec.com/bin/view/Main/5000718 5000719 || [CISCO-PIXASA] PPPoEPPPoE client on interface failed to locate PPPoE vpdn group || url, wiki.quadrantsec.com/bin/view/Main/5000719 5000720 || [CISCO-PIXASA] Failed to save logging buffer using filename to FTP server || url, wiki.quadrantsec.com/bin/view/Main/5000720 5000721 || [CISCO-PIXASA] Failed to save logging buffer to flash or syslog directory using file name filename || url, wiki.quadrantsec.com/bin/view/Main/5000721 5000722 || [CISCO-PIXASA] NTP daemon Packet denied || url, wiki.quadrantsec.com/bin/view/Main/5000722 5000723 || [CISCO-PIXASA] NTP daemon Authentication failed || url, wiki.quadrantsec.com/bin/view/Main/5000723 5000724 || [CISCO-PIXASA] VPNClient Backup Server List Error || url, wiki.quadrantsec.com/bin/view/Main/5000724 5000725 || [CISCO-PIXASA] Error processing payload || url, wiki.quadrantsec.com/bin/view/Main/5000725 5000726 || [CISCO-PIXASA] Tunnel Rejected User matched with group name, check failed || url, wiki.quadrantsec.com/bin/view/Main/5000726 5000727 || [CISCO-PIXASA] Tunnel Rejected User not member of group, check failed || url, wiki.quadrantsec.com/bin/view/Main/5000727 5000728 || [CISCO-PIXASA] Failed to retrieve 
identity certificate || url, wiki.quadrantsec.com/bin/view/Main/5000728 5000729 || [CISCO-PIXASA] Set Cert filehandle failure no IPSec SA in group || url, wiki.quadrantsec.com/bin/view/Main/5000729 5000730 || [CISCO-PIXASA] Request attempt failed! || url, wiki.quadrantsec.com/bin/view/Main/5000730 5000731 || [CISCO-PIXASA] Failed to process CONNECTED notify! || url, wiki.quadrantsec.com/bin/view/Main/5000731 5000732 || [CISCO-PIXASA] Client-reported firewall does not match configured firewall action tunnel || url, wiki.quadrantsec.com/bin/view/Main/5000732 5000733 || [CISCO-PIXASA] Client did not report firewall in use, but there is a configured firewall action tunnel || url, wiki.quadrantsec.com/bin/view/Main/5000733 5000734 || [CISCO-PIXASA] TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access || url, wiki.quadrantsec.com/bin/view/Main/5000734 5000735 || [CISCO-PIXASA] Remote user network access has been restricted by the Firewall Server || url, wiki.quadrantsec.com/bin/view/Main/5000735 5000736 || [CISCO-PIXASA] Remote user has been rejected by the Firewall Server || url, wiki.quadrantsec.com/bin/view/Main/5000736 5000737 || [CISCO-PIXASA] Remote user has been terminated by the Firewall Server || url, wiki.quadrantsec.com/bin/view/Main/5000737 5000738 || [CISCO-PIXASA] Headend security gateway has failed our user authentication attempt - check configured username and password || url, wiki.quadrantsec.com/bin/view/Main/5000738 5000739 || [CISCO-PIXASA] Remote peer has failed user authentication - check configured username and password [10/5] || url, wiki.quadrantsec.com/bin/view/Main/5000739 5000740 || [CISCO-PIXASA] Error Username too long - connection aborted || url, wiki.quadrantsec.com/bin/view/Main/5000740 5000741 || [CISCO-PIXASA] User Authorization failed || url, wiki.quadrantsec.com/bin/view/Main/5000741 5000742 || [CISCO-PIXASA] IKE Receiver Error reading from socket || url, 
wiki.quadrantsec.com/bin/view/Main/5000742 5000743 || [CISCO-PIXASA] Connection failed with peer, no trust-point defined || url, wiki.quadrantsec.com/bin/view/Main/5000743 5000744 || [CISCO-PIXASA] Internal Error, ike_lock trying to lock bit that is already locked || url, wiki.quadrantsec.com/bin/view/Main/5000744 5000745 || [CISCO-PIXASA] Internal Error, ike_lock trying to unlock bit that is not locked || url, wiki.quadrantsec.com/bin/view/Main/5000745 5000746 || [CISCO-PIXASA] Querying keypair failed || url, wiki.quadrantsec.com/bin/view/Main/5000746 5000747 || [CISCO-PIXASA] Certificate enrollment failed for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000747 5000748 || [CISCO-PIXASA] Certificate validation failed || url, wiki.quadrantsec.com/bin/view/Main/5000748 5000749 || [CISCO-PIXASA] CRL polling failed for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000749 5000750 || [CISCO-PIXASA] Failed to refresh CRL cache entry from the server for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000750 5000751 || [CISCO-PIXASA] Failed to query CA certificate for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000751 5000752 || [CISCO-PIXASA] Failed to insert CRL for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000752 5000753 || [CISCO-PIXASA] SSL failed to set device certificate for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000753 5000754 || [CISCO-PIXASA] Certificate chain failed validation || url, wiki.quadrantsec.com/bin/view/Main/5000754 5000755 || [CISCO-PIXASA] Deny protocol || url, wiki.quadrantsec.com/bin/view/Main/5000755 5000756 || [CISCO-PIXASA] Failed to determine the security context for the packetvlansource Vlan || url, wiki.quadrantsec.com/bin/view/Main/5000756 5000757 || [CISCO-PIXASA] NT Domain Authentication Failed rejecting guest login for username. 
|| url, wiki.quadrantsec.com/bin/view/Main/5000757 5000758 || [CISCO-PIXASA] Authentication failed for admin user || url, wiki.quadrantsec.com/bin/view/Main/5000758 5000759 || [CISCO-PIXASA] Authentication failed for network user || url, wiki.quadrantsec.com/bin/view/Main/5000759 5000760 || [CISCO-PIXASA] Denied ICMP || url, wiki.quadrantsec.com/bin/view/Main/5000760 5000761 || [CISCO-PIXASA] No matching connection for ICMP error || url, wiki.quadrantsec.com/bin/view/Main/5000761 5000762 || [CISCO-PIXASA] NAC Downloaded ACL parse failure || url, wiki.quadrantsec.com/bin/view/Main/5000762 5000763 || [CISCO-PIXASA] Shun add failed unable to allocate resources || url, wiki.quadrantsec.com/bin/view/Main/5000763 5000764 || [CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000764 5000765 || [CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed authentication [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000765 5000766 || [CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command || url, wiki.quadrantsec.com/bin/view/Main/5000766 5000767 || [CISCO-PIXASA] PPPoE failed to assign PPP IP address || url, wiki.quadrantsec.com/bin/view/Main/5000767 5000768 || [CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string || url, wiki.quadrantsec.com/bin/view/Main/5000768 5000769 || [CISCO-PIXASA] H225 message contains bad protocol discriminator hex || url, wiki.quadrantsec.com/bin/view/Main/5000769 5000770 || [CISCO-PIXASA] Deny traffic for local-host, license limit of number exceeded || url, wiki.quadrantsec.com/bin/view/Main/5000770 5000771 || [CISCO-PIXASA] Dropped UDP SNMP packet || url, wiki.quadrantsec.com/bin/view/Main/5000771 5000772 || [CISCO-PIXASA] Filter violation error conn number || url, wiki.quadrantsec.com/bin/view/Main/5000772 5000773 || [CISCO-PIXASA] 
Through-the-device packet to/from management-only network is denied || url, wiki.quadrantsec.com/bin/view/Main/5000773 5000774 || [CISCO-PIXASA] Dropping TCP packet, reason MSS exceeded, MSS size, data size || url, wiki.quadrantsec.com/bin/view/Main/5000774 5000775 || [CISCO-PIXASA] RTP conformance Dropping RTP packet || url, wiki.quadrantsec.com/bin/view/Main/5000775 5000776 || [CISCO-PIXASA] RTCP conformance Dropping RTCP packet || url, wiki.quadrantsec.com/bin/view/Main/5000776 5000777 || [CISCO-PIXASA] Dropping Skinny message length value too small || url, wiki.quadrantsec.com/bin/view/Main/5000777 5000778 || [CISCO-PIXASA] Dropping Skinny message length value too large || url, wiki.quadrantsec.com/bin/view/Main/5000778 5000779 || [CISCO-PIXASA] Dropping Skinny message id value not allowed || url, wiki.quadrantsec.com/bin/view/Main/5000779 5000780 || [CISCO-PIXASA] Dropping Skinny message id value registration not complete || url, wiki.quadrantsec.com/bin/view/Main/5000780 5000781 || [CISCO-PIXASA] Auto Update failed || url, wiki.quadrantsec.com/bin/view/Main/5000781 5000782 || [CISCO-PIXASA] Auto Update failed || url, wiki.quadrantsec.com/bin/view/Main/5000782 5000783 || [CISCO-PIXASA] DNS lookup for Server failed! 
|| url, wiki.quadrantsec.com/bin/view/Main/5000783 5000784 || [CISCO-PIXASA] Name lookup failed for hostname during PKI operation || url, wiki.quadrantsec.com/bin/view/Main/5000784 5000785 || [CISCO-PIXASA] Failed to find a suitable trustpoint for issuer || url, wiki.quadrantsec.com/bin/view/Main/5000785 5000786 || [CISCO-PIXASA] Tunnel group search using certificate maps failed || url, wiki.quadrantsec.com/bin/view/Main/5000786 5000787 || [CISCO-PIXASA] IP address end configuration {FAILED|OK} || url, wiki.quadrantsec.com/bin/view/Main/5000787 5000788 || [CISCO-PIXASA] FTP cmd_string command unsupported - failed strict inspection || url, wiki.quadrantsec.com/bin/view/Main/5000788 5000789 || [CISCO-PIXASA] Access denied URL chars || url, wiki.quadrantsec.com/bin/view/Main/5000789 5000790 || [CISCO-PIXASA] Asymmetric NAT rules matched for forward and reverse flows [0/1] || url, wiki.quadrantsec.com/bin/view/Main/5000790 5000791 || [CISCO-PIXASA] EAPoUDP association failed to establish || url, wiki.quadrantsec.com/bin/view/Main/5000791 5000792 || [CISCO-PIXASA] EAPoUDP failed to get a response from host || url, wiki.quadrantsec.com/bin/view/Main/5000792 5000793 || [CISCO-PIXASA] HTTP - matched string in policy-map verification failed || url, wiki.quadrantsec.com/bin/view/Main/5000793 5000794 || [CISCO-PIXASA] Bad TCP hdr length - Possible network scan || url, wiki.quadrantsec.com/bin/view/Main/5000794 5000796 || [CISCO-PIXASA] IKE area failed to find centry for message || url, wiki.quadrantsec.com/bin/view/Main/5000796 5000797 || [CISCO-PIXASA] Failure during phase 1 rekeying attempt due to collision || url, wiki.quadrantsec.com/bin/view/Main/5000797 5000798 || [CISCO-PIXASA] Ignoring received malformed firewall record || url, wiki.quadrantsec.com/bin/view/Main/5000798 5000800 || [CISCO-PIXASA] Create peer failure, already at maximum of number of peers || url, wiki.quadrantsec.com/bin/view/Main/5000800 5000801 || [CISCO-PIXASA] Fail to send to IP || url, 
wiki.quadrantsec.com/bin/view/Main/5000801 5000802 || [CISCO-PIXASA] Socket open failure || url, wiki.quadrantsec.com/bin/view/Main/5000802 5000803 || [CISCO-PIXASA] Socket bind failure || url, wiki.quadrantsec.com/bin/view/Main/5000803 5000804 || [CISCO-PIXASA] Send HELLO response failure || url, wiki.quadrantsec.com/bin/view/Main/5000804 5000805 || [CISCO-PIXASA] Send HELLO request failure || url, wiki.quadrantsec.com/bin/view/Main/5000805 5000806 || [CISCO-PIXASA] Send CFG UPDATE failure || url, wiki.quadrantsec.com/bin/view/Main/5000806 5000807 || [CISCO-PIXASA] Send OOS indicator failure || url, wiki.quadrantsec.com/bin/view/Main/5000807 5000808 || [CISCO-PIXASA] Send TOPOLOGY indicator failure || url, wiki.quadrantsec.com/bin/view/Main/5000808 5000809 || [CISCO-PIXASA] Create of secure tunnel failure || url, wiki.quadrantsec.com/bin/view/Main/5000809 5000810 || [CISCO-PIXASA] Delete of secure tunnel failure || url, wiki.quadrantsec.com/bin/view/Main/5000810 5000811 || [CISCO-PIXASA] Queue send failure from ISR || url, wiki.quadrantsec.com/bin/view/Main/5000811 5000812 || [CISCO-PIXASA] Inbound socket select fail || url, wiki.quadrantsec.com/bin/view/Main/5000812 5000813 || [CISCO-PIXASA] Inbound socket read fail || url, wiki.quadrantsec.com/bin/view/Main/5000813 5000814 || [CISCO-PIXASA] Cannot continue to run || url, wiki.quadrantsec.com/bin/view/Main/5000814 5000815 || [CISCO-PIXASA] Fail to create access list for peer || url, wiki.quadrantsec.com/bin/view/Main/5000815 5000816 || [CISCO-PIXASA] Fail to create tunnel group for peer || url, wiki.quadrantsec.com/bin/view/Main/5000816 5000817 || [CISCO-PIXASA] Fail to delete tunnel group for peer || url, wiki.quadrantsec.com/bin/view/Main/5000817 5000818 || [CISCO-PIXASA] Fail to create crypto map for peer || url, wiki.quadrantsec.com/bin/view/Main/5000818 5000819 || [CISCO-PIXASA] Fail to delete crypto map for peer || url, wiki.quadrantsec.com/bin/view/Main/5000819 5000820 || [CISCO-PIXASA] Fail to create 
crypto policy for peer || url, wiki.quadrantsec.com/bin/view/Main/5000820 5000821 || [CISCO-PIXASA] Fail to delete crypto policy for peer || url, wiki.quadrantsec.com/bin/view/Main/5000821 5000822 || [CISCO-PIXASA] Fail to install LB NP rules || url, wiki.quadrantsec.com/bin/view/Main/5000822 5000823 || [CISCO-PIXASA] Fail to delete LB NP rules || url, wiki.quadrantsec.com/bin/view/Main/5000823 5000824 || [CISCO-PIXASA] Deny IP [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000824 5000825 || [CISCO-PIXASA] Deny TCP [no connection] || url, wiki.quadrantsec.com/bin/view/Main/5000825 5000826 || [CISCO-PIXASA] Failed to determine the security context || url, wiki.quadrantsec.com/bin/view/Main/5000826 5000827 || [CISCO-PIXASA] Failed to determine the security context || url, wiki.quadrantsec.com/bin/view/Main/5000827 5000828 || [CISCO-PIXASA] access-list ACL {permitted | denied | est-allowed} protocol || url, wiki.quadrantsec.com/bin/view/Main/5000828 5000829 || [CISCO-PIXASA] Auth from inside to outside failed [server failed] on interface || url, wiki.quadrantsec.com/bin/view/Main/5000829 5000830 || [CISCO-PIXASA] Auth from inside to outside failed [all servers failed] on interface || url, wiki.quadrantsec.com/bin/view/Main/5000830 5000831 || [CISCO-PIXASA] Authentication failed for user [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000831 5000832 || [CISCO-PIXASA] Authorization permitted for user || url, wiki.quadrantsec.com/bin/view/Main/5000832 5000833 || [CISCO-PIXASA] Authorization denied for user from outside to inside on interface || url, wiki.quadrantsec.com/bin/view/Main/5000833 5000834 || [CISCO-PIXASA] Authorization denied [not authenticated] || url, wiki.quadrantsec.com/bin/view/Main/5000834 5000835 || [CISCO-PIXASA] Authorization denied for user || url, wiki.quadrantsec.com/bin/view/Main/5000835 5000836 || [CISCO-PIXASA] User user locked out on exceeding number successive failed authentication attempts || url, 
wiki.quadrantsec.com/bin/view/Main/5000836 5000837 || [CISCO-PIXASA] AAA unable to complete the request || url, wiki.quadrantsec.com/bin/view/Main/5000837 5000838 || [CISCO-PIXASA] URL Server request failed URL || url, wiki.quadrantsec.com/bin/view/Main/5000838 5000839 || [CISCO-PIXASA] RIP hdr failed || url, wiki.quadrantsec.com/bin/view/Main/5000839 5000840 || [CISCO-PIXASA] No management IP address configured for transparent firewall || url, wiki.quadrantsec.com/bin/view/Main/5000840 5000841 || [CISCO-PIXASA] NAC is disabled for host || url, wiki.quadrantsec.com/bin/view/Main/5000841 5000842 || [CISCO-PIXASA] Login denied [Brute Force] [10/1] || url, wiki.quadrantsec.com/bin/view/Main/5000842 5000843 || [CISCO-PIXASA] Authorization failed || url, wiki.quadrantsec.com/bin/view/Main/5000843 5000844 || [CISCO-PIXASA] User authentication failed [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5000844 5000845 || [CISCO-PIXASA] VPNClient XAUTH Failed || url, wiki.quadrantsec.com/bin/view/Main/5000845 5000846 || [CISCO-PIXASA] VPNClient Secure Unit Authentication Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000846 5000847 || [CISCO-PIXASA] VPNClient User Authentication Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000847 5000848 || [CISCO-PIXASA] VPNClient Device Pass Thru Disabled || url, wiki.quadrantsec.com/bin/view/Main/5000848 5000849 || [CISCO-PIXASA] VPNClient Extended XAUTH conversation initiated when SUA disabled || url, wiki.quadrantsec.com/bin/view/Main/5000849 5000850 || [CISCO-PIXASA] Checksum Failure in database || url, wiki.quadrantsec.com/bin/view/Main/5000850 5000851 || [CISCO-PIXASA] vlan number not available for firewall interface || url, wiki.quadrantsec.com/bin/view/Main/5000851 5000852 || [CISCO-PIXASA] vlan number available for firewall interface || url, wiki.quadrantsec.com/bin/view/Main/5000852 5000853 || [CISCO-PIXASA] Bad register || url, wiki.quadrantsec.com/bin/view/Main/5000853 5000854 || [CISCO-PIXASA] Attempt to send an 
IKE packet from standby unit. Dropping the packet! [0/1] || url, wiki.quadrantsec.com/bin/view/Main/5000854 5000855 || [CISCO-PIXASA] Certificate received from Certificate Authority for trustpoint || url, wiki.quadrantsec.com/bin/view/Main/5000855 5000856 || [CISCO-PIXASA] PKCS 12 export failed || url, wiki.quadrantsec.com/bin/view/Main/5000856 5000857 || [CISCO-PIXASA] PKCS 12 import failed || url, wiki.quadrantsec.com/bin/view/Main/5000857 5000858 || [CISCO-PIXASA] uauth_lookup_net fail for uauth_in || url, wiki.quadrantsec.com/bin/view/Main/5000858 5000859 || [CISCO-PIXASA] Uauth null proxy error || url, wiki.quadrantsec.com/bin/view/Main/5000859 5000861 || [CISCO-PIXASA] Send failure || url, wiki.quadrantsec.com/bin/view/Main/5000861 5000862 || [CISCO-PIXASA] Cert validation failure handle invalid for Main/Aggressive Mode Initiator/Responder! || url, wiki.quadrantsec.com/bin/view/Main/5000862 5000863 || [CISCO-PIXASA] Attempt to get Phase 1 ID data failed while hash computation || url, wiki.quadrantsec.com/bin/view/Main/5000863 5000864 || [CISCO-PIXASA] Processing firewall record || url, wiki.quadrantsec.com/bin/view/Main/5000864 5000865 || [CISCO-PIXASA] Remote user has been granted access by the Firewall Server [Brute Force] [10/1] || url, wiki.quadrantsec.com/bin/view/Main/5000865 5000866 || [CISCO-PIXASA] The Firewall Server has requested a list of active user sessions || url, wiki.quadrantsec.com/bin/view/Main/5000866 5000867 || [CISCO-PIXASA] Got bad refCnt assigning || url, wiki.quadrantsec.com/bin/view/Main/5000867 5000868 || [CISCO-PIXASA] subroutine Q Send failure RetCode || url, wiki.quadrantsec.com/bin/view/Main/5000868 5000869 || [CISCO-PIXASA] subroutine name Bad message code Cod || url, wiki.quadrantsec.com/bin/view/Main/5000869 5000870 || [CISCO-PIXASA] IKE received response to a request from the utility || url, wiki.quadrantsec.com/bin/view/Main/5000870 5000871 || [CISCO-PIXASA] ERROR malformed Keepalive payload || url, 
wiki.quadrantsec.com/bin/view/Main/5000871 5000872 || [CISCO-PIXASA] Claims to be IOS but failed authentication || url, wiki.quadrantsec.com/bin/view/Main/5000872 5000873 || [CISCO-PIXASA] Dropped received IKE fragment || url, wiki.quadrantsec.com/bin/view/Main/5000873 5000874 || [CISCO-PIXASA] Error assembling fragments! Fragment numbers are non-continuous || url, wiki.quadrantsec.com/bin/view/Main/5000874 5000875 || [CISCO-PIXASA] IKE state_machine subtype FSM error history || url, wiki.quadrantsec.com/bin/view/Main/5000875 5000876 || [CISCO-PIXASA] Internal interprocess communication queue send failure || url, wiki.quadrantsec.com/bin/view/Main/5000876 5000877 || [CISCO-PIXASA] Send KEEPALIVE request failure || url, wiki.quadrantsec.com/bin/view/Main/5000877 5000878 || [CISCO-PIXASA] Send KEEPALIVE response failure || url, wiki.quadrantsec.com/bin/view/Main/5000878 5000879 || [CISCO-PIXASA] Fail to create group || url, wiki.quadrantsec.com/bin/view/Main/5000879 5000880 || [CISCO-PIXASA] Creation of group policy || url, wiki.quadrantsec.com/bin/view/Main/5000880 5000881 || [SENDMAIL] SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt || url,http://www.securityfocus.com/bid/38578 || url, wiki.quadrantsec.com/bin/view/Main/5000881 5000883 || [BRO] Successful Password Guessing [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000883 5000884 || [BRO] Protocol Violation [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000884 5000885 || [BRO] Sensitive Login [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000885 5000886 || [BRO] Sensitive Connection [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5000886 5000887 || [BRO] Sensitive Username in password [0/5] 5000888 || [JUNIPER] AS group missing 5000889 || [JUNIPER] Duplicate IP address 5000890 || [JUNIPER] BGP missing MD5 digest 5000891 || [JUNIPER] ARP address change 5000892 || [JUNIPER] BGP no route to host 5000893 || [JUNIPER] Login authentication error 5000894 || [JUNIPER] Possible authentication 
dictionary attack 5000895 || [JUNIPER] SONET Alarm 5000896 || [JUNIPER] Possible SONET ring failure 5000897 || [JUNIPER] SDH Alarm 5000898 || [FORTINET] Protect profile changed || url,wiki.quadrantsec.com/bin/view/Main/5000898 5000899 || [FORTINET] ICMP traffic disallowed || url,wiki.quadrantsec.com/bin/view/Main/5000899 5000900 || [FORTINET] Login from LCD || url,wiki.quadrantsec.com/bin/view/Main/5000900 5000901 || [FORTINET] Administrator Login || url,wiki.quadrantsec.com/bin/view/Main/5000901 5000902 || [FORTINET] Admin login from LCD failed || url,wiki.quadrantsec.com/bin/view/Main/5000902 5000903 || [FORTINET] Admin login failed || url,wiki.quadrantsec.com/bin/view/Main/5000903 5000904 || [FORTINET] Too many bad admin login attempts || url,wiki.quadrantsec.com/bin/view/Main/5000904 5000905 || [FORTINET] Administrator logout || url,wiki.quadrantsec.com/bin/view/Main/5000905 5000906 || [FORTINET] IPS error mode || url,wiki.quadrantsec.com/bin/view/Main/5000906 5000907 || [FORTINET] Login failed [Brute Force] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5000907 5000908 || [FORTINET] Login accepted || url,wiki.quadrantsec.com/bin/view/Main/5000908 5000909 || [FORTINET] Disk full or almost full || url,wiki.quadrantsec.com/bin/view/Main/5000909 5000910 || [FORTINET] Fortigate has started || url,wiki.quadrantsec.com/bin/view/Main/5000910 5000911 || [FORTINET] Fortigate has entered error mode || url,wiki.quadrantsec.com/bin/view/Main/5000911 5000912 || [FORTINET] Fortigate has left error mode || url,wiki.quadrantsec.com/bin/view/Main/5000912 5000913 || [FORTINET] Administrator session timeout || url,wiki.quadrantsec.com/bin/view/Main/5000913 5000914 || [FORTINET] Abnormal Admin session drop || url,wiki.quadrantsec.com/bin/view/Main/5000914 5000915 || [FORTINET] Normal administrator logout || url,wiki.quadrantsec.com/bin/view/Main/5000915 5000916 || [FORTINET] Administrator is clearing/deleting logs || url,wiki.quadrantsec.com/bin/view/Main/5000916 5000917 || 
[FORTINET] Cannot store config. Low flash space || url,wiki.quadrantsec.com/bin/view/Main/5000917 5000918 || [FORTINET] Admin has left current VDOM || url,wiki.quadrantsec.com/bin/view/Main/5000918 5000919 || [FORTINET] Admin login failure || url,wiki.quadrantsec.com/bin/view/Main/5000919 5000920 || [FORTINET] Disk log usage has exceeded || url,wiki.quadrantsec.com/bin/view/Main/5000920 5000921 || [FORTINET] Memory usage has exceeded || url,wiki.quadrantsec.com/bin/view/Main/5000921 5000922 || [FORTINET] Reason unknown error || url,wiki.quadrantsec.com/bin/view/Main/5000922 5000923 || [FORTINET] Out of error mode || url,wiki.quadrantsec.com/bin/view/Main/5000923 5000924 || [FORTINET] Administrator removed logs || url,wiki.quadrantsec.com/bin/view/Main/5000924 5000925 || [FORTINET] License about to expire || url,wiki.quadrantsec.com/bin/view/Main/5000925 5000926 || [FORTINET] Log disk is full || url,wiki.quadrantsec.com/bin/view/Main/5000926 5000927 || [FORTINET] Corrupted MAC packet detected || url,wiki.quadrantsec.com/bin/view/Main/5000927 5000928 || [FORTINET] Action reboot or shutdown || url,wiki.quadrantsec.com/bin/view/Main/5000928 5000929 || [FORTINET] Action reload || url,wiki.quadrantsec.com/bin/view/Main/5000929 5000930 || [FORTINET] Action factory_reset || url,wiki.quadrantsec.com/bin/view/Main/5000930 5000931 || [FORTINET] New access profile added || url,wiki.quadrantsec.com/bin/view/Main/5000931 5000932 || [FORTINET] Configuration change || url,wiki.quadrantsec.com/bin/view/Main/5000932 5000933 || [FORTINET] Access profile changed || url,wiki.quadrantsec.com/bin/view/Main/5000933 5000934 || [FORTINET] Access profile deleted || url,wiki.quadrantsec.com/bin/view/Main/5000934 5000935 || [FORTINET] New admin user added || url,wiki.quadrantsec.com/bin/view/Main/5000935 5000936 || [FORTINET] New user group added || url,wiki.quadrantsec.com/bin/view/Main/5000936 5000937 || [FORTINET] Flash memory is full! 
|| url,wiki.quadrantsec.com/bin/view/Main/5000937 5000938 || [FORTINET] Admin authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000938 5000939 || [FORTINET] Admin authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000939 5000940 || [FORTINET] Admin authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5000940 5000941 || [FORTINET] Failed authentication too many times || url,wiki.quadrantsec.com/bin/view/Main/5000941 5000942 || [FORTINET] Chassis fan anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000942 5000943 || [FORTINET] Chassis temperature anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000943 5000944 || [FORTINET] Chassis voltage anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000944 5000945 || [FORTINET] Blade fan anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000945 5000946 || [FORTINET] Blade temperature anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000946 5000947 || [FORTINET] Blade voltage anomaly || url,wiki.quadrantsec.com/bin/view/Main/5000947 5000948 || [FORTINET] L2TP/PPTP/PPPoE Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5000948 5000949 || [FORTINET] L2TP/PPTP/PPPoE Authentication failed || url,wiki.quadrantsec.com/bin/view/Main/5000949 5000950 || [FORTINET] L2TP/PPTP/PPPoE Max connection reached || url,wiki.quadrantsec.com/bin/view/Main/5000950 5000951 || [FORTINET] L2TP/PPTP/PPPoE Not enough memory || url,wiki.quadrantsec.com/bin/view/Main/5000951 5000952 || [FORTINET] Data Leak Prevention Rule Matched || url,wiki.quadrantsec.com/bin/view/Main/5000952 5000953 || [FORTINET] Application control instant messaging message || url,wiki.quadrantsec.com/bin/view/Main/5000953 5000954 || [FORTINET] Application control instant message file transfer message || url,wiki.quadrantsec.com/bin/view/Main/5000954 5000955 || [FORTINET] Application control instant message chat message || url,wiki.quadrantsec.com/bin/view/Main/5000955 5000956 || [FORTINET] Control instant message SIP 
session blocked message || url,wiki.quadrantsec.com/bin/view/Main/5000956 5000957 || [FORTINET] Application control instant message message || url,wiki.quadrantsec.com/bin/view/Main/5000957 5000958 || [FORTINET] An application control VoIP-SIP session blocked message || url,wiki.quadrantsec.com/bin/view/Main/5000958 5000959 || [FORTINET] E-mail of an infected file || url,wiki.quadrantsec.com/bin/view/Main/5000959 5000960 || [FORTINET] File blocked via e-mail || url,wiki.quadrantsec.com/bin/view/Main/5000960 5000961 || [FORTINET] File intercepted via e-mail || url,wiki.quadrantsec.com/bin/view/Main/5000961 5000962 || [FORTINET] Attack signature matched [see content] [1] || url,wiki.quadrantsec.com/bin/view/Main/5000962 5000963 || [FORTINET] Attack signature matched [see content] [2] || url,wiki.quadrantsec.com/bin/view/Main/5000963 5000964 || [FORTINET] Banned word was found || url,wiki.quadrantsec.com/bin/view/Main/5000964 5000965 || [FORTINET] Cookie was removed || url,wiki.quadrantsec.com/bin/view/Main/5000965 5000966 || [FORTINET] Java applet was removed || url,wiki.quadrantsec.com/bin/view/Main/5000966 5000967 || [FORTINET] ActiveX script was removed || url,wiki.quadrantsec.com/bin/view/Main/5000967 5000968 || [FORTINET] URL was in blacklist || url,wiki.quadrantsec.com/bin/view/Main/5000968 5000969 || [FORTINET] URL belongs to a denied category || url,wiki.quadrantsec.com/bin/view/Main/5000969 5000970 || [FORTINET] calloc failed || url,wiki.quadrantsec.com/bin/view/Main/5000970 5000971 || [FORTINET] Admin changed another admin's password || url,wiki.quadrantsec.com/bin/view/Main/5000971 5000972 || [FORTINET] FTP attempt || url,wiki.quadrantsec.com/bin/view/Main/5000972 5000973 || [FORTINET] Entered system conserve mode! 
|| url,wiki.quadrantsec.com/bin/view/Main/5000973 5000974 || [FORTINET] Leaving system conserve mode || url,wiki.quadrantsec.com/bin/view/Main/5000974 5000975 || [FORTINET] General CRITICAL event || url,wiki.quadrantsec.com/bin/view/Main/5000975 5000976 || [SNORT] Not Suspicious Traffic || url,wiki.quadrantsec.com/bin/view/Main/5000976 5000977 || [SNORT] Unknown Traffic || url,wiki.quadrantsec.com/bin/view/Main/5000977 5000978 || [SNORT] Bad Traffic || url,wiki.quadrantsec.com/bin/view/Main/5000978 5000979 || [SNORT] Attempted Information Leak || url,wiki.quadrantsec.com/bin/view/Main/5000979 5000980 || [SNORT] Information Leak || url,wiki.quadrantsec.com/bin/view/Main/5000980 5000981 || [SNORT] Large Scale Information Leak || url,wiki.quadrantsec.com/bin/view/Main/5000981 5000982 || [SNORT] Attempted Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/5000982 5000983 || [SNORT] Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/5000983 5000984 || [SNORT] Attempted User Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000984 5000985 || [SNORT] Unsuccessful User Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000985 5000986 || [SNORT] Successful User Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000986 5000987 || [SNORT] Attempted Administrator Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000987 5000988 || [SNORT] Successful Administrator Privilege Gain || url,wiki.quadrantsec.com/bin/view/Main/5000988 5000989 || [SNORT] Decode of an RPC Query || url,wiki.quadrantsec.com/bin/view/Main/5000989 5000990 || [SNORT] Executable code was detected || url,wiki.quadrantsec.com/bin/view/Main/5000990 5000991 || [SNORT] A suspicious string was detected || url,wiki.quadrantsec.com/bin/view/Main/5000991 5000992 || [SNORT] A suspicious filename was detected || url,wiki.quadrantsec.com/bin/view/Main/5000992 5000993 || [SNORT] An attempted login using a suspicious username was detected || 
url,wiki.quadrantsec.com/bin/view/Main/5000993 5000995 || [SNORT] A system call was detected || url,wiki.quadrantsec.com/bin/view/Main/5000995 5000996 || [SNORT] A TCP connection was detected || url,wiki.quadrantsec.com/bin/view/Main/5000996 5000997 || [SNORT] A Network Trojan was detected || url,wiki.quadrantsec.com/bin/view/Main/5000997 5000998 || [SNORT] A client was using an unusual port || url,wiki.quadrantsec.com/bin/view/Main/5000998 5000999 || [SNORT] Detection of a Network Scan || url,wiki.quadrantsec.com/bin/view/Main/5000999 5001000 || [SNORT] Detection of a Denial of Service Attack || url,wiki.quadrantsec.com/bin/view/Main/5001000 5001001 || [SNORT] Detection of a non-standard protocol or event || url,wiki.quadrantsec.com/bin/view/Main/5001001 5001002 || [SNORT] Generic Protocol Command Decode || url,wiki.quadrantsec.com/bin/view/Main/5001002 5001003 || [SNORT] access to a potentially vulnerable web application || url,wiki.quadrantsec.com/bin/view/Main/5001003 5001004 || [SNORT] Web Application Attack || url,wiki.quadrantsec.com/bin/view/Main/5001004 5001005 || [SNORT] Misc activity || url,wiki.quadrantsec.com/bin/view/Main/5001005 5001006 || [SNORT] Misc Attack || url,wiki.quadrantsec.com/bin/view/Main/5001006 5001007 || [SNORT] Generic ICMP event || url,wiki.quadrantsec.com/bin/view/Main/5001007 5001008 || [SNORT] SCORE! Get the lotion! 
[Porn] || url,wiki.quadrantsec.com/bin/view/Main/5001008 5001009 || [SNORT] Potential Corporate Privacy Violation || url,wiki.quadrantsec.com/bin/view/Main/5001009 5001010 || [SNORT] Attempt to login by a default username and password || url,wiki.quadrantsec.com/bin/view/Main/5001010 5001011 || [SYSLOG] syslog-ng I/O error || url,wiki.quadrantsec.com/bin/view/Main/5001011 5001012 || [SYSLOG] syslog-ng suspend write || url,wiki.quadrantsec.com/bin/view/Main/5001012 5001013 || [SENDMAIL] Possible open proxy || url, wiki.quadrantsec.com/bin/view/Main/5001013 5001014 || [KISMET] Detected new managed network || url, wiki.quadrantsec.com/bin/view/Main/5001014 5001015 || [KISMET] Detected new ad-hoc network || url, wiki.quadrantsec.com/bin/view/Main/5001015 5001016 || [KISMET] Detected new probe network || url, wiki.quadrantsec.com/bin/view/Main/5001016 5001017 || [KISMET] Detected new turbocell network || url, wiki.quadrantsec.com/bin/view/Main/5001017 5001018 || [KISMET] Detected new data network || url, wiki.quadrantsec.com/bin/view/Main/5001018 5001019 || [KISMET] Found IP address range || url, wiki.quadrantsec.com/bin/view/Main/5001019 5001020 || [KISMET] Kismet starting to gather packets [Startup] || url, wiki.quadrantsec.com/bin/view/Main/5001020 5001021 || [KISMET] Older AirJack tool in use || url, wiki.quadrantsec.com/bin/view/Main/5001021 5001022 || [KISMET] Possible spoof/broken AP || url, wiki.quadrantsec.com/bin/view/Main/5001022 5001023 || [KISMET] Out-of-sequence BSS timestamp. Possible AP spoof || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001023 5001024 || [KISMET] AP change channels. 
Possible AP spoof || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001024 5001025 || [KISMET] AP spoof with less-secure encryption || url, wiki.quadrantsec.com/bin/view/Main/5001025 5001026 || [KISMET] Spoofed disassociate/deauthenticate packets || url, http://www.wve.org/entries/show/WVE-2005-0061 || url, http://www.wve.org/entries/show/WVE-2005-046 || url, http://www.wve.org/entries/show/WVE-2005-0045 || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001026 5001027 || [KISMET] DHCP DISCOVER sent with Client-ID not matching MAC || url, wiki.quadrantsec.com/bin/view/Main/5001027 5001028 || [KISMET] Misconfigured or spoofed client [ignoring DHCP] || url, wiki.quadrantsec.com/bin/view/Main/5001028 5001029 || [KISMET] Spoofed client [incorrectly] injecting data || url, wiki.quadrantsec.com/bin/view/Main/5001029 5001030 || [KISMET] Invalid disconnect/deauthenticate || url, wiki.quadrantsec.com/bin/view/Main/5001030 5001031 || [KISMET] Possible client spoof/MAC cloning attack || url, wiki.quadrantsec.com/bin/view/Main/5001031 5001032 || [KISMET] Over-size SSID. 
Possible exploit attempt || url, wiki.quadrantsec.com/bin/view/Main/5001032 5001033 || [KISMET] Older Lucent/Orinoco card scanning the network || url, wiki.quadrantsec.com/bin/view/Main/5001033 5001034 || [KISMET] Broadcom wireless improper SSID handling || url, http://www.wve.org/entries/show/WVE-2006-0071 || url, wiki.quadrantsec.com/bin/view/Main/5001034 5001035 || [KISMET] Windows D-Link improper SSID handling || url, http://www.wve.org/entries/show/WVE-2006-0072 || url, wiki.quadrantsec.com/bin/view/Main/5001035 5001036 || [KISMET] Windows Netgear over-size beacon frame || url, wiki.quadrantsec.com/bin/view/Main/5001036 5001037 || [KISMET] Older version of NetStumbler detected || url, wiki.quadrantsec.com/bin/view/Main/5001037 5001038 || [KISMET] Zero length probe/response packet || url, http://www.wve.org/entries/show/WVE-2005-0019 || url, wiki.quadrantsec.com/bin/view/Main/5001038 5001039 || [KISMET] Active scanning tool detected [probe] || url, wiki.quadrantsec.com/bin/view/Main/5001039 5001040 || [KISMET] Kismet shutting down || url, wiki.quadrantsec.com/bin/view/Main/5001040 5001041 || [HOSTAPD] Possible downgrade attack || url, wiki.quadrantsec.com/bin/view/Main/5001041 5001042 || [HOSTAPD] Possible downgrade attack || url, wiki.quadrantsec.com/bin/view/Main/5001042 5001043 || [HOSTAPD] UPnP DoS excessive addresses [DoS] || url, wiki.quadrantsec.com/bin/view/Main/5001043 5001044 || [HOSTAPD] Radius - Starting accounting session || url, wiki.quadrantsec.com/bin/view/Main/5001044 5001045 || [HOSTAPD] WPA pairwise key handshake complete || url, wiki.quadrantsec.com/bin/view/Main/5001045 5001046 || [HOSTAPD] IEEE 802.11 - Disassociated || url, wiki.quadrantsec.com/bin/view/Main/5001046 5001047 || [HOSTAPD] IEEE 802.11 - Associated || url, wiki.quadrantsec.com/bin/view/Main/5001047 5001048 || [HOSTAPD] WPA - group key handshake complete [RSN] || url, wiki.quadrantsec.com/bin/view/Main/5001048 5001049 || [HOSTAPD] IEEE 802.11 - deauthenticated due to local 
deauth request || url, wiki.quadrantsec.com/bin/view/Main/5001049 5001050 || [RSYNC] mkdir failure. Permission denied || url, wiki.quadrantsec.com/bin/view/Main/5001050 5001051 || [RSYNC] stat failure. Permission denied || url, wiki.quadrantsec.com/bin/view/Main/5001051 5001052 || [RSYNC] Inbound rsync connection || url, wiki.quadrantsec.com/bin/view/Main/5001052 5001053 || [RSYNC] Connection closed stats || url, wiki.quadrantsec.com/bin/view/Main/5001053 5001054 || [RSYNC] Authentication failure || url, wiki.quadrantsec.com/bin/view/Main/5001054 5001055 || [RSYNC] Some files could not be transferred || url, wiki.quadrantsec.com/bin/view/Main/5001055 5001056 || [WINDOWS-MISC] Disk corruption [0/2] || url,wiki.quadrantsec.com/bin/view/Main/5001056 5001057 || [APC-EMU] Humidity violation || url,wiki.quadrantsec.com/bin/view/Main/5001057 5001058 || [APC-EMU] Humidity violation cleared || url,wiki.quadrantsec.com/bin/view/Main/5001058 5001059 || [APC-EMU] Front door opened || url,wiki.quadrantsec.com/bin/view/Main/5001059 5001060 || [APC-EMU] Front door closed || url,wiki.quadrantsec.com/bin/view/Main/5001060 5001061 || [ARP] arpwatch - New activity [new machine] || url,wiki.quadrantsec.com/bin/view/Main/5001061 5001062 || [ARP] arpwatch - Broadcast address detected || url,wiki.quadrantsec.com/bin/view/Main/5001062 5001063 || [ARP] arpwatch - Bogus IP address detected || url,wiki.quadrantsec.com/bin/view/Main/5001063 5001064 || [ARP] arpwatch - Ethernet mismatch [MAC != ARP] || url,wiki.quadrantsec.com/bin/view/Main/5001064 5001065 || [ASTERISK] Invalid to address || url,wiki.quadrantsec.com/bin/view/Main/5001065 5001066 || [BONDING] Interface is up || url,wiki.quadrantsec.com/bin/view/Main/5001066 5001067 || [BONDING] Interface is down || url,wiki.quadrantsec.com/bin/view/Main/5001067 5001069 || [BONDING] Link status down for active interface || url,wiki.quadrantsec.com/bin/view/Main/5001069 5001070 || [BONDING] Making interface the new active one || 
url,wiki.quadrantsec.com/bin/view/Main/5001070 5001071 || [BONDING] Interface is up and now the active interface || url,wiki.quadrantsec.com/bin/view/Main/5001071 5001072 || [BONDING] ARP monitoring enabled || url,wiki.quadrantsec.com/bin/view/Main/5001072 5001073 || [BONDING] Enslaving interface || url,wiki.quadrantsec.com/bin/view/Main/5001073 5001074 || [BONDING] Released all slaves || url,wiki.quadrantsec.com/bin/view/Main/5001074 5001075 || [BONDING] Failed to get speed or duplex || url,wiki.quadrantsec.com/bin/view/Main/5001075 5001076 || [CACTI] CPU went above threshold || url,wiki.quadrantsec.com/bin/view/Main/5001076 5001077 || [CACTI] CPU restored to normal || url,wiki.quadrantsec.com/bin/view/Main/5001077 5001078 || [IMAPD] Excessive login failures || url,wiki.quadrantsec.com/bin/view/Main/5001078 5001079 || [ARP] arpalert - Detected new machine on the network [mac-new] || url,wiki.quadrantsec.com/bin/view/Main/5001079 5001080 || [ARP] arpalert - MAC address flood || url,wiki.quadrantsec.com/bin/view/Main/5001080 5001081 || [ARP] arpalert - MAC address blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5001081 5001082 || [ARP] arpalert - MAC address changed || url,wiki.quadrantsec.com/bin/view/Main/5001082 5001083 || [SONICWALL] Possible TCP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001083 5001084 || [SONICWALL] IPS Detection Alert || url,wiki.quadrantsec.com/bin/view/Main/5001084 5001085 || [SONICWALL] Possible UDP Port Scan || url,wiki.quadrantsec.com/bin/view/Main/5001085 5001086 || [CISCO-PIXASA] Access denied URL || url, wiki.quadrantsec.com/bin/view/Main/5001086 5001087 || [CISCO-PIXASA] AAA user authentication successful [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5001087 5001088 || [CISCO-PIXASA] Disconnect by SSH server || url, wiki.quadrantsec.com/bin/view/Main/5001088 5001089 || [CISCO-PIXASA] Access denied URL chars - HTTPS || url, wiki.quadrantsec.com/bin/view/Main/5001089 5001090 || [SONICWALL] IPS Detection Alert || 
url,wiki.quadrantsec.com/bin/view/Main/5001090 5001091 || [CISCO-PIXASA] Access denied URL - HTTPS || url, wiki.quadrantsec.com/bin/view/Main/5001091 5001092 || [CISCO-PIXASA] AAA user authentication Reject [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5001092 5001093 || [MISC] Weblabyrinth - New host logged! || url,wiki.quadrantsec.com/bin/view/Main/5001093 5001094 || [SENDMAIL] Insufficient system resources [Remote] [0/5] || url, wiki.quadrantsec.com/bin/view/Main/5001094 5001095 || [MISC] Weblabyrinth - Crawler Ensnared! || url,wiki.quadrantsec.com/bin/view/Main/5001095 5001096 || [WINDOWS-MISC] MSSQLServer I/O error || url,wiki.quadrantsec.com/bin/view/Main/5001096 5001097 || [VMWARE] User login successful || url,wiki.quadrantsec.com/bin/view/Main/5001097 5001098 || [VMWARE] User logoff successful || url,wiki.quadrantsec.com/bin/view/Main/5001098 5001099 || [VMWARE] Lost access to volume || url,wiki.quadrantsec.com/bin/view/Main/5001098 5001100 || [VMWARE] Possible HD/Datastore failure || url,wiki.quadrantsec.com/bin/view/Main/5001100 5001101 || [VMWARE] User login successful || url,wiki.quadrantsec.com/bin/view/Main/5001101 5001102 || [XINETD] Courierpassd|Poppassd - Old password is incorrect || url,wiki.quadrantsec.com/bin/view/Main/5001102 5001103 || [COURIER] Courierpassd|Poppassd - Changed user password || url,wiki.quadrantsec.com/bin/view/Main/5001103 5001104 || [LINUX-KERNEL] IPTABLES TCP || url,wiki.quadrantsec.com/bin/view/Main/5001104 5001105 || [LINUX-KERNEL] IPTABLES TCP || url,wiki.quadrantsec.com/bin/view/Main/5001105 5001120 || [HP-E-SERIES-SWITCH] Invalid username/password || url,wiki.quadrantsec.com/bin/view/Main/5001120 5001121 || [HP-E-SERIES-SWITCH] port is off-line || url,wiki.quadrantsec.com/bin/view/Main/5001121 5001122 || [HP-E-SERIES-SWITCH] System went down: || url,wiki.quadrantsec.com/bin/view/Main/5001122 5001123 || [HP-E-SERIES-SWITCH] Port Security Violation || url,wiki.quadrantsec.com/bin/view/Main/5001123 5001124 || 
[HP-E-SERIES-L3-SWITCH] port is off-line || url,wiki.quadrantsec.com/bin/view/Main/5001124 5001125 || [HP-E-SERIES-L3-SWITCH] Invalid username/password || url,wiki.quadrantsec.com/bin/view/Main/5001125 5001126 || [ADTRAN] TCP INTERNAL BLOCK || url,wiki.quadrantsec.com/bin/view/Main/5001126 5001127 || [ADTRAN] UDP INTERNAL BLOCK || url,wiki.quadrantsec.com/bin/view/Main/5001127 5001129 || [JUNIPER] The scheduled IDP security package update failed to start || url,wiki.quadrantsec.com/bin/view/Main/5001129 5001130 || [JUNIPER] IDP daemon encountered an internal error || url,wiki.quadrantsec.com/bin/view/Main/5001130 5001131 || [JUNIPER] An attempt to start IDP policy daemon failed || url,wiki.quadrantsec.com/bin/view/Main/5001131 5001132 || [JUNIPER] IDP Attack log generated for attack || url,wiki.quadrantsec.com/bin/view/Main/5001132 5001133 || [JUNIPER] IDP Attack log generated for attack in a logical system || url,wiki.quadrantsec.com/bin/view/Main/5001133 5001134 || [JUNIPER] IDP policy commit has completed || url,wiki.quadrantsec.com/bin/view/Main/5001134 5001135 || [JUNIPER] There was an error while trying to commit the active policy in IDPD || url,wiki.quadrantsec.com/bin/view/Main/5001135 5001136 || [JUNIPER] IDP IPv6 support is not enabled for the rulebase || url,wiki.quadrantsec.com/bin/view/Main/5001136 5001137 || [JUNIPER] IDP policy compiler encountered an error while compiling or packaging the policy || url,wiki.quadrantsec.com/bin/view/Main/5001137 5001138 || [JUNIPER] A compiled and optimized IDP policy could not be loaded into IDP engine || url,wiki.quadrantsec.com/bin/view/Main/5001138 5001139 || [JUNIPER] A compiled and optimized IDP policy was loaded successfully into the IDP engine || url,wiki.quadrantsec.com/bin/view/Main/5001139 5001140 || [JUNIPER] A running IDP policy could not be unloaded from IDP engine || url,wiki.quadrantsec.com/bin/view/Main/5001140 5001141 || [JUNIPER] A running IDP policy was unloaded successfully from the IDP engine || 
url,wiki.quadrantsec.com/bin/view/Main/5001141 5001142 || [JUNIPER] The scheduled IDP security package update has started || url,wiki.quadrantsec.com/bin/view/Main/5001142 5001143 || [JUNIPER] IDP background process has returned the security package install result || url,wiki.quadrantsec.com/bin/view/Main/5001143 5001144 || [JUNIPER] IDP session threshold crossing event || url,wiki.quadrantsec.com/bin/view/Main/5001144 5001145 || [JUNIPER] IDP session threshold crossing event in a logical system || url,wiki.quadrantsec.com/bin/view/Main/5001145 5001146 || [JUNIPER] IDP signature update license key has expired || url,wiki.quadrantsec.com/bin/view/Main/5001146 5001147 || [JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred || url,wiki.quadrantsec.com/bin/view/Main/5001147 5001148 || [JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred in logical system || url,wiki.quadrantsec.com/bin/view/Main/5001148 5001149 || [JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack in a logical system || url,wiki.quadrantsec.com/bin/view/Main/5001149 5001150 || [JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack || url,wiki.quadrantsec.com/bin/view/Main/5001150 5001151 || [WINDOWS-AUTH] Login failure - Unknown username or bad password - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001151 5001152 || [WINDOWS-AUTH] Login failure - Account login time restriction || url,wiki.quadrantsec.com/bin/view/Main/5001152 5001153 || [WINDOWS-AUTH] Login failure - Account currently disabled [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5001153 5001154 || [WINDOWS-AUTH] Login failure - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5001154 5001155 || [WINDOWS-AUTH] Login failure - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5001155 5001156 || [WINDOWS-AUTH] Login failure - User not granted login 
type || url,wiki.quadrantsec.com/bin/view/Main/5001156 5001157 || [WINDOWS-AUTH] Login failure - Account password is expired || url,wiki.quadrantsec.com/bin/view/Main/5001157 5001158 || [WINDOWS-AUTH] Login failure - Internal error || url,wiki.quadrantsec.com/bin/view/Main/5001158 5001159 || [WINDOWS-AUTH] Login failure - Account locked [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5001159 5001160 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001160 5001161 || [WINDOWS-AUTH] User account unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001161 5001162 || [WINDOWS-AUTH] Security enabled group created || url,wiki.quadrantsec.com/bin/view/Main/5001162 5001163 || [WINDOWS-AUTH] Security enabled group deleted || url,wiki.quadrantsec.com/bin/view/Main/5001163 5001164 || [WINDOWS-AUTH] Group account created || url,wiki.quadrantsec.com/bin/view/Main/5001164 5001165 || [WINDOWS-AUTH] Group account deleted || url,wiki.quadrantsec.com/bin/view/Main/5001165 5001166 || [WINDOWS-AUTH] Security enabled global group member added || url,wiki.quadrantsec.com/bin/view/Main/5001166 5001167 || [WINDOWS-AUTH] Security enabled global group member removed || url,wiki.quadrantsec.com/bin/view/Main/5001167 5001168 || [WINDOWS-AUTH] Security enabled global group deleted || url,wiki.quadrantsec.com/bin/view/Main/5001168 5001169 || [WINDOWS-AUTH] Security enabled local group created || url,wiki.quadrantsec.com/bin/view/Main/5001169 5001170 || [WINDOWS-AUTH] Security enabled local group member added || url,wiki.quadrantsec.com/bin/view/Main/5001170 5001171 || [WINDOWS-AUTH] Security enabled local group member removed || url,wiki.quadrantsec.com/bin/view/Main/5001171 5001172 || [WINDOWS-AUTH] Security enabled local group deleted || url,wiki.quadrantsec.com/bin/view/Main/5001172 5001173 || [WINDOWS-AUTH] Security enabled local group changed || url,wiki.quadrantsec.com/bin/view/Main/5001173 5001174 || [WINDOWS-AUTH] Security enabled 
group changed || url,wiki.quadrantsec.com/bin/view/Main/5001174 5001176 || [WINDOWS-AUTH] Security enabled universal group created || url,wiki.quadrantsec.com/bin/view/Main/5001176 5001177 || [WINDOWS-AUTH] Security enabled universal group changed || url,wiki.quadrantsec.com/bin/view/Main/5001177 5001178 || [WINDOWS-AUTH] Security enabled universal group member added || url,wiki.quadrantsec.com/bin/view/Main/5001178 5001179 || [WINDOWS-AUTH] Security enabled group member removed || url,wiki.quadrantsec.com/bin/view/Main/5001179 5001180 || [WINDOWS-AUTH] Security enabled group member deleted || url,wiki.quadrantsec.com/bin/view/Main/5001180 5001181 || [WINDOWS-AUTH] RDP maximum allowed failed logon attempts || url,wiki.quadrantsec.com/bin/view/Main/5001181 5001182 || [WINDOWS-MISC] Application uninstall || url,wiki.quadrantsec.com/bin/view/Main/5001182 5001183 || [WINDOWS-MISC] Application install || url,wiki.quadrantsec.com/bin/view/Main/5001183 5001184 || [WINDOWS-MISC] Windows is shutting down || url,wiki.quadrantsec.com/bin/view/Main/5001184 5001185 || [WINDOWS-MISC] Windows audit log was cleared || url,wiki.quadrantsec.com/bin/view/Main/5001185 5001186 || [WINDOWS-AUTH] Windows login attempt (ignored). 
Duplicated || url,wiki.quadrantsec.com/bin/view/Main/5001186 5001187 || [WINDOWS-AUTH] Remote access login failure || url,wiki.quadrantsec.com/bin/view/Main/5001187 5001188 || [WINDOWS-AUTH] Remote access login success || url,wiki.quadrantsec.com/bin/view/Main/5001188 5001189 || [WINDOWS-AUTH] Computer account changed/deleted || url,wiki.quadrantsec.com/bin/view/Main/5001189 5001190 || [WINDOWS-AUTH] Computer account changed/deleted || url,wiki.quadrantsec.com/bin/view/Main/5001190 5001191 || [WINDOWS-MISC] File system full || url,wiki.quadrantsec.com/bin/view/Main/5001191 5001192 || [WINDOWS-AUTH] Account locked out [multiple login errors] [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5001192 5001193 || [WINDOWS-AUTH] General account database changed || url,wiki.quadrantsec.com/bin/view/Main/5001193 5001194 || [WINDOWS-MISC] System time has changed || url,wiki.quadrantsec.com/bin/view/Main/5001194 5001195 || [WINDOWS-AUTH] DC - Integrity check on decrypted || url,wiki.quadrantsec.com/bin/view/Main/5001195 5001196 || [WINDOWS-AUTH] DC - Possible replay attack || url,wiki.quadrantsec.com/bin/view/Main/5001196 5001197 || [WINDOWS-AUTH] DC - Clock skew too great || url,wiki.quadrantsec.com/bin/view/Main/5001197 5001198 || [CISCO-IOS] Fans had a rotation error reported [0/2] || url,wiki.quadrantsec.com/bin/view/Main/5001198 5001199 || [CISCO-IOS] Power Controller reports power Imax error detected || url,wiki.quadrantsec.com/bin/view/Main/5001190 5001200 || [CITRIX] Netscaler - URL Transformation action matched URL || url,wiki.quadrantsec.com/bin/view/Main/5001200 || url,support.citrix.com/article/CTX123875 5001201 || [CITRIX] Netscaler - URL Transformation action didn't match URL || url,wiki.quadrantsec.com/bin/view/Main/5001201 || url,support.citrix.com/article/CTX123875 5001202 || [CITRIX] Netscaler - AppFw Request error. 
Generated 400 Response || url,wiki.quadrantsec.com/bin/view/Main/5001202 || url,support.citrix.com/article/CTX123875 5001203 || [CITRIX] Netscaler - Add a confidential field || url,wiki.quadrantsec.com/bin/view/Main/5001203 || url,support.citrix.com/article/CTX123875 5001204 || [CITRIX] Netscaler - Add an AppFw Field Type || url,wiki.quadrantsec.com/bin/view/Main/5001204 || url,support.citrix.com/article/CTX123875 5001205 || [CITRIX] Netscaler - Add an AppFw profile || url,wiki.quadrantsec.com/bin/view/Main/5001205 || url,support.citrix.com/article/CTX123875 5001206 || [CITRIX] Netscaler - AppFw rule bound to HTML profile || url,wiki.quadrantsec.com/bin/view/Main/5001206 || url,support.citrix.com/article/CTX123875 5001207 || [CITRIX] Netscaler - AppFw rule bound to XML profile || url,wiki.quadrantsec.com/bin/view/Main/5001207 || url,support.citrix.com/article/CTX123875 5001208 || [CITRIX] Netscaler - Memory allocation request failed || url,wiki.quadrantsec.com/bin/view/Main/5001208 || url,support.citrix.com/article/CTX123875 5001209 || [CITRIX] Netscaler - Remove a confidential field || url,wiki.quadrantsec.com/bin/view/Main/5001209 || url,support.citrix.com/article/CTX123875 5001210 || [CITRIX] Netscaler - Remove an Appfw Field Type || url,wiki.quadrantsec.com/bin/view/Main/5001210 || url,support.citrix.com/article/CTX123875 5001211 || [CITRIX] Netscaler - Remove an AppFw profile || url,wiki.quadrantsec.com/bin/view/Main/5001211 || url,support.citrix.com/article/CTX123875 5001212 || [CITRIX] Netscaler - Appsecure uthread a stack error || url,wiki.quadrantsec.com/bin/view/Main/5001212 || url,support.citrix.com/article/CTX123875 5001213 || [CITRIX] Netscaler - SNMP module stopped an alarm || url,wiki.quadrantsec.com/bin/view/Main/5001213 || url,support.citrix.com/article/CTX123875 5001214 || [CITRIX] Netscaler - SNMP module alarm || url,wiki.quadrantsec.com/bin/view/Main/5001214 || url,support.citrix.com/article/CTX123875 5001215 || [CITRIX] Netscaler - AppFw Buffer 
Overflow violation in Cookie || url,wiki.quadrantsec.com/bin/view/Main/5001215 || url,support.citrix.com/article/CTX123875 5001216 || [CITRIX] Netscaler - AppFw Buffer Overflow violation in HTTP Headers || url,wiki.quadrantsec.com/bin/view/Main/5001216 || url,support.citrix.com/article/CTX123875 5001217 || [CITRIX] Netscaler - AppFw Buffer Overflow violation in URL || url,wiki.quadrantsec.com/bin/view/Main/5001217 || url,support.citrix.com/article/CTX123875 5001218 || [CITRIX] Netscaler - AppFw Cookie Consistency violation || url,wiki.quadrantsec.com/bin/view/Main/5001218 || url,support.citrix.com/article/CTX123875 5001219 || [CITRIX] Netscaler - AppFw CSRF tag violation || url,wiki.quadrantsec.com/bin/view/Main/5001219 || url,support.citrix.com/article/CTX123875 5001220 || [CITRIX] Netscaler - AppFw DenyURL violation || url,wiki.quadrantsec.com/bin/view/Main/5001220 || url,support.citrix.com/article/CTX123875 5001221 || [CITRIX] Netscaler - AppFw Field Consistency violation || url,wiki.quadrantsec.com/bin/view/Main/5001221 || url,support.citrix.com/article/CTX123875 5001222 || [CITRIX] Netscaler - AppFw Field Format violation || url,wiki.quadrantsec.com/bin/view/Main/5001222 || url,support.citrix.com/article/CTX123875 5001223 || [CITRIX] Netscaler - AppFw profile invoked || url,wiki.quadrantsec.com/bin/view/Main/5001223 || url,support.citrix.com/article/CTX123875 5001224 || [CITRIX] Netscaler - AppFw built-in profile invoked || url,wiki.quadrantsec.com/bin/view/Main/5001224 || url,support.citrix.com/article/CTX123875 5001225 || [CITRIX] Netscaler - AppFw Referer header violation || url,wiki.quadrantsec.com/bin/view/Main/5001225 || url,support.citrix.com/article/CTX123875 5001226 || [CITRIX] Netscaler - AppFw Safe Commerce violation || url,wiki.quadrantsec.com/bin/view/Main/5001226 || url,support.citrix.com/article/CTX123875 5001227 || [CITRIX] Netscaler - AppFw Safe Commerce violation detected and transformed || url,wiki.quadrantsec.com/bin/view/Main/5001227 || 
url,support.citrix.com/article/CTX123875 5001228 || [CITRIX] Netscaler - AppFw Safe Object violation || url,wiki.quadrantsec.com/bin/view/Main/5001228 || url,support.citrix.com/article/CTX123875 5001229 || [CITRIX] Netscaler - AppFw SQL Injection violation || url,wiki.quadrantsec.com/bin/view/Main/5001229 || url,support.citrix.com/article/CTX123875 5001230 || [CITRIX] Netscaler - AppFw StartURL violation || url,wiki.quadrantsec.com/bin/view/Main/5001230 || url,support.citrix.com/article/CTX123875 5001231 || [CITRIX] Netscaler - Boundary mismatch in mime message || url,wiki.quadrantsec.com/bin/view/Main/5001231 || url,support.citrix.com/article/CTX123875 5001232 || [CITRIX] Netscaler - XML Attachment CallBack is NULL but HTTP message is MIME Attachment message || url,wiki.quadrantsec.com/bin/view/Main/5001232 || url,support.citrix.com/article/CTX123875 5001233 || [CITRIX] Netscaler - XML Message has an Attachment with Illegal Content-Type || url,wiki.quadrantsec.com/bin/view/Main/5001233 || url,support.citrix.com/article/CTX123875 5001234 || [CITRIX] Netscaler - String is supposed to be MIME Header. 
But it is not according to the format of Mime Header HeaderName:HeaderValue || url,wiki.quadrantsec.com/bin/view/Main/5001234 || url,support.citrix.com/article/CTX123875 5001235 || [CITRIX] Netscaler - HTTP Content type should be 'application/xop+xml' or '^(text|application)/([a-zA-Z]*+ xml|xml)' || url,wiki.quadrantsec.com/bin/view/Main/5001235 || url,support.citrix.com/article/CTX123875 5001236 || [CITRIX] Netscaler - XML Message has an Attachment with size greater than the Configured Max Attachment Size || url,wiki.quadrantsec.com/bin/view/Main/5001236 || url,support.citrix.com/article/CTX123875 5001237 || [CITRIX] Netscaler - Attachment Found in the XML Message || url,wiki.quadrantsec.com/bin/view/Main/5001237 || url,support.citrix.com/article/CTX123875 5001238 || [CITRIX] Netscaler - AppFw XML DDoS Send Fail Error || url,wiki.quadrantsec.com/bin/view/Main/5001238 || url,support.citrix.com/article/CTX123875 5001239 || [CITRIX] Netscaler - Exceeds max character data length || url,wiki.quadrantsec.com/bin/view/Main/5001239 || url,support.citrix.com/article/CTX123875 5001240 || [CITRIX] Netscaler - DTD present in the XML message || url,wiki.quadrantsec.com/bin/view/Main/5001240 || url,support.citrix.com/article/CTX123875 5001241 || [CITRIX] Netscaler - External entities present in the XML message || url,wiki.quadrantsec.com/bin/view/Main/5001241 || url,support.citrix.com/article/CTX123875 5001242 || [CITRIX] Netscaler - AppFw XML DoS Maximum Error || url,wiki.quadrantsec.com/bin/view/Main/5001242 || url,support.citrix.com/article/CTX123875 5001243 || [CITRIX] Netscaler - Element exceeds maximum attributes per element || url,wiki.quadrantsec.com/bin/view/Main/5001243 || url,support.citrix.com/article/CTX123876 5001244 || [CITRIX] Netscaler - Element an attribute exceeds maximum name length || url,wiki.quadrantsec.com/bin/view/Main/5001244 || url,support.citrix.com/article/CTX123875 5001245 || [CITRIX] Netscaler - Element attribute exceeds maximum attribute value 
length || url,wiki.quadrantsec.com/bin/view/Main/5001245 || url,support.citrix.com/article/CTX123875 5001246 || [CITRIX] Netscaler - Element exceeds maximum elements per message || url,wiki.quadrantsec.com/bin/view/Main/5001246 || url,support.citrix.com/article/CTX123875 5001247 || [CITRIX] Netscaler - Parent of element exceed maximum children || url,wiki.quadrantsec.com/bin/view/Main/5001247 || url,support.citrix.com/article/CTX123875 5001248 || [CITRIX] Netscaler - Element exceeds maximum element depth || url,wiki.quadrantsec.com/bin/view/Main/5001248 || url,support.citrix.com/article/CTX123875 5001249 || [CITRIX] Netscaler - Element exceeds maximum element name length || url,wiki.quadrantsec.com/bin/view/Main/5001249 || url,support.citrix.com/article/CTX123875 5001250 || [CITRIX] Netscaler - Exceeds max number of entity expansions || url,wiki.quadrantsec.com/bin/view/Main/5001250 || url,support.citrix.com/article/CTX123875 5001251 || [CITRIX] Netscaler - Exceeds max entity expansion depth || url,wiki.quadrantsec.com/bin/view/Main/5001251 || url,support.citrix.com/article/CTX123875 5001252 || [CITRIX] Netscaler - Message size exceeds max size || url,wiki.quadrantsec.com/bin/view/Main/5001252 || url,support.citrix.com/article/CTX123875 5001253 || [CITRIX] Netscaler - Element exceeds maximum active namespaces || url,wiki.quadrantsec.com/bin/view/Main/5001253 || url,support.citrix.com/article/CTX123875 5001254 || [CITRIX] Netscaler - In element a namespace exceeds maximum URI length || url,wiki.quadrantsec.com/bin/view/Main/5001254 || url,support.citrix.com/article/CTX123875 5001255 || [CITRIX] Netscaler - Node exceeds maximum nodes per message || url,wiki.quadrantsec.com/bin/view/Main/5001255 || url,support.citrix.com/article/CTX123875 5001256 || [CITRIX] Netscaler - Message size less than min size || url,wiki.quadrantsec.com/bin/view/Main/5001256 || url,support.citrix.com/article/CTX123875 5001257 || [CITRIX] Netscaler - Processing instructions present in the XML 
message || url,wiki.quadrantsec.com/bin/view/Main/5001257 || url,support.citrix.com/article/CTX123875 5001258 || [CITRIX] Netscaler - AppFw XML Internal error || url,wiki.quadrantsec.com/bin/view/Main/5001258 || url,support.citrix.com/article/CTX123875 5001259 || [CITRIX] Netscaler - AppFw XML DDoS Connect to Server Failed || url,wiki.quadrantsec.com/bin/view/Main/5001259 || url,support.citrix.com/article/CTX123875 5001260 || [CITRIX] Netscaler - AppFw XML DDoS Interaction socket open Failed || url,wiki.quadrantsec.com/bin/view/Main/5001260 || url,support.citrix.com/article/CTX123875 5001261 || [CITRIX] Netscaler - AppFw XML DDoS Invalid Config File || url,wiki.quadrantsec.com/bin/view/Main/5001261 || url,support.citrix.com/article/CTX123875 5001262 || [CITRIX] Netscaler - AppFw XML DDoS No Folder Installation Path || url,wiki.quadrantsec.com/bin/view/Main/5001262 || url,support.citrix.com/article/CTX123875 5001263 || [CITRIX] Netscaler - AppFw XML DDoS Failure to Open Config File || url,wiki.quadrantsec.com/bin/view/Main/5001263 || url,support.citrix.com/article/CTX123875 5001264 || [CITRIX] Netscaler - Denial of Service Error || url,wiki.quadrantsec.com/bin/view/Main/5001264 || url,support.citrix.com/article/CTX123875 5001265 || [CITRIX] Netscaler - Environment variable QTHOME not set || url,wiki.quadrantsec.com/bin/view/Main/5001265 || url,support.citrix.com/article/CTX123875 5001266 || [CITRIX] Netscaler - Problems inserting a namespace into the hash table || url,wiki.quadrantsec.com/bin/view/Main/5001266 || url,support.citrix.com/article/CTX123875 5001267 || [CITRIX] Netscaler - Problems getting the key of a namespace from the hash table || url,wiki.quadrantsec.com/bin/view/Main/5001267 || url,support.citrix.com/article/CTX123875 5001268 || [CITRIX] Netscaler - Unable to initialize XML tokenizer || url,wiki.quadrantsec.com/bin/view/Main/5001268 || url,support.citrix.com/article/CTX123875 5001269 || [CITRIX] Netscaler - Unable to open the file || 
url,wiki.quadrantsec.com/bin/view/Main/5001269 || url,support.citrix.com/article/CTX123875 5001270 || [CITRIX] Netscaler - AppFw XML Internal State Invalid || url,wiki.quadrantsec.com/bin/view/Main/5001270 || url,support.citrix.com/article/CTX123875 5001271 || [CITRIX] Netscaler - Invalid XPath || url,wiki.quadrantsec.com/bin/view/Main/5001271 || url,support.citrix.com/article/CTX123875 5001272 || [CITRIX] Netscaler - AppFw XML Low memory || url,wiki.quadrantsec.com/bin/view/Main/5001272 || url,support.citrix.com/article/CTX123875 5001273 || [CITRIX] Netscaler - Malformed address || url,wiki.quadrantsec.com/bin/view/Main/5001273 || url,support.citrix.com/article/CTX123875 5001274 || [CITRIX] Netscaler - Message is not a well-formed XML || url,wiki.quadrantsec.com/bin/view/Main/5001274 || url,support.citrix.com/article/CTX123875 5001275 || [CITRIX] Netscaler - The message having content-type as 'Multipart/Related' and not having a boundary is invalid || url,wiki.quadrantsec.com/bin/view/Main/5001275 || url,support.citrix.com/article/CTX123875 5001276 || [CITRIX] Netscaler - NS-XML APPFW supports SwA and MTOM SOAP attachments || url,wiki.quadrantsec.com/bin/view/Main/5001276 || url,support.citrix.com/article/CTX123875 5001277 || [CITRIX] Netscaler - Problems registering callbacks for operations || url,wiki.quadrantsec.com/bin/view/Main/5001277 || url,support.citrix.com/article/CTX123875 5001278 || [CITRIX] Netscaler - Prefix length exceeded || url,wiki.quadrantsec.com/bin/view/Main/5001278 || url,support.citrix.com/article/CTX123875 5001279 || [CITRIX] Netscaler - AppFw XML Read Failure || url,wiki.quadrantsec.com/bin/view/Main/5001279 || url,support.citrix.com/article/CTX123875 5001280 || [CITRIX] Netscaler - Message contains SOAP Fault || url,wiki.quadrantsec.com/bin/view/Main/5001280 || url,support.citrix.com/article/CTX123875 5001281 || [CITRIX] Netscaler - Problems during pop of the node out of the XML stream || url,wiki.quadrantsec.com/bin/view/Main/5001281 || 
url,support.citrix.com/article/CTX123875 5001282 || [CITRIX] Netscaler - Problems during push of the node into the XML stream || url,wiki.quadrantsec.com/bin/view/Main/5001282 || url,support.citrix.com/article/CTX123875 5001283 || [CITRIX] Netscaler - Port in address is greater than 65535 || url,wiki.quadrantsec.com/bin/view/Main/5001283 || url,support.citrix.com/article/CTX123875 5001284 || [CITRIX] Netscaler - Unsupported protocol || url,wiki.quadrantsec.com/bin/view/Main/5001284 || url,support.citrix.com/article/CTX123875 5001285 || [CITRIX] Netscaler - AppFw XML Validation Failed || url,wiki.quadrantsec.com/bin/view/Main/5001285 || url,support.citrix.com/article/CTX123875 5001286 || [CITRIX] Netscaler - AppFw XML Context is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001286 || url,support.citrix.com/article/CTX123875 5001287 || [CITRIX] Netscaler - Context user state is NULL - Internal error || url,wiki.quadrantsec.com/bin/view/Main/5001287 || url,support.citrix.com/article/CTX123875 5001288 || [CITRIX] Netscaler - Message config struct is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001288 || url,support.citrix.com/article/CTX123875 5001289 || [CITRIX] Netscaler - Dumps the SOAP Fault contents to Audit log || url,wiki.quadrantsec.com/bin/view/Main/5001289 || url,support.citrix.com/article/CTX123875 5001290 || [CITRIX] Netscaler - AppFw SQL Injection violation in XML || url,wiki.quadrantsec.com/bin/view/Main/5001290 || url,support.citrix.com/article/CTX123875 5001291 || [CITRIX] Netscaler - Cannot instantiate abstract element || url,wiki.quadrantsec.com/bin/view/Main/5001291 || url,support.citrix.com/article/CTX123875 5001292 || [CITRIX] Netscaler - Cannot instantiate abstract type || url,wiki.quadrantsec.com/bin/view/Main/5001292 || url,support.citrix.com/article/CTX123875 5001293 || [CITRIX] Netscaler - Additional soap header present in soap message || url,wiki.quadrantsec.com/bin/view/Main/5001293 || url,support.citrix.com/article/CTX123875 5001294 || 
[CITRIX] Netscaler - Attribute appears more than once in element || url,wiki.quadrantsec.com/bin/view/Main/5001294 || url,support.citrix.com/article/CTX123875 5001295 || [CITRIX] Netscaler - Required attribute missing in element || url,wiki.quadrantsec.com/bin/view/Main/5001295 || url,support.citrix.com/article/CTX123875 5001296 || [CITRIX] Netscaler - Compiled WSDL file is corrupt || url,wiki.quadrantsec.com/bin/view/Main/5001296 || url,support.citrix.com/article/CTX123875 5001297 || [CITRIX] Netscaler - Content model of element not satisfied || url,wiki.quadrantsec.com/bin/view/Main/5001297 || url,support.citrix.com/article/CTX123875 5001298 || [CITRIX] Netscaler - Compiled WSDL file is corrupt || url,wiki.quadrantsec.com/bin/view/Main/5001298 || url,support.citrix.com/article/CTX123875 5001299 || [CITRIX] Netscaler - Error compiling the schema || url,wiki.quadrantsec.com/bin/view/Main/5001299 || url,support.citrix.com/article/CTX123875 5001300 || [CITRIX] Netscaler - Initialization of the data type engine failed || url,wiki.quadrantsec.com/bin/view/Main/5001300 || url,support.citrix.com/article/CTX123875 5001301 || [CITRIX] Netscaler - Internal corruption of WSDL in-memory structure || url,wiki.quadrantsec.com/bin/view/Main/5001301 || url,support.citrix.com/article/CTX123875 5001302 || [CITRIX] Netscaler - Attribute is invalid || url,wiki.quadrantsec.com/bin/view/Main/5001302 || url,support.citrix.com/article/CTX123875 5001303 || [CITRIX] Netscaler - Invalid configuration for soap validation || url,wiki.quadrantsec.com/bin/view/Main/5001303 || url,support.citrix.com/article/CTX123875 5001304 || [CITRIX] Netscaler - Not able to open compiled WSDL || url,wiki.quadrantsec.com/bin/view/Main/5001304 || url,support.citrix.com/article/CTX123875 5001305 || [CITRIX] Netscaler - Element has invalid content model || url,wiki.quadrantsec.com/bin/view/Main/5001305 || url,support.citrix.com/article/CTX123875 5001306 || [CITRIX] Netscaler - Data type is invalid || 
url,wiki.quadrantsec.com/bin/view/Main/5001306 || url,support.citrix.com/article/CTX123875 5001307 || [CITRIX] Netscaler - Invalid element || url,wiki.quadrantsec.com/bin/view/Main/5001307 || url,support.citrix.com/article/CTX123875 5001308 || [CITRIX] Netscaler - Not able to open the file || url,wiki.quadrantsec.com/bin/view/Main/5001308 || url,support.citrix.com/article/CTX123875 5001309 || [CITRIX] Netscaler - Did not get expected type for element || url,wiki.quadrantsec.com/bin/view/Main/5001309 || url,support.citrix.com/article/CTX123875 5001310 || [CITRIX] Netscaler - Unable to load validation engine || url,wiki.quadrantsec.com/bin/view/Main/5001310 || url,support.citrix.com/article/CTX123875 5001311 || [CITRIX] Netscaler - AppFw XML Validation Max Error || url,wiki.quadrantsec.com/bin/view/Main/5001311 || url,support.citrix.com/article/CTX123875 5001312 || [CITRIX] Netscaler - Service URL is not present or NULL || url,wiki.quadrantsec.com/bin/view/Main/5001312 || url,support.citrix.com/article/CTX123875 5001313 || [CITRIX] Netscaler - Feature not supported || url,wiki.quadrantsec.com/bin/view/Main/5001313 || url,support.citrix.com/article/CTX123875 5001314 || [CITRIX] Netscaler - Trying to pop from an empty stack || url,wiki.quadrantsec.com/bin/view/Main/5001314 || url,support.citrix.com/article/CTX123875 5001315 || [CITRIX] Netscaler - Level of recursion more than maximum allowed depth || url,wiki.quadrantsec.com/bin/view/Main/5001315 || url,support.citrix.com/article/CTX123875 5001316 || [CITRIX] Netscaler - Both SOAP Body and SOAP Header are empty in the SOAP request || url,wiki.quadrantsec.com/bin/view/Main/5001316 || url,support.citrix.com/article/CTX123875 5001317 || [CITRIX] Netscaler - Soap Body structure check failed || url,wiki.quadrantsec.com/bin/view/Main/5001317 || url,support.citrix.com/article/CTX123875 5001318 || [CITRIX] Netscaler - Soap Envelope structure check failed || url,wiki.quadrantsec.com/bin/view/Main/5001318 || 
url,support.citrix.com/article/CTX123875 5001319 || [CITRIX] Netscaler - Soap Header structure check failed || url,wiki.quadrantsec.com/bin/view/Main/5001319 || url,support.citrix.com/article/CTX123875 5001320 || [CITRIX] Netscaler - Prefix is unbounded || url,wiki.quadrantsec.com/bin/view/Main/5001320 || url,support.citrix.com/article/CTX123875 5001321 || [CITRIX] Netscaler - Element cannot be nil || url,wiki.quadrantsec.com/bin/view/Main/5001321 || url,support.citrix.com/article/CTX123875 5001322 || [CITRIX] Netscaler - Element is nil || url,wiki.quadrantsec.com/bin/view/Main/5001322 || url,support.citrix.com/article/CTX123875 5001323 || [CITRIX] Netscaler - Invalid data type || url,wiki.quadrantsec.com/bin/view/Main/5001323 || url,support.citrix.com/article/CTX123875 5001324 || [CITRIX] Netscaler - Element cannot appear at this location || url,wiki.quadrantsec.com/bin/view/Main/5001324 || url,support.citrix.com/article/CTX123875 5001325 || [CITRIX] Netscaler - Facet mismatch || url,wiki.quadrantsec.com/bin/view/Main/5001325 || url,support.citrix.com/article/CTX123875 5001326 || [CITRIX] Netscaler - AppFw XML Validator Load Failed || url,wiki.quadrantsec.com/bin/view/Main/5001326 || url,support.citrix.com/article/CTX123875 5001327 || [CITRIX] Netscaler - Attribute has invalid || url,wiki.quadrantsec.com/bin/view/Main/5001327 || url,support.citrix.com/article/CTX123875 5001328 || [CITRIX] Netscaler - Invalid schema data type || url,wiki.quadrantsec.com/bin/view/Main/5001328 || url,support.citrix.com/article/CTX123875 5001329 || [CITRIX] Netscaler - Invalid schema node type || url,wiki.quadrantsec.com/bin/view/Main/5001329 || url,support.citrix.com/article/CTX123875 5001330 || [CITRIX] Netscaler - Value does not match FIXED constraint || url,wiki.quadrantsec.com/bin/view/Main/5001330 || url,support.citrix.com/article/CTX123875 5001331 || [CITRIX] Netscaler - List length is greater than max allowed || url,wiki.quadrantsec.com/bin/view/Main/5001331 || 
url,support.citrix.com/article/CTX123875 5001332 || [CITRIX] Netscaler - List length is invalid || url,wiki.quadrantsec.com/bin/view/Main/5001332 || url,support.citrix.com/article/CTX123875 5001333 || [CITRIX] Netscaler - List length is lesser than min allowed || url,wiki.quadrantsec.com/bin/view/Main/5001333 || url,support.citrix.com/article/CTX123875 5001334 || [CITRIX] Netscaler - AppFw XML Validation Maximum Load Error || url,wiki.quadrantsec.com/bin/view/Main/5001334 || url,support.citrix.com/article/CTX123875 5001335 || [CITRIX] Netscaler - Missing require attribute in element || url,wiki.quadrantsec.com/bin/view/Main/5001335 || url,support.citrix.com/article/CTX123875 5001336 || [CITRIX] Netscaler - Error code in the compiled Schema is being ignored || url,wiki.quadrantsec.com/bin/view/Main/5001336 || url,support.citrix.com/article/CTX123875 5001337 || [CITRIX] Netscaler - Error code in the compiled WSDL is being ignored || url,wiki.quadrantsec.com/bin/view/Main/5001337 || url,support.citrix.com/article/CTX123875 5001338 || [CITRIX] Netscaler - AppFw XML WSI Internal Context NULL || url,wiki.quadrantsec.com/bin/view/Main/5001338 || url,support.citrix.com/article/CTX123875 5001339 || [CITRIX] Netscaler - AppFw XML WSI HTTP Error || url,wiki.quadrantsec.com/bin/view/Main/5001339 || url,support.citrix.com/article/CTX123875 5001340 || [CITRIX] Netscaler - Resource id of deployment is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001340 || url,support.citrix.com/article/CTX123875 5001341 || [CITRIX] Netscaler - Port URL is NULL || url,wiki.quadrantsec.com/bin/view/Main/5001341 || url,support.citrix.com/article/CTX123875 5001342 || [CITRIX] Netscaler - Deployed resource is not WSDL || url,wiki.quadrantsec.com/bin/view/Main/5001342 || url,support.citrix.com/article/CTX123875 5001343 || [CITRIX] Netscaler - AppFw XML WSI List Null || url,wiki.quadrantsec.com/bin/view/Main/5001343 || url,support.citrix.com/article/CTX123875 5001344 || [CITRIX] Netscaler - Error 
during initialization || url,wiki.quadrantsec.com/bin/view/Main/5001344 || url,support.citrix.com/article/CTX123875 5001345 || [CITRIX] Netscaler - AppFw XML XSDLOAD Failed during Compile || url,wiki.quadrantsec.com/bin/view/Main/5001345 || url,support.citrix.com/article/CTX123875 5001346 || [CITRIX] Netscaler - No XSModel to print || url,wiki.quadrantsec.com/bin/view/Main/5001346 || url,support.citrix.com/article/CTX123875 5001347 || [CITRIX] Netscaler - Error during parsing || url,wiki.quadrantsec.com/bin/view/Main/5001347 || url,support.citrix.com/article/CTX123875 5001348 || [CITRIX] Netscaler - Unexpected exception during parsing || url,wiki.quadrantsec.com/bin/view/Main/5001348 || url,support.citrix.com/article/CTX123875 5001349 || [CITRIX] Netscaler - AppFw XSS violation in XML || url,wiki.quadrantsec.com/bin/view/Main/5001349 || url,support.citrix.com/article/CTX123875 5001350 || [CITRIX] Netscaler - AppFw XSS violation || url,wiki.quadrantsec.com/bin/view/Main/5001350 || url,support.citrix.com/article/CTX123875 5001351 || [CITRIX] Netscaler - URL Transformation in a response body || url,wiki.quadrantsec.com/bin/view/Main/5001351 || url,support.citrix.com/article/CTX123875 5001352 || [CITRIX] Netscaler - Cache flush starts || url,wiki.quadrantsec.com/bin/view/Main/5001352 || url,support.citrix.com/article/CTX123875 5001353 || [CITRIX] Netscaler - Cache flush is complete || url,wiki.quadrantsec.com/bin/view/Main/5001353 || url,support.citrix.com/article/CTX123875 5001354 || [CITRIX] Netscaler - Severity ERROR - client security check for a SSLVPN session failed || url,wiki.quadrantsec.com/bin/view/Main/5001354 || url,support.citrix.com/article/CTX123875 5001355 || [CITRIX] Netscaler - Severity ERROR when client security expression evaluates to False || url,wiki.quadrantsec.com/bin/view/Main/5001355 || url,support.citrix.com/article/CTX123875 5001356 || [CITRIX] Netscaler - Logs the NSCLI/GUI command executed in NetScaler || 
url,wiki.quadrantsec.com/bin/view/Main/5001356 || url,support.citrix.com/article/CTX123875 5001357 || [CITRIX] Netscaler - Completed reading the configuration from ns.conf file || url,wiki.quadrantsec.com/bin/view/Main/5001357 || url,support.citrix.com/article/CTX123875 5001358 || [CITRIX] Netscaler - Read the configuration from ns.conf file || url,wiki.quadrantsec.com/bin/view/Main/5001358 || url,support.citrix.com/article/CTX123875 5001359 || [CITRIX] Netscaler - Server side and a client side TCP connection is delinked || url,wiki.quadrantsec.com/bin/view/Main/5001359 || url,support.citrix.com/article/CTX123875 5001360 || [CITRIX] Netscaler - TCP connection terminated || url,wiki.quadrantsec.com/bin/view/Main/5001360 || url,support.citrix.com/article/CTX123875 5001361 || [CITRIX] Netscaler - The input URL before rewriting || url,wiki.quadrantsec.com/bin/view/Main/5001361 || url,support.citrix.com/article/CTX123875 5001362 || [CITRIX] Netscaler - The matched URL || url,wiki.quadrantsec.com/bin/view/Main/5001362 || url,support.citrix.com/article/CTX123875 5001363 || [CITRIX] Netscaler - PCRE Error || url,wiki.quadrantsec.com/bin/view/Main/5001363 || url,support.citrix.com/article/CTX123875 5001364 || [CITRIX] Netscaler - The rewritten URL || url,wiki.quadrantsec.com/bin/view/Main/5001364 || url,support.citrix.com/article/CTX123875 5001365 || [CITRIX] Netscaler - Device is down || url,wiki.quadrantsec.com/bin/view/Main/5001365 || url,support.citrix.com/article/CTX123875 5001366 || [CITRIX] Netscaler - Device is out of service || url,wiki.quadrantsec.com/bin/view/Main/5001366 || url,support.citrix.com/article/CTX123875 5001367 || [CITRIX] Netscaler - Device is up || url,wiki.quadrantsec.com/bin/view/Main/5001367 || url,support.citrix.com/article/CTX123875 5001368 || [CITRIX] Netscaler - After a user logs in the group for the user has been extracted || url,wiki.quadrantsec.com/bin/view/Main/5001368 || url,support.citrix.com/article/CTX123875 5001369 || [CITRIX] 
Netscaler - URL Transformation profile invoked || url,wiki.quadrantsec.com/bin/view/Main/5001369 || url,support.citrix.com/article/CTX123875 5001370 || [CITRIX] Netscaler - Bad memory is freed (internal error) || url,wiki.quadrantsec.com/bin/view/Main/5001370 || url,support.citrix.com/article/CTX123875 5001371 || [CITRIX] Netscaler - Duplicate memory free occurs (internal error) || url,wiki.quadrantsec.com/bin/view/Main/5001371 || url,support.citrix.com/article/CTX123875 5001372 || [CITRIX] Netscaler - Memory is freed from a wrong pool (internal error) || url,wiki.quadrantsec.com/bin/view/Main/5001372 || url,support.citrix.com/article/CTX123875 5001373 || [CITRIX] Netscaler - A SSLVPN session receives a HTTP request || url,wiki.quadrantsec.com/bin/view/Main/5001373 || url,support.citrix.com/article/CTX123875 5001374 || [CITRIX] Netscaler - A http resource access is denied by policy engine || url,wiki.quadrantsec.com/bin/view/Main/5001374 || url,support.citrix.com/article/CTX123875 5001375 || [CITRIX] Netscaler - ICA application has terminated || url,wiki.quadrantsec.com/bin/view/Main/5001375 || url,support.citrix.com/article/CTX123875 5001376 || [CITRIX] Netscaler - ICA application launch has started || url,wiki.quadrantsec.com/bin/view/Main/5001376 || url,support.citrix.com/article/CTX123875 5001377 || [CITRIX] Netscaler - SSLVPN license limit reached || url,wiki.quadrantsec.com/bin/view/Main/5001377 || url,support.citrix.com/article/CTX123875 5001378 || [CITRIX] Netscaler - SSLVPN login succeeds || url,wiki.quadrantsec.com/bin/view/Main/5001378 || url,support.citrix.com/article/CTX123875 5001379 || [CITRIX] Netscaler - AAA module failed to login the user - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001379 || url,support.citrix.com/article/CTX123875 5001380 || [CITRIX] Netscaler - SSLVPN session logs out. 
|| url,wiki.quadrantsec.com/bin/view/Main/5001380 || url,support.citrix.com/article/CTX123875 5001381 || [CITRIX] Netscaler - Monitor bound to the service is down || url,wiki.quadrantsec.com/bin/view/Main/5001381 || url,support.citrix.com/article/CTX123875 5001382 || [CITRIX] Netscaler - Monitor bound to the service has hit threshold limit || url,wiki.quadrantsec.com/bin/view/Main/5001382 || url,support.citrix.com/article/CTX123875 5001383 || [CITRIX] Netscaler - Monitor bound to the service is up || url,wiki.quadrantsec.com/bin/view/Main/5001383 || url,support.citrix.com/article/CTX123875 5001384 || [CITRIX] Netscaler - Network interface is in hung state || url,wiki.quadrantsec.com/bin/view/Main/5001384 || url,support.citrix.com/article/CTX123875 5001385 || [CITRIX] Netscaler - Interface's throughput is less than the min required || url,wiki.quadrantsec.com/bin/view/Main/5001385 || url,support.citrix.com/article/CTX123875 5001386 || [CITRIX] Netscaler - Interface is bound or unbound from a channel || url,wiki.quadrantsec.com/bin/view/Main/5001386 || url,support.citrix.com/article/CTX123875 5001387 || [CITRIX] Netscaler - Interface's throughput is equal or greater than the min required || url,wiki.quadrantsec.com/bin/view/Main/5001387 || url,support.citrix.com/article/CTX123875 5001388 || [CITRIX] Netscaler - Network interface is reset || url,wiki.quadrantsec.com/bin/view/Main/5001388 || url,support.citrix.com/article/CTX123875 5001389 || [CITRIX] Netscaler - Network interface is started || url,wiki.quadrantsec.com/bin/view/Main/5001389 || url,support.citrix.com/article/CTX123875 5001390 || [CITRIX] Netscaler - Network interface is stopped || url,wiki.quadrantsec.com/bin/view/Main/5001390 || url,support.citrix.com/article/CTX123875 5001391 || [CITRIX] Netscaler - A non-http resource access is denied by policy engine || url,wiki.quadrantsec.com/bin/view/Main/5001391 || url,support.citrix.com/article/CTX123875 5001392 || [CITRIX] Netscaler - Server side and a client 
side TCP connection is delinked || url,wiki.quadrantsec.com/bin/view/Main/5001392 || url,support.citrix.com/article/CTX123875 5001393 || [CITRIX] Netscaler - Process with PID is being restarted || url,wiki.quadrantsec.com/bin/view/Main/5001393 || url,support.citrix.com/article/CTX123875 5001394 || [CITRIX] Netscaler - Process with pid has reached maximum number of restarts || url,wiki.quadrantsec.com/bin/view/Main/5001394 || url,support.citrix.com/article/CTX123875 5001395 || [CITRIX] Netscaler - URL Transformation regex error || url,wiki.quadrantsec.com/bin/view/Main/5001395 || url,support.citrix.com/article/CTX123875 5001396 || [CITRIX] Netscaler - Pitboss watch is added or deleted on a process with the process id PID || url,wiki.quadrantsec.com/bin/view/Main/5001396 || url,support.citrix.com/article/CTX123875 5001397 || [CITRIX] Netscaler - HA propagation fails || url,wiki.quadrantsec.com/bin/view/Main/5001397 || url,support.citrix.com/article/CTX123875 5001398 || [CITRIX] Netscaler - HA propagation is successful || url,wiki.quadrantsec.com/bin/view/Main/5001398 || url,support.citrix.com/article/CTX123875 5001399 || [CITRIX] Netscaler - URL Transformation in a request header || url,wiki.quadrantsec.com/bin/view/Main/5001399 || url,support.citrix.com/article/CTX123875 5001400 || [CITRIX] Netscaler - URL Transformation parsing error || url,wiki.quadrantsec.com/bin/view/Main/5001400 || url,support.citrix.com/article/CTX123875 5001401 || [CITRIX] Netscaler - URL Transformation error in a request header || url,wiki.quadrantsec.com/bin/view/Main/5001401 || url,support.citrix.com/article/CTX123875 5001402 || [CITRIX] Netscaler - URL Transformation in a response header || url,wiki.quadrantsec.com/bin/view/Main/5001402 || url,support.citrix.com/article/CTX123875 5001403 || [CITRIX] Netscaler - Route is down || url,wiki.quadrantsec.com/bin/view/Main/5001403 || url,support.citrix.com/article/CTX123875 5001404 || [CITRIX] Netscaler - Route is up || 
url,wiki.quadrantsec.com/bin/view/Main/5001404 || url,support.citrix.com/article/CTX123875 5001405 || [CITRIX] Netscaler - Route Advertised || url,wiki.quadrantsec.com/bin/view/Main/5001405 || url,support.citrix.com/article/CTX123875 5001406 || [CITRIX] Netscaler - HA state change || url,wiki.quadrantsec.com/bin/view/Main/5001406 || url,support.citrix.com/article/CTX123875 5001407 || [CITRIX] Netscaler - Route Relearnt || url,wiki.quadrantsec.com/bin/view/Main/5001407 || url,support.citrix.com/article/CTX123875 5001408 || [CITRIX] Netscaler - Route Withdrawn || url,wiki.quadrantsec.com/bin/view/Main/5001408 || url,support.citrix.com/article/CTX123875 5001409 || [CITRIX] Netscaler - SSL Certificate Expiry Imminent || url,wiki.quadrantsec.com/bin/view/Main/5001409 || url,support.citrix.com/article/CTX123875 5001410 || [CITRIX] Netscaler - SSL CRL Update Failure || url,wiki.quadrantsec.com/bin/view/Main/5001410 || url,support.citrix.com/article/CTX123875 5001411 || [CITRIX] Netscaler - SSL CRL Update Success || url,wiki.quadrantsec.com/bin/view/Main/5001411 || url,support.citrix.com/article/CTX123875 5001412 || [CITRIX] Netscaler - SSL Handshake Failure || url,wiki.quadrantsec.com/bin/view/Main/5001412 || url,support.citrix.com/article/CTX123875 5001413 || [CITRIX] Netscaler - SSL Client Certificate IssueName || url,wiki.quadrantsec.com/bin/view/Main/5001413 || url,support.citrix.com/article/CTX123875 5001414 || [CITRIX] Netscaler - SSL Client Certificate SubjectName || url,wiki.quadrantsec.com/bin/view/Main/5001414 || url,support.citrix.com/article/CTX123875 5001415 || [CITRIX] Netscaler - SSL Handshake Success || url,wiki.quadrantsec.com/bin/view/Main/5001415 || url,support.citrix.com/article/CTX123875 5001416 || [CITRIX] Netscaler - CPU started || url,wiki.quadrantsec.com/bin/view/Main/5001416 || url,support.citrix.com/article/CTX123875 5001417 || [CITRIX] Netscaler - Save configuration started || url,wiki.quadrantsec.com/bin/view/Main/5001417 || 
url,support.citrix.com/article/CTX123875 5001418 || [CITRIX] Netscaler - System Started || url,wiki.quadrantsec.com/bin/view/Main/5001418 || url,support.citrix.com/article/CTX123875 5001419 || [CITRIX] Netscaler - HA State has changed || url,wiki.quadrantsec.com/bin/view/Main/5001419 || url,support.citrix.com/article/CTX123875 5001420 || [CITRIX] Netscaler - SSLVPN and the group for the user has been extracted || url,wiki.quadrantsec.com/bin/view/Main/5001420 || url,support.citrix.com/article/CTX123875 5001421 || [CITRIX] Netscaler - Save configuration has stopped || url,wiki.quadrantsec.com/bin/view/Main/5001421 || url,support.citrix.com/article/CTX123875 5001422 || [CITRIX] Netscaler - System stopped || url,wiki.quadrantsec.com/bin/view/Main/5001422 || url,support.citrix.com/article/CTX123875 5001423 || [CITRIX] Netscaler - Logged TCP connection related information || url,wiki.quadrantsec.com/bin/view/Main/5001423 || url,support.citrix.com/article/CTX123875 5001424 || [CITRIX] Netscaler - An SSLVPN connection timed out || url,wiki.quadrantsec.com/bin/view/Main/5001424 || url,support.citrix.com/article/CTX123875 5001425 || [CITRIX] Netscaler - UDP flow || url,wiki.quadrantsec.com/bin/view/Main/5001425 || url,support.citrix.com/article/CTX123875 5001426 || [CITRIX] Netscaler - Unknown Error || url,wiki.quadrantsec.com/bin/view/Main/5001426 || url,support.citrix.com/article/CTX123875 5001427 || [CITRIX] Netscaler - RHI state of VIP changes to down || url,wiki.quadrantsec.com/bin/view/Main/5001427 || url,support.citrix.com/article/CTX123875 5001428 || [CITRIX] Netscaler - RHI state of VIP changes to up || url,wiki.quadrantsec.com/bin/view/Main/5001428 || url,support.citrix.com/article/CTX123875 5001429 || [CITRIX] Netscaler - VRID changes state to backup || url,wiki.quadrantsec.com/bin/view/Main/5001429 || url,support.citrix.com/article/CTX123875 5001430 || [CITRIX] Netscaler - VRID changes state to backup || url,wiki.quadrantsec.com/bin/view/Main/5001430 || 
url,support.citrix.com/article/CTX123875 5001431 || [CITRIX] Netscaler - VRID changes state to INIT || url,wiki.quadrantsec.com/bin/view/Main/5001431 || url,support.citrix.com/article/CTX123875 5001432 || [CITRIX] Netscaler - VRID changes state to master || url,wiki.quadrantsec.com/bin/view/Main/5001432 || url,support.citrix.com/article/CTX123875 5001435 || [DIGITALPERSONA] User login || url,wiki.quadrantsec.com/bin/view/Main/5001435 5001436 || [DIGITALPERSONA] OTS Started || url,wiki.quadrantsec.com/bin/view/Main/5001436 5001437 || [DIGITALPERSONA] Fingerprint reader connected || url,wiki.quadrantsec.com/bin/view/Main/5001437 5001438 || [DIGITALPERSONA] Fingerprint reader disconnected || url,wiki.quadrantsec.com/bin/view/Main/5001438 5001439 || [DIGITALPERSONA] One-to-one fingerprint match failed [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001439 5001440 || [DIGITALPERSONA] System unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001440 5001441 || [DIGITALPERSONA] Kiosk Login || url,wiki.quadrantsec.com/bin/view/Main/5001441 5001442 || [DIGITALPERSONA] Logoff || url,wiki.quadrantsec.com/bin/view/Main/5001442 5001443 || [DIGITALPERSONA] Kiosk Logoff || url,wiki.quadrantsec.com/bin/view/Main/5001443 5001444 || [DIGITALPERSONA] System locked || url,wiki.quadrantsec.com/bin/view/Main/5001444 5001445 || [DIGITALPERSONA] Kiosk locked || url,wiki.quadrantsec.com/bin/view/Main/5001445 5001446 || [DIGITALPERSONA] System unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001446 5001447 || [DIGITALPERSONA] Kiosk unlocked || url,wiki.quadrantsec.com/bin/view/Main/5001447 5001448 || [DIGITALPERSONA] Registered PIN || url,wiki.quadrantsec.com/bin/view/Main/5001448 5001449 || [DIGITALPERSONA] Changed PIN || url,wiki.quadrantsec.com/bin/view/Main/5001449 5001450 || [DIGITALPERSONA] FP used to unlocked smart card || url,wiki.quadrantsec.com/bin/view/Main/5001450 5001451 || [DIGITALPERSONA] Shared account problem || url,wiki.quadrantsec.com/bin/view/Main/5001451 5001452 || 
[DIGITALPERSONA] Shared account missing || url,wiki.quadrantsec.com/bin/view/Main/5001452 5001453 || [DIGITALPERSONA] OTS Stopped || url,wiki.quadrantsec.com/bin/view/Main/5001453 5001454 || [DIGITALPERSONA] Agent cannot start || url,wiki.quadrantsec.com/bin/view/Main/5001454 5001455 || [DIGITALPERSONA] Password change canceled by user || url,wiki.quadrantsec.com/bin/view/Main/5001455 5001456 || [DIGITALPERSONA] Initial fillin was performed || url,wiki.quadrantsec.com/bin/view/Main/5001456 5001457 || [DIGITALPERSONA] Fillin was performed || url,wiki.quadrantsec.com/bin/view/Main/5001457 5001458 || [DIGITALPERSONA] Account data could not be modified || url,wiki.quadrantsec.com/bin/view/Main/5001458 5001459 || [DIGITALPERSONA] Account data successfully modified || url,wiki.quadrantsec.com/bin/view/Main/5001459 5001460 || [DIGITALPERSONA] CRC check failure || url,wiki.quadrantsec.com/bin/view/Main/5001460 5001461 || [DIGITALPERSONA] User added to Kiosk ID list || url,wiki.quadrantsec.com/bin/view/Main/5001461 5001462 || [DIGITALPERSONA] User deleted from Kiosk ID list || url,wiki.quadrantsec.com/bin/view/Main/5001462 5001463 || [DIGITALPERSONA] User pushed out of the User ID list || url,wiki.quadrantsec.com/bin/view/Main/5001463 5001464 || [DIGITALPERSONA] Kiosk ID list created || url,wiki.quadrantsec.com/bin/view/Main/5001464 5001465 || [DIGITALPERSONA] Kiosk ID list deleted || url,wiki.quadrantsec.com/bin/view/Main/5001465 5001466 || [DIGITALPERSONA] DPHost started || url,wiki.quadrantsec.com/bin/view/Main/5001466 5001467 || [DIGITALPERSONA] DPHost cannot start || url,wiki.quadrantsec.com/bin/view/Main/5001467 5001468 || [DIGITALPERSONA] Connection to server succeeded || url,wiki.quadrantsec.com/bin/view/Main/5001468 5001469 || [DIGITALPERSONA] Connection to server failed || url,wiki.quadrantsec.com/bin/view/Main/5001469 5001470 || [DIGITALPERSONA] Server busy || url,wiki.quadrantsec.com/bin/view/Main/5001470 5001471 || [DIGITALPERSONA] One-to-many match failed || 
url,wiki.quadrantsec.com/bin/view/Main/5001471 5001472 || [DIGITALPERSONA] Account locked out || url,wiki.quadrantsec.com/bin/view/Main/5001472 5001473 || [DIGITALPERSONA] License quota exceeded || url,wiki.quadrantsec.com/bin/view/Main/5001473 5001474 || [DIGITALPERSONA] License quota near limit || url,wiki.quadrantsec.com/bin/view/Main/5001474 5001475 || [WINDOWS-AUTH] Group account changed || url,wiki.quadrantsec.com/bin/view/Main/5001475 5001476 || [CISCO-IOS] Unsupported Hardware Module || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1ab 5001477 || [CISCO-IOS] IP Packet received too short || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1abb 5001478 || [CISCO-IOS] IP Packet with probable bad checksum Dropped || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#EARL 5001479 || [CISCO-IOS] NetFlow addressable memory almost full || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1a 5001480 || [CISCO-IOS] IOS Keepalive Loop Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1b 5001481 || [CISCO-IOS] Possible IOS System Crash || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1bc 5001482 || [CISCO-IOS] Error in Layer 3 Forwarding ASIC [0/2] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#ASIC 5001483 || [CISCO-IOS] MAC/IP length inconsistencies || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1 5001484 || [CISCO-IOS] Invalid IP Checksum detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob2 5001485 || [CISCO-IOS] Excessive Multicast Traffic to IGMP reserved address || 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob3 5001486 || [CISCO-IOS] PIM Hold Time Out of range || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob5 5001487 || [CISCO-IOS] Maximum Number of L2 Multicast Group Entries Created || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob6 5001488 || [CISCO-IOS] Internal Table Manager Parity Error || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob7 5001489 || [CISCO-IOS] Short IP Packets Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob8 5001490 || [CISCO-IOS] Creating Session to module/slot failed || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#Processor 5001491 || [CISCO-IOS] Module Firmware error detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob9 5001492 || [CISCO-IOS] Module Error Condition || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-error 5001493 || [CISCO-IOS] Switch Port Error Detected [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#mod-issue 5001494 || [CISCO-IOS] Unsupported SFP GBIC Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badkey 5001495 || [CISCO-IOS] TCAM Resource Exhaustion Detected || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#TCAM 5001496 || [CISCO-IOS] Supervisor Engine Parity Errors [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tmparity 5001497 || [CISCO-IOS] Memory Parity Error [0/3] || 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-controller 5001498 || [CISCO-IOS] Linecard Endpoint Lost Sync || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#sp141 5001499 || [CISCO-IOS] Misconfigured Boot Variables || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#nwboot 5001500 || [CISCO-IOS] CPU Monitor Message Time Outs [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor 5001501 || [CISCO-IOS] CPU Monitor Message Not Heard [0/3] || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor 5001502 || [CISCO-IOS] Invalid IDPROM Image || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#idprom 5001503 || [CISCO-IOS] Switch Module Powered Off || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#pwrdis 5001504 || [CISCO-IOS] ASIC Failed to Synchronize || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#onlinefail 5001505 || [CISCO-IOS] Flow Mask Request Failed || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#flowmask 5001506 || [CISCO-IOS] IGMP join packet Flood || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#igmpsnoop 5001507 || [CISCO-IOS] ASIC/Pinnacle Unrecoverable resources || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#dr 5001508 || [CISCO-IOS] Switching Bus Stalled || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec 5001509 || [CISCO-IOS] Switching Bus Recovered || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec 5001510 || [CISCO-IOS] SP-RP ping test 
failed, High Traffic || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#srp 5001511 || [CISCO-IOS] Sub-interface Limit Reached || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#subint 5001512 || [CISCO-IOS] Hash Bucket Collision || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#l2hash 5001513 || [CISCO-IOS] QoS Hardware Resources Exceeded || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#qm_agg 5001514 || [CISCO-IOS] Port Channel MTU Mismatch || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-bundle 5001515 || [CISCO-IOS] Port Channel Flow Control Mismatch || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#port 5001516 || [CISCO-IOS] Route entries about to reach FIB capacity || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tcamexception 5001517 || [CISCO-IOS] Switch Port Data Path Error || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#disablingport 5001518 || [CISCO-IOS] Bad CRC on ASIC Line Card || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module 5001519 || [CISCO-IOS] Switch Detected Unknown Protocol || url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode 5001520 || [CISCO-IOS] Failed login || url,wiki.quadrantsec.com/bin/view/Main/5001520 5001521 || [CITRIX] Netscaler - AAA module failed to login the user || url,wiki.quadrantsec.com/bin/view/Main/5001521 || url,support.citrix.com/article/CTX123875 5001522 || [FTPD] Failed authentication || url,wiki.quadrantsec.com/bin/view/Main/5001522 5001523 || [OPENSSH] PAM Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001523 5001524 || [OPENSSH] 
Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001524 5001525 || [OPENSSH] Authentication failure for root || url,wiki.quadrantsec.com/bin/view/Main/5001525 5001526 || [SU] SUDO authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001526 5001527 || [SU] FAILED su || url,wiki.quadrantsec.com/bin/view/Main/5001527 5001528 || [SYSLOG] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001528 5001529 || [VMWARE] User authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001529 5001530 || [VSFTPD] Login failed || url,wiki.quadrantsec.com/bin/view/Main/5001530 5001531 || [WINDOWS-AUTH] Login failure - Unknown username or bad password || url,wiki.quadrantsec.com/bin/view/Main/5001531 5001532 || [HUAWEI] USER_NOT_EXIST || url,www.huaweisymantec.com/en/download.do?id=658891 5001533 || [HUAWEI] ARP_DUPLICATE_IPADDR || url,huaweisymantec.com/en/download.do?id=658891 5001534 || [HUAWEI] DHCPC_LOG_NAK || url,huaweisymantec.com/en/download.do?id=658891 5001535 || [HUAWEI] DHCPC_LOG_REQIP_SUCCESS || url,huaweisymantec.com/en/download.do?id=658891 5001536 || [HUAWEI] DHCPC_LOG_REQIP_SUCCESS || url,huaweisymantec.com/en/download.do?id=658891 5001538 || [HUAWEI] FTPS - USERIN Login failed || url,huaweisymantec.com/en/download.do?id=658891 5001539 || [HUAWEI] FTPS - USEROUT Logout || url,huaweisymantec.com/en/download.do?id=658891 5001540 || [HUAWEI] FTPS - RECVDATA || url,huaweisymantec.com/en/download.do?id=658891 5001541 || [HUAWEI] FTPS - REQUEST || url,huaweisymantec.com/en/download.do?id=658891 5001542 || [HUAWEI] FTPS - SENDDATA || url,huaweisymantec.com/en/download.do?id=658891 5001543 || [HUAWEI] HTTPD - FAIL || url,huaweisymantec.com/en/download.do?id=658891 5001544 || [HUAWEI] HTTPD - OUT || url,huaweisymantec.com/en/download.do?id=658891 5001545 || [HUAWEI] HTTPD - PASS || url,huaweisymantec.com/en/download.do?id=658891 5001546 || [HUAWEI] ATCKDF - IP spoof attack || url,
huaweisymantec.com/en/download.do?id=658891 5001547 || [HUAWEI] ATCKDF - Fraggle attack || url,huaweisymantec.com/en/download.do?id=658891 5001548 || [HUAWEI] ATCKDF - Smurf attack || url,huaweisymantec.com/en/download.do?id=658891 5001549 || [HUAWEI] ATCKDF - Land attack || url,huaweisymantec.com/en/download.do?id=658891 5001550 || [HUAWEI] ATCKDF - Time stamp attack || url,huaweisymantec.com/en/download.do?id=658891 5001551 || [HUAWEI] ATCKDF - Ip options attack || url,huaweisymantec.com/en/download.do?id=658891 5001552 || [HUAWEI] ATCKDF - Ip option source route attack || url,huaweisymantec.com/en/download.do?id=658891 5001553 || [HUAWEI] ATCKDF - ICMP flood attack || url,huaweisymantec.com/en/download.do?id=658891 5001554 || [HUAWEI] ATCKDF - Redirect attack || url,huaweisymantec.com/en/download.do?id=658891 5001555 || [HUAWEI] ATCKDF - TCP flood attack || url,huaweisymantec.com/en/download.do?id=658891 5001556 || [HUAWEI] ATCKDF - Winnuke attack || url,huaweisymantec.com/en/download.do?id=658891 5001557 || [HUAWEI] ATCKDF - Ping of death attack || url,huaweisymantec.com/en/download.do?id=658891 5001558 || [HUAWEI] ATCKDF - Tear drop attack || url,huaweisymantec.com/en/download.do?id=658891 5001559 || [HUAWEI] ATCKDF - Trace route attack || url,huaweisymantec.com/en/download.do?id=658891 5001560 || [HUAWEI] ATCKDF - Ip options route record attack || url,huaweisymantec.com/en/download.do?id=658891 5001561 || [HUAWEI] ATCKDF - Port scan attack || url,huaweisymantec.com/en/download.do?id=658891 5001562 || [HUAWEI] ATCKDF - Unreachable attack || url,huaweisymantec.com/en/download.do?id=658891 5001563 || [HUAWEI] ATCKDF - UDP flood attack || url,huaweisymantec.com/en/download.do?id=658891 5001564 || [HUAWEI] ATCKDF - Syn flood attack || url,huaweisymantec.com/en/download.do?id=658891 5001565 || [HUAWEI] ATCKDF - Other-protocol attack || url,huaweisymantec.com/en/download.do?id=658891 5001566 || [HUAWEI] ATCKDF - Large ICMP attack || url,
huaweisymantec.com/en/download.do?id=658891 5001567 || [HUAWEI] ATCKDF - IP Fragment attack || url, huaweisymantec.com/en/download.do?id=658891 5001568 || [HUAWEI] ATCKDF - Ftp Bounce attack || url, huaweisymantec.com/en/download.do?id=658891 5001569 || [HUAWEI] ATCKDF - Too much Half Con of SYN Flood || url, huaweisymantec.com/en/download.do?id=658891 5001570 || [HUAWEI] ATCKDF - Tcp flag attack || url, huaweisymantec.com/en/download.do?id=658891 5001571 || [HUAWEI] BIND - VPN bound IP address || url, huaweisymantec.com/en/download.do?id=658891 5001572 || [HUAWEI] BIND - VPN unbound IP address || url, huaweisymantec.com/en/download.do?id=658891 5001573 || [HUAWEI] BLACKLIST - VPN added to blacklist || url, huaweisymantec.com/en/download.do?id=658891 5001574 || [HUAWEI] BLACKLIST - VPN removed from blacklist || url, huaweisymantec.com/en/download.do?id=658891 5001575 || [HUAWEI] BLACKLIST - Blacklist cleared || url, huaweisymantec.com/en/download.do?id=658891 5001576 || [HUAWEI] SESSION || url, huaweisymantec.com/en/download.do?id=658891 5001577 || [HUAWEI] SHELL - LOGIN || url, huaweisymantec.com/en/download.do?id=658891 5001578 || [HUAWEI] SHELL - LOGIN_FAIL || url, huaweisymantec.com/en/download.do?id=658891 5001579 || [HUAWEI] SHELL - LOGOUT || url, huaweisymantec.com/en/download.do?id=658891 5001580 || [HUAWEI] SHELL - CMD || url, huaweisymantec.com/en/download.do?id=658891 5001581 || [HUAWEI] FanAbnormal || url, huaweisymantec.com/en/download.do?id=658891 5001582 || [HUAWEI] VentTemp2Hot || url, huaweisymantec.com/en/download.do?id=658891 5001583 || [HUAWEI] SSH - add_success || url, huaweisymantec.com/en/download.do?id=658891 5001584 || [HUAWEI] SSH - LOGIN_FAIL || url, huaweisymantec.com/en/download.do?id=658891 5001585 || [HUAWEI] SSH - LOGIN_FAIL_CHALLENGE_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001586 || [HUAWEI] SSH - LOGIN_FAIL_COOKIE_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001587 || [HUAWEI] SSH - 
LOGIN_FAIL_DISSCONNECT || url, huaweisymantec.com/en/download.do?id=658891 5001588 || [HUAWEI] SSH - LOGIN_FAIL_PWD_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001589 || [HUAWEI] SSH - LOGIN_FAIL_RETRY_OUT || url, huaweisymantec.com/en/download.do?id=658891 5001590 || [HUAWEI] SSH - LOGIN_FAIL_RSA_ERR || url, huaweisymantec.com/en/download.do?id=658891 5001591 || [HUAWEI] VRRP - LogAuthFailed || url, huaweisymantec.com/en/download.do?id=658891 5001592 || [HUAWEI] SSH - LOGIN_FAIL - Brute force [5/5] || url, huaweisymantec.com/en/download.do?id=658891 5001593 || [CISCO-PIXASA] AAA user authentication Reject - Brute force [10/1] || url, wiki.quadrantsec.com/bin/view/Main/5001593 5001595 || [MONGODB] DBException causing immediate shutdown || url,www.mongodb.org 5001596 || [MONGODB] IOS_Base exception causing immediate shutdown || url,www.mongodb.org 5001597 || [MONGODB] Bad allocation exception causing immediate shutdown || url,www.mongodb.org 5001598 || [MONGODB] Shutting down || url,www.mongodb.org 5001599 || [MONGODB] Clock skew detected || url,www.mongodb.org 5001600 || [MONGODB] Large clock skew detected || url,www.mongodb.org 5001601 || [MONGODB] Clock skew exception - shutting down || url,www.mongodb.org 5001602 || [MONGODB] Terminating- Shutdown command received || url,www.mongodb.org 5001603 || [MONGODB] Handshake detected || url,www.mongodb.org 5001604 || [MONGODB] Auth: Could not find user || url,www.mongodb.org 5001605 || [MONGODB] Admin command received from client || url,www.mongodb.org 5001606 || [MONGODB] Attempting to sync || url,www.mongodb.org 5001607 || [MONGODB] Replauthenticate failed: Requires Admin permissions || url,www.mongodb.org 5001608 || [MONGODB] Cannot authenticate to master server || url,www.mongodb.org 5001609 || [MONGODB] replSet is going into maintenance mode || url,www.mongodb.org 5001610 || [MONGODB] replSet is leaving maintenance mode || url,www.mongodb.org 5001611 || [NETSCREEN] SYN Flood || 
url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001612 || [NETSCREEN] Teardrop attack || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001613 || [NETSCREEN] IP spoofing || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001614 || [NETSCREEN] ICMP flood || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001615 || [NETSCREEN] SYN fragment || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001616 || [NETSCREEN] Unknown protocol || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001617 || [NETSCREEN] Bad IP option || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001618 || [NETSCREEN] SYN-ACK-ACK || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001619 || [NETSCREEN] Connection refused by the DNS || url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf 5001620 || [WINDOWS-AUTH] Attempted Password Reset || url,wiki.quadrantsec.com/bin/view/Main/5001620 5001621 || [SYSLOG] Authentication failure - Brute force [10 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001621 5001622 || [SYSLOG] Authentication failure - Brute force [20 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001622 5001623 || [SYSLOG] Authentication failure - Brute force [50 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001623 5001624 || [SYSLOG] Authentication failure - Brute force [100 attempts in 5 minutes] || url,wiki.quadrantsec.com/bin/view/Main/5001624 5001625 || [CISCO-IOS] Login Failed || url,wiki.quadrantsec.com/bin/view/Main/5001625 5001626 || [CISCO-IOS] High CPU usage detected || url,wiki.quadrantsec.com/bin/view/Main/5001626 5001627 || [FORTINET] Botnet traffic detected || url,wiki.quadrantsec.com/bin/view/Main/5001627 5001628 || [OPENSSH] Authentication failure - Brute 
force [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5001628 5001629 || [OPENSSH] Authentication failure - Brute force [20/5] || url,wiki.quadrantsec.com/bin/view/Main/5001629 5001630 || [OPENSSH] Authentication failure - Brute force [30/5] || url,wiki.quadrantsec.com/bin/view/Main/5001630 5001631 || [OPENSSH] Authentication failure - Brute force [40/5] || url,wiki.quadrantsec.com/bin/view/Main/5001631 5001632 || [OPENSSH] Authentication failure - Brute force [50/5] || url,wiki.quadrantsec.com/bin/view/Main/5001632 5001633 || [OPENSSH] Authentication failure - Brute force [100/5] || url,wiki.quadrantsec.com/bin/view/Main/5001633 5001634 || [OPENSSH] PAM Authentication failure - Brute force [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5001634 5001635 || [OPENSSH] PAM Authentication failure - Brute force [20/5] || url,wiki.quadrantsec.com/bin/view/Main/5001635 5001636 || [OPENSSH] PAM Authentication failure - Brute force [30/5] || url,wiki.quadrantsec.com/bin/view/Main/5001636 5001637 || [OPENSSH] PAM Authentication failure - Brute force [40/5] || url,wiki.quadrantsec.com/bin/view/Main/5001637 5001638 || [OPENSSH] PAM Authentication failure - Brute force [50/5] || url,wiki.quadrantsec.com/bin/view/Main/5001638 5001639 || [OPENSSH] PAM Authentication failure - Brute force [100/5] || url,wiki.quadrantsec.com/bin/view/Main/5001639 5001640 || [WINDOWS-MSSQL] Login Failure || url,wiki.quadrantsec.com/bin/view/Main/5001640 5001641 || [WINDOWS-MSSQL] Login Failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001641 5001642 || [JUNIPER] SSHD_LOGIN_ATTEMPTS_THRESHOLD - Brute Force || url,wiki.quadrantsec.com/bin/view/Main/5001642 5001643 || [JUNIPER] SSHD_LOGIN_FAILED_LIMIT - Brute Force || url,wiki.quadrantsec.com/bin/view/Main/5001643 5001644 || [JUNIPER] SSHD_LOGIN_FAILED || url,wiki.quadrantsec.com/bin/view/Main/5001644 5001645 || [JUNIPER] SSHD_LOGIN_FAILED - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001645 5001646 || [OPENSSH] 
Failed password - Brute force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5001646 5001647 || [OPENSSH] Failed password || url,wiki.quadrantsec.com/bin/view/Main/5001647 5001648 || [WINDOWS-AUTH] Authentication failed - User credentials mismatch [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5001648 5001649 || [WINDOWS-MISC] DHCP Scope is almost full || url,wiki.quadrantsec.com/bin/view/Main/5001649 5001650 || [WINDOWS-MISC] DHCP Scope is full. No IP addresses left || url,wiki.quadrantsec.com/bin/view/Main/5001650 5001651 || [OPENVPN] Authentication failure [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5001651 5001652 || [OPENVPN] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5001652 5001653 || [OPENVPN] Unencrypted VPN connection initiated || url,wiki.quadrantsec.com/bin/view/Main/5001653 5001654 || [CISCO-PIXASA] User authentication failed - Brute force [5/1] || url, wiki.quadrantsec.com/bin/view/Main/5001654 5001655 || [CISCO-ACS] Failed Login Attempt || url,wiki.quadrantsec.com/bin/view/Main/5001655 5001656 || [CISCO-ACS] Failed Login Attempt - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001656 5001657 || [WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password - Brute Force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001657 5001658 || [WINDOWS-AUTH] Auth failed - Bad Account/Incorrect Password || url,wiki.quadrantsec.com/bin/view/Main/5001658 5001659 || [WINDOWS-AUTH] User account does not exist || url,wiki.quadrantsec.com/bin/view/Main/5001659 5001660 || [WINDOWS-AUTH] Domain does not exist || url,wiki.quadrantsec.com/bin/view/Main/5001660 5001661 || [WINDOWS-AUTH] No matching network policy || url,wiki.quadrantsec.com/bin/view/Main/5001661 5001662 || [WINDOWS-AUTH] RADIUS Access-Request message is disabled || url,wiki.quadrantsec.com/bin/view/Main/5001662 5001663 || [WINDOWS-AUTH] User must change password || url,wiki.quadrantsec.com/bin/view/Main/5001663 5001664 || [WINDOWS-AUTH] Remote RADIUS did not 
process auth request || url,wiki.quadrantsec.com/bin/view/Main/5001664 5001665 || [WINDOWS-AUTH] Incomplete message. Signature not verified || url,wiki.quadrantsec.com/bin/view/Main/5001665 5001666 || [WINDOWS-AUTH] EAP type cannot be processed by server || url,wiki.quadrantsec.com/bin/view/Main/5001666 5001667 || [WINDOWS-AUTH] Error occurred with EAP || url,wiki.quadrantsec.com/bin/view/Main/5001667 5001668 || [CISCO-IOS] Authentication Failure SSH || url,wiki.quadrantsec.com/bin/view/Main/5001668 5001669 || [CISCO-IOS] Illegal User SSH || url,wiki.quadrantsec.com/bin/view/Main/5001669 5001670 || [CISCO-IOS] Authentication Failure SSH - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001670 5001671 || [CISCO-IOS] FATAL - bad tty - login (no program) || url,wiki.quadrantsec.com/bin/view/Main/5001671 5001672 || [CISCO-IOS] Auth to privilege 15 failed || url,wiki.quadrantsec.com/bin/view/Main/5001672 5001673 || [CISCO-IOS] Multicast storm detected || url,wiki.quadrantsec.com/bin/view/Main/5001673 5001674 || [CISCO-IOS] Invalid ARP || url,wiki.quadrantsec.com/bin/view/Main/5001674 5001675 || [SYMANTEC-EMS] Authentication success || url,wiki.quadrantsec.com/bin/view/Main/5001675 5001676 || [SYMANTEC-EMS] Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5001676 5001677 || [SYMANTEC-EMS] Multiple authentication failures || url,wiki.quadrantsec.com/bin/view/Main/5001677 5001678 || [SYMANTEC-EMS] Authorization failure || url,wiki.quadrantsec.com/bin/view/Main/5001678 5001679 || [SYMANTEC-EMS] Multiple authorization failures || url,wiki.quadrantsec.com/bin/view/Main/5001679 5001680 || [SYMANTEC-EMS] Encrypted partition mount failure || url,wiki.quadrantsec.com/bin/view/Main/5001680 5001681 || [SYMANTEC-EMS] Error regrouping - expired key || url,wiki.quadrantsec.com/bin/view/Main/5001681 5001682 || [SYMANTEC-EMS] Error regrouping - expired key || url,wiki.quadrantsec.com/bin/view/Main/5001682 5001683 || [SYMANTEC-EMS] Error regrouping - bad 
parameters || url,wiki.quadrantsec.com/bin/view/Main/5001683 5001684 || [SYMANTEC-EMS] Failed to map user to a directory || url,wiki.quadrantsec.com/bin/view/Main/5001684 5001685 || [SYMANTEC-EMS] LDAP key error - name lookup failed || url,wiki.quadrantsec.com/bin/view/Main/5001685 5001686 || [CISCO-IOS] Login Failed - Brute Force [10/1] || url,wiki.quadrantsec.com/bin/view/Main/5001686 5001687 || [WINDOWS-AUTH] User account enabled || url,wiki.quadrantsec.com/bin/view/Main/5001687 5001688 || [CISCO-IOS] Low FAN RPM - Service recommended || url,wiki.quadrantsec.com/bin/view/Main/5001688 5001689 || [CISCO-WLC] Rogue AP detected [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5001689 5001692 || [WINDOWS-AUTH] Local Administrator account added to a local group || url,wiki.quadrantsec.com/bin/view/Main/5001692 5001693 || [WINDOWS-AUTH] User added to Network Config Operator group || url,wiki.quadrantsec.com/bin/view/Main/5001693 5001694 || [WINDOWS-AUTH] User added to DNS Admins group || url,wiki.quadrantsec.com/bin/view/Main/5001694 5001695 || [WINDOWS-AUTH] User added to Domain Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5001695 5001696 || [WINDOWS-AUTH] User added to Enterprise Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5001696 5001697 || [WINDOWS-AUTH] User added to Group Policy Creator Owner group || url,wiki.quadrantsec.com/bin/view/Main/5001696 5001699 || [WEB-ATTACK] Havij SQL Injection Tool Identified || url,wiki.quadrantsec.com/bin/view/Main/5001699 5001700 || [WEB-ATTACKS] UNION ALL SELECT in URL - Possible SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/5001700 5001701 || [WEB-ATTACKS] SQL Injection Using Encapsulated Data - x=x || url,wiki.quadrantsec.com/bin/view/Main/5001701 5001702 || [WEB-ATTACKS] SQL Injection Using Encapsulated Data - 1=1 || url,wiki.quadrantsec.com/bin/view/Main/5001702 5001703 || [WEB-ATTACKS] SQL Injection Using Hex Encoding || url,wiki.quadrantsec.com/bin/view/Main/5001703 5001704 || 
[SYSLOG] password changed for user || url,wiki.quadrantsec.com/bin/view/Main/5001704 5001705 || [SYSLOG] password changed for user root || url,wiki.quadrantsec.com/bin/view/Main/5001705 5001706 || [BIND] Version attempt || url,wiki.quadrantsec.com/bin/view/Main/5001706 5001707 || [CISCO-IOS] EIGRP Adjacency Change - Neighbor Up || url,wiki.quadrantsec.com/bin/view/Main/5001707 5001708 || [CISCO-IOS] EIGRP Adjacency Change - Neighbor Down || url,wiki.quadrantsec.com/bin/view/Main/5001708 5001709 || [CISCO-IOS] Call Manager Telephony Subsystem Shutdown || url,wiki.quadrantsec.com/bin/view/Main/5001709 5001710 || [CISCO-IOS] Call Manager Telephony Subsystem ModuleStop || url,wiki.quadrantsec.com/bin/view/Main/5001710 5001711 || [CISCO-IOS] Grammar Manager Telephony Subsystem ModuleStop || url,wiki.quadrantsec.com/bin/view/Main/5001711 5001712 || [CISCO-IOS] Cisco Unified CCX MGR Shutdown || url,wiki.quadrantsec.com/bin/view/Main/5001712 5001713 || [CISCO-IOS] Socket Manager Telephony Subsystem ModuleStart || url,wiki.quadrantsec.com/bin/view/Main/5001713 5001714 || [CISCO-PIXASA] TCP access denied by ACL - Brute force [25/1] || url, wiki.quadrantsec.com/bin/view/Main/5001714 5001715 || [CISCO-PIXASA] TCP access denied by ACL || url, wiki.quadrantsec.com/bin/view/Main/5001715 5001716 || [WINDOWS-MISC] DHCP Scope is FULL || url,wiki.quadrantsec.com/bin/view/Main/5001716 5001717 || [ORACLE] Authentication Failure || url, wiki.quadrantsec.com/bin/view/Main/5001717 5001718 || [CISCO-IOS] BGP Adjacency Change - Neighbor Up || url,wiki.quadrantsec.com/bin/view/Main/5001718 5001719 || [CISCO-IOS] BGP Adjacency Change - Neighbor Down || url,wiki.quadrantsec.com/bin/view/Main/5001719 5001720 || [CISCO-IOS] BGP Neighbor Removed From Topology || url,wiki.quadrantsec.com/bin/view/Main/5001720 5001721 || [CISCO-IOS] HSRP Requesting Active State || url,wiki.quadrantsec.com/bin/view/Main/5001721 5001722 || [CISCO-IOS] HSRP State Change || 
url,wiki.quadrantsec.com/bin/view/Main/5001722 5001723 || [CISCO-IOS] HSRP State Change || url,wiki.quadrantsec.com/bin/view/Main/5001723 5001724 || [CISCO-MALWARE] ZeroAccess UDP port 16464 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001724 5001725 || [CISCO-MALWARE] ZeroAccess UDP port 16465 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001725 5001726 || [CISCO-MALWARE] ZeroAccess UDP port 16470 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001726 5001727 || [CISCO-MALWARE] ZeroAccess UDP port 16471 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001727 5001728 || [WINDOWS-AUTH] Potential Windows User Enumeration - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001728 5001729 || [WINDOWS-AUTH] Windows Brute force - User Correct but Incorrect Password [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001729 5001730 || [WINDOWS-AUTH] Windows Brute force - User Is Locked Out [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001730 5001731 || [WINDOWS-AUTH] Windows Brute force - User Account Disabled [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001731 5001732 || [WINDOWS-AUTH] Windows Brute force - User Login Attempts Outside of Time Restriction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001732 5001733 || [WINDOWS-AUTH] Windows Brute force - Expired Account [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001733 5001734 || [WINDOWS-AUTH] Windows Brute force - Expired Password [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001734 5001735 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001735 5001736 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001736 5001737 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001737 5001738 || [WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5] 
|| url,wiki.quadrantsec.com/bin/view/Main/5001738 5001739 || [PROXY-MALWARE] Pony Trojan || url,wiki.quadrantsec.com/bin/view/Main/5001739 5001740 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001740 5001741 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001741 5001742 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3 - Requested protocol version # not supported [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001742 5001743 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001743 5001744 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001744 5001745 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001745 5001746 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001746 5001747 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001747 5001748 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001748 5001749 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001749 5001750 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001750 5001751 || 
[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001751 5001752 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001752 5001753 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xE - KDC has no support for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001753 5001754 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001754 5001755 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001755 5001756 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x11 - KDC has no support for transited type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001756 5001757 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001757 5001758 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001758 5001759 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001759 5001760 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001760 5001761 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001761 5001762 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001762 5001763 || [WINDOWS-AUTH] Windows DC Logon Failure 
- Brute force 0x18 - Pre-authentication information was invalid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001763 5001764 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001764 5001765 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001765 5001766 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x20 - Ticket expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001766 5001767 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001767 5001768 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001768 5001769 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001769 5001770 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001770 5001771 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001771 5001772 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001772 5001773 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001773 5001774 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001774 5001775 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001775 5001776 || 
[WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001776 5001777 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2C - Specified version of key is not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001777 5001778 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001778 5001779 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001779 5001780 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001780 5001781 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001781 5001782 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001782 5001783 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001783 5001784 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3C - Generic error [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001784 5001785 || [WINDOWS-AUTH] Windows DC Logon Failure - Brute force 0x3D - Field is too long for this implementation [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5001785 5001786 || [FORTINET-MALWARE] ZeroAccess UDP port 16464 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001786 5001787 || [FORTINET-MALWARE] ZeroAccess UDP port 16465 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001787 5001788 || [FORTINET-MALWARE] ZeroAccess UDP port 16470 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001788 5001789 || [FORTINET-MALWARE] 
ZeroAccess UDP port 16471 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001789 5001790 || [CISCO-MALWARE] ZeroAccess pre-2012 TCP port 13620 detected [denied] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001790 5001791 || [WINDOWS-AUTH] User account created || url,wiki.quadrantsec.com/bin/view/Main/5001786 5001792 || [WEB-ATTACKS] bsqlbf Brute Force SQL Injection || url,doc.emergingthreats.net/2008362 || url,code.google.com/p/bsqlbf-v2/ 5001793 || [WEB-ATTACKS] Cisco Torch IOS HTTP Scan || url,doc.emergingthreats.net/2008415 || url,www.securiteam.com/tools/5EP0F1FEUA.html || url,www.hackingexposedcisco.com/?link=tools 5001794 || [WEB-ATTACKS] Core-Project Scanning Bot UA Detected 5001795 || [WEB-ATTACKS] crimscanner User-Agent detected || url,doc.emergingthreats.net/2010954 5001796 || [WEB-ATTACKS] DavTest WebDav Vulnerability Scanner Default User Agent Detected || url,doc.emergingthreats.net/2011089 || url,code.google.com/p/davtest/ || url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/ 5001797 || [WEB-ATTACKS] DirBuster Web App Scan in Progress || url,doc.emergingthreats.net/2008186 || url,owasp.org 5001798 || [WEB-ATTACKS] Possible Fast-Track Tool Spidering User-Agent Detected || url,doc.emergingthreats.net/2011721 || url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes 5001799 || [WEB-ATTACKS] Suspicious User-Agent - get-minimal - Possible Vuln Scan || url,doc.emergingthreats.net/2003634 5001800 || [WEB-ATTACKS] Grabber.py Web Scan Detected || url,doc.emergingthreats.net/2009483 || url,rgaucher.info/beta/grabber/ 5001801 || [WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected [0/5] || url,doc.emergingthreats.net/2009480 || url,www.grendel-scan.com 5001802 || [WEB-ATTACKS] Hmap Webserver Fingerprint Scan || url,doc.emergingthreats.net/2008537 || url,www.ujeni.murkyroc.com/hmap/ 5001803 || [WEB-ATTACKS] Mini MySqlatOr SQL Injection Scanner || url,doc.emergingthreats.net/2008729 || 
url,www.scrt.ch/pages_en/minimysqlator.html 5001804 || [WEB-ATTACKS] Default Mysqloit User Agent Detected - Mysql Injection Takeover Tool || url,doc.emergingthreats.net/2009882 || url,code.google.com/p/mysqloit/ 5001805 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap NSE) || url,doc.emergingthreats.net/2009359 5001806 || [WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) || url,doc.emergingthreats.net/2009358 5001807 || [WEB-ATTACKS] Nessus User Agent || url,doc.emergingthreats.net/2002664 || url,www.nessus.org 5001808 || [WEB-ATTACKS] Netsparker Default User-Agent || url,www.mavitunasecurity.com/communityedition/ 5001809 || [WEB-ATTACKS] Nikto Web App Scan in Progress || url,doc.emergingthreats.net/2002677 || url,www.cirt.net/code/nikto.shtml 5001810 || [WEB-ATTACKS] Paros Proxy Scanner Detected || url,doc.emergingthreats.net/2008187 || url,www.parosproxy.org 5001811 || [WEB-ATTACKS] SQL Injection Attempt (Agent uil2pn) || url,doc.emergingthreats.net/2010215 || url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html 5001812 || [WEB-ATTACKS] SQL Power Injector SQL Injection User Agent Detected || url,doc.emergingthreats.net/2009769 || url,en.wikipedia.org/wiki/Sql_injection || url,www.sqlpowerinjector.com/index.htm 5001813 || [WEB-ATTACKS] Sqlmap SQL Injection Scan || url,doc.emergingthreats.net/2008538 || url,sqlmap.sourceforge.net 5001814 || [WEB-ATTACKS] Skipfish Web Application Scan Detected || url,doc.emergingthreats.net/2010953 || url,code.google.com/p/skipfish/ || url,isc.sans.org/diary.html?storyid=8467 5001815 || [WEB-ATTACKS] Skipfish Web Application Scan Detected (2) || url,doc.emergingthreats.net/2010956 || url,code.google.com/p/skipfish/ || url,isc.sans.org/diary.html?storyid=8467 5001816 || [WEB-ATTACKS] Springenwerk XSS Scanner User-Agent Detected || url,doc.emergingthreats.net/2010508 || url,springenwerk.org/ 5001817 || [WEB-ATTACKS] Suspicious User-Agent inbound (bot) || 
url,doc.emergingthreats.net/bin/view/Main/2008228 5001818 || [WEB-ATTACKS] Toata Scanner User-Agent Detected || url,doc.emergingthreats.net/2009159 || url,isc.sans.org/diary.html?storyid=5599 5001819 || [WEB-ATTACKS] Tomcat Web Application Manager scanning || url,doc.emergingthreats.net/2010019 5001820 || [WEB-ATTACKS] Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner || url,doc.emergingthreats.net/2010087 || url,www.owasp.org/index.php/SQL_Injection 5001821 || [WEB-ATTACKS] Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner || url,doc.emergingthreats.net/2010088 5001822 || [WEB-ATTACKS] Suspicious User-Agent Containing Security Scan/ner, Likely Scan || url,doc.emergingthreats.net/2010089 5001823 || [WEB-ATTACKS] w3af User Agent || url,doc.emergingthreats.net/2007757 || url,w3af.sourceforge.net 5001824 || [WEB-ATTACKS] WSFuzzer Web Application Fuzzing || url,doc.emergingthreats.net/2008628 || url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project 5001825 || [WEB-ATTACKS] Wapiti Web Server Vulnerability Scan || url,doc.emergingthreats.net/2008417 || url,wapiti.sourceforge.net/ 5001826 || [WEB-ATTACKS] WebHack Control Center User-Agent Inbound (WHCC/) || url,doc.emergingthreats.net/2003924 || url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start= 5001827 || [WEB-ATTACKS] Open-Proxy ScannerBot (webcollage-UA) || url,doc.emergingthreats.net/2010768 || url,www.botsvsbrowsers.com/details/214715/index.html || url, stateofsecurity.com/?p=526 5001828 || [WEB-ATTACKS] WebShag Web Application Scan Detected || url,doc.emergingthreats.net/2009158 || url,www.scrt.ch/pages_en/outils.html 5001829 || [WEB-ATTACKS] WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected || url,doc.emergingthreats.net/2010960 || url,www.morningstarsecurity.com/research/whatweb 5001830 || [WEB-ATTACKS] WITOOL SQL Injection Scan || url,doc.emergingthreats.net/2009833 || url,witool.sourceforge.net/ 
5001831 || [WEB-ATTACKS] ZmEu exploit scanner || url,doc.emergingthreats.net/2010715 5001832 || [WEB-ATTACKS] Possible jBroFuzz Fuzzer Detected || url,doc.emergingthreats.net/2009476 || url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz 5001833 || [WEB-ATTACKS] Hydra User-Agent || url,freeworld.thc.org/thc-hydra 5001834 || [WEB-ATTACKS] Inspathx Path Disclosure Scanner User-Agent Detected || url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/ || url,code.google.com/p/inspathx/ 5001835 || [WEB-ATTACKS] Medusa User-Agent || url,www.foofus.net/~jmk/medusa/medusa.html 5001836 || [WEB-ATTACKS] DotDotPwn User-Agent || url,dotdotpwn.sectester.net 5001838 || [WEB-ATTACKS] Havij SQL Injection Tool User-Agent Inbound || url,itsecteam.com/en/projects/project1.htm 5001839 || [WEB-ATTACKS] OpenVAS User-Agent Inbound || url,openvas.org 5001840 || [WEB-ATTACKS] ZmEu Scanner User-Agent Inbound 5001841 || [WEB-ATTACKS] Internal Dummy Connection User-Agent Inbound 5001842 || [WEB-ATTACKS] DominoHunter Security Scan in Progress || url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html 5001843 || [WEB-ATTACKS] Vega Web Application Scan || url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/ || url,www.subgraph.com/products.html 5001844 || [WEB-ATTACKS] FHScan core User-Agent Detect || url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html 5001845 || [WEB-ATTACKS] w3af User-Agent 2 5001846 || [HONEYD] Connection made to honeypot || url,wiki.quadrantsec.com/bin/view/Main/5001846 5001847 || [HONEYD] Attempt to login to honeypot Telnet server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001847 5001848 || [HONEYD] Attempt to login to honeypot Telnet server as admin user [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001848 5001849 || [HONEYD] Attempt to login to honeypot FTP server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001849 5001850 || 
[HONEYD] Connection to honeypot IIS server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001850 5001851 || [HONEYD] Connection to honeypot Apache server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001851 5001852 || [HONEYD] Connection to honeypot SMTP server [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5001852 5001853 || [NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16464 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001853 5001854 || [NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16465 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001854 5001855 || [NFCAPD] Netflow - ZeroAccess UDP port 16470 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001855 5001856 || [NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16471 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001856 5001857 || [NFCAPD-MALWARE] Netflow - Old ZeroAccess TCP port 13620 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001857 5001858 || [CISCO-MALWARE] ZeroAccess UDP port 16464 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001858 5001859 || [CISCO-MALWARE] ZeroAccess UDP port 16465 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001859 5001860 || [CISCO-MALWARE] ZeroAccess UDP port 16470 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001860 5001861 || [CISCO-MALWARE] ZeroAccess UDP port 16471 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001861 5001862 || [CISCO-MALWARE] ZeroAccess TCP port 13620 detected [allowed] [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001862 5001863 || [WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected || url,doc.emergingthreats.net/2009480 || url,www.grendel-scan.com 5001864 || [WEB-ATTACKS] Absinthe SQL Injection Tool HTTP Header Detected || url,doc.emergingthreats.net/2009555 || url,0x90.org/releases/absinthe 5001865 || [WEB-ATTACKS] Nessus User Agent || url,doc.emergingthreats.net/2002664 || 
url,www.nessus.org 5001866 || [WEB-ATTACKS] Nikto Web App Scan in Progress || url,doc.emergingthreats.net/2002677 || url,www.cirt.net/code/nikto.shtml 5001867 || [FORTINET-MALWARE] Older ZeroAccess TCP port 13620 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001867 5001868 || [CISCO-GEOIP] VPN Login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001868 5001869 || [CISCO-GEOIP] Console login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001869 5001870 || [PROFTPD-GEOIP] Authentication success from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001870 5001871 || [CISCO-IOS] Command logged || url,wiki.quadrantsec.com/bin/view/Main/5001871 5001872 || [CISCO-IOS] Enable command executed || url,wiki.quadrantsec.com/bin/view/Main/5001872 5001873 || [WINDOWS-GEOIP] Windows Logon outside of HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001873 5001874 || [OPENSSH-GEOIP] Authentication success via password from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001874 5001875 || [OPENSSH-GEOIP] Authentication success via publickey from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001875 5001876 || [OPENSSH-GEOIP] Authentication success via keyboard from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001876 5001877 || [SSH-TECTIA-SERVER] Authentication Failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001877 5001878 || [SSH-TECTIA-SERVER-GEOIP] Authentication success from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001878 5001879 || [CISCO-GEOIP] Login permitted from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001879 5001880 || [WINDOWS-AUTH] User account created [FLOWBIT SET] || url,wiki.quadrantsec.com/bin/view/Main/5001880 5001881 || [WINDOWS-AUTH] User account re-enabled || url,wiki.quadrantsec.com/bin/view/Main/5001881 5001882 || [PROXY-MALWARE] Zeus bin Request 1 || 
url,labs.snort.org/papers/zeus.html 5001883 || [PROXY-MALWARE] Zeus bin Request 2 || url,labs.snort.org/papers/zeus.html 5001884 || [PROXY-MALWARE] Zeus bin Request 3 || url,labs.snort.org/papers/zeus.html 5001885 || [PROXY-MALWARE] Zeus bin Request 4 || url,labs.snort.org/papers/zeus.html 5001886 || [PROXY-MALWARE] Zeus bin Request 5 || url,labs.snort.org/papers/zeus.html 5001887 || [PROXY-MALWARE] Zeus bin Request 6 || url,labs.snort.org/papers/zeus.html 5001888 || [PROXY-MALWARE] Zeus bin Request 7 || url,labs.snort.org/papers/zeus.html 5001889 || [PROXY-MALWARE] Zeus bin Request 8 || url,labs.snort.org/papers/zeus.html 5001890 || [PROXY-MALWARE] Zeus bin Request 9 || url,labs.snort.org/papers/zeus.html 5001891 || [PROXY-MALWARE] Zeus bin Request 10 || url,labs.snort.org/papers/zeus.html 5001892 || [PROXY-MALWARE] Zeus bin Request 11 || url,labs.snort.org/papers/zeus.html 5001893 || [PROXY-MALWARE] Zeus bin Request 12 || url,labs.snort.org/papers/zeus.html 5001894 || [PROXY-MALWARE] Zeus bin Request 13 || url,labs.snort.org/papers/zeus.html 5001895 || [PROXY-MALWARE] Zeus bin Request 14 || url,labs.snort.org/papers/zeus.html 5001896 || [PROXY-MALWARE] Zeus bin Request 15 || url,labs.snort.org/papers/zeus.html 5001897 || [PROXY-MALWARE] Zeus bin Request 16 || url,labs.snort.org/papers/zeus.html 5001898 || [PROXY-MALWARE] Zeus bin Request 17 || url,labs.snort.org/papers/zeus.html 5001899 || [PROXY-MALWARE] Zeus bin Request 18 || url,labs.snort.org/papers/zeus.html 5001900 || [PROXY-MALWARE] Zeus bin Request 19 || url,labs.snort.org/papers/zeus.html 5001901 || [PROXY-MALWARE] Zeus bin Request 20 || url,labs.snort.org/papers/zeus.html 5001902 || [PROXY-MALWARE] Zeus bin Request 21 || url,labs.snort.org/papers/zeus.html 5001903 || [PROXY-MALWARE] Zeus bin Request 22 || url,labs.snort.org/papers/zeus.html 5001904 || [PROXY-MALWARE] Zeus bin Request 23 || url,labs.snort.org/papers/zeus.html 5001905 || [PROXY-MALWARE] Zeus bin Request 24 || 
url,labs.snort.org/papers/zeus.html 5001906 || [PROXY-MALWARE] Zeus bin Request 25 || url,labs.snort.org/papers/zeus.html 5001907 || [PROXY-MALWARE] Zeus bin Request 26 || url,labs.snort.org/papers/zeus.html 5001908 || [PROXY-MALWARE] Zeus bin Request 27 || url,labs.snort.org/papers/zeus.html 5001909 || [PROXY-MALWARE] Zeus bin Request 28 || url,labs.snort.org/papers/zeus.html 5001910 || [PROXY-MALWARE] Zeus bin Request 29 || url,labs.snort.org/papers/zeus.html 5001911 || [PROXY-MALWARE] Zeus bin Request 30 || url,labs.snort.org/papers/zeus.html 5001912 || [PROXY-MALWARE] Zeus bin Request 31 || url,labs.snort.org/papers/zeus.html 5001913 || [PROXY-MALWARE] Zeus bin Request 32 || url,labs.snort.org/papers/zeus.html 5001914 || [PROXY-MALWARE] Zeus bin Request 33 || url,labs.snort.org/papers/zeus.html 5001915 || [PROXY-MALWARE] Zeus bin Request 34 || url,labs.snort.org/papers/zeus.html 5001916 || [PROXY-MALWARE] Zeus bin Request 35 || url,labs.snort.org/papers/zeus.html 5001917 || [PROXY-MALWARE] Zeus bin Request 36 || url,labs.snort.org/papers/zeus.html 5001918 || [PROXY-MALWARE] Zeus php Request 1 || url,labs.snort.org/papers/zeus.html 5001919 || [PROXY-MALWARE] Zeus php Request 2 || url,labs.snort.org/papers/zeus.html 5001920 || [PROXY-MALWARE] Zeus php Request 3 || url,labs.snort.org/papers/zeus.html 5001921 || [PROXY-MALWARE] Zeus php Request 4 || url,labs.snort.org/papers/zeus.html 5001922 || [PROXY-MALWARE] Zeus php Request 5 || url,labs.snort.org/papers/zeus.html 5001923 || [PROXY-MALWARE] Zeus php Request 6 || url,labs.snort.org/papers/zeus.html 5001924 || [PROXY-MALWARE] Zeus php Request 7 || url,labs.snort.org/papers/zeus.html 5001925 || [PROXY-MALWARE] Zeus php Request 8 || url,labs.snort.org/papers/zeus.html 5001926 || [PROXY-MALWARE] Zeus php Request 9 || url,labs.snort.org/papers/zeus.html 5001927 || [PROXY-MALWARE] Zeus php Request 10 || url,labs.snort.org/papers/zeus.html 5001928 || [PROXY-MALWARE] Zeus php Request 11 || 
url,labs.snort.org/papers/zeus.html 5001929 || [PROXY-MALWARE] Zeus php Request 12 || url,labs.snort.org/papers/zeus.html 5001930 || [PROXY-MALWARE] Zeus php Request 13 || url,labs.snort.org/papers/zeus.html 5001931 || [PROXY-MALWARE] Zeus php Request 14 || url,labs.snort.org/papers/zeus.html 5001932 || [PROXY-MALWARE] Zeus php Request 15 || url,labs.snort.org/papers/zeus.html 5001933 || [PROXY-MALWARE] Zeus php Request 16 || url,labs.snort.org/papers/zeus.html 5001934 || [PROXY-MALWARE] Zeus php Request 17 || url,labs.snort.org/papers/zeus.html 5001935 || [PROXY-MALWARE] Zeus php Request 18 || url,labs.snort.org/papers/zeus.html 5001936 || [PROXY-MALWARE] Zeus php Request 19 || url,labs.snort.org/papers/zeus.html 5001937 || [PROXY-MALWARE] Zeus php Request 20 || url,labs.snort.org/papers/zeus.html 5001938 || [PROXY-MALWARE] Zeus php Request 21 || url,labs.snort.org/papers/zeus.html 5001939 || [PROXY-MALWARE] Zeus php Request 22 || url,labs.snort.org/papers/zeus.html 5001940 || [PROXY-MALWARE] Zeus php Request 23 || url,labs.snort.org/papers/zeus.html 5001941 || [PROXY-MALWARE] Zeus php Request 24 || url,labs.snort.org/papers/zeus.html 5001942 || [PROXY-MALWARE] Zeus php Request 25 || url,labs.snort.org/papers/zeus.html 5001943 || [LINUX-KERNEL] ReiserFS error || url,wiki.quadrantsec.com/bin/view/Main/5001943 5001944 || [LINUX-KERNEL] Unhandled error code || url,wiki.quadrantsec.com/bin/view/Main/5001944 5001945 || [LINUX-KERNEL] I/O error || url,wiki.quadrantsec.com/bin/view/Main/5001945 5001946 || [LINUX-KERNEL] hostbyte=DID_ERROR || url,wiki.quadrantsec.com/bin/view/Main/5001946 5001947 || [FORTINET-GEOIP] Login accepted from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001947 5001948 || [FORTINET-GEOIP] Administrator Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001948 5001949 || [FORTINET-GEOIP] Admin authentication success outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001949 5001950 || 
[CISCO-GEOIP] VPN login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001950 5001951 || [WINDOWS-MALWARE] Black POS Malware Detected [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001951 5001952 || [CISCO-IOS] Login Success || url,wiki.quadrantsec.com/bin/view/Main/5001952 5001954 || [OPENSSH] SYSLOG Authentication failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001954 5001955 || [FATPIPE] Login Success || url,wiki.quadrantsec.com/bin/view/Main/5001955 5001956 || [FATPIPE] Login Success - ADMINISTRATOR || url,wiki.quadrantsec.com/bin/view/Main/5001956 5001957 || [FATPIPE] Login Failed || url,wiki.quadrantsec.com/bin/view/Main/5001957 5001958 || [FATPIPE] Login Failed - Brute Force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001958 5001959 || [FATPIPE-GEOIP] Login Success from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001959 5001960 || [FATPIPE-GEOIP] Login Success - ADMINISTRATOR - from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001960 5001961 || [SYSLOG] Redhat Linux not updating || url,wiki.quadrantsec.com/bin/view/Main/5001961 5001962 || [CISCO-GEOIP] VPN disconnect from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001962 5001963 || [CISCO-PIXASA] WebVPN console/admin failed || url, wiki.quadrantsec.com/bin/view/Main/5001963 5001964 || [CISCO-GEOIP] VPN login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001964 5001965 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16464 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001965 5001966 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16465 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001966 5001967 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16470 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001967 5001968 || [CISCO-MALWARE] ACE ZeroAccess UDP port 16471 detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001968 5001969 || [CISCO-MALWARE] ACE 
ZeroAccess pre-2012 TCP port 13620 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001969 5001970 || [FORTINET] SSH traffic detected || url,wiki.quadrantsec.com/bin/view/Main/5001970 5001971 || [FORTINET-GEOIP] SSH traffic detected from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5001971 5001972 || [SYSLOG] SCSI task abort || url,wiki.quadrantsec.com/bin/view/Main/5001972 5001973 || [SYSLOG] Remounting filesystem read-only || url,wiki.quadrantsec.com/bin/view/Main/5001973 5001974 || [OPENSSH] Fail2Ban SSH Suspicious Activity || url,wiki.quadrantsec.com/bin/view/Main/5001974 5001975 || [CISCO-ACS] Failed Login Attempt [CisACS] || url,wiki.quadrantsec.com/bin/view/Main/5001975 5001976 || [CISCO-ACS] Failed Login Attempt - Brute force [CisACS] [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5001976 5001977 || [CISCO-GEOIP] ACS Login success from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001977 5001978 || [WINDOWS-AUTH] Account locked out (ADMINISTRATOR) || url,wiki.quadrantsec.com/bin/view/Main/5001978 5001979 || [FILE-GEOIP] Executable Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001979 5001980 || [FILE-GEOIP] Java Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001980 5001981 || [FILE-GEOIP] Jar/Zip Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001981 5001982 || [FILE-GEOIP] PDF Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001982 5001983 || [FILE-GEOIP] Flash Downloaded from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5001983 5001984 || [NFCAPD] Possible IRC detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001984 5001985 || [NFCAPD] Possible IRC detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001985 5001986 || [NFCAPD] Possible IRC - Port 6660 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001986 5001987 || [NFCAPD] Possible IRC - Port 6661 
[5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001987 5001988 || [NFCAPD] Possible IRC - Port 6662 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001988 5001989 || [NFCAPD] Possible IRC - Port 6663 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001989 5001990 || [NFCAPD] Possible IRC - Port 6664 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001990 5001991 || [NFCAPD] Possible IRC - Port 6665 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001991 5001992 || [NFCAPD] Possible IRC - Port 6666 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001992 5001993 || [NFCAPD] Possible IRC - Port 6668 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001993 5001994 || [NFCAPD] Possible IRC - Port 6669 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001994 5001995 || [NFCAPD] Possible IRC - Port 7000 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001995 5001996 || [NFCAPD] PUSH/ACK Traffic Detected [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001996 5001997 || [NFCAPD] PUSH/ACK Traffic Detected - Port 2222 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001997 5001998 || [NFCAPD] Telnet Traffic Detected via PUSH/ACK [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5001998 5001999 || [WINDOWS-MALWARE] Suspicious misspelled process || url,wiki.quadrantsec.com/bin/view/Main/5001999 5002000 || [WINDOWS-MALWARE] Lower case drive letter used in process || url,wiki.quadrantsec.com/bin/view/Main/5002000 5002001 || [WINDOWS-MALWARE] Incorrect path called for svchost.exe || url,wiki.quadrantsec.com/bin/view/Main/5002001 5002002 || [WINDOWS-MALWARE] Incorrect path called for explorer.exe || url,wiki.quadrantsec.com/bin/view/Main/5002002 5002003 || [WINDOWS-MALWARE] Suspicious application crash || url,wiki.quadrantsec.com/bin/view/Main/5002003 5002006 || [WINDOWS-MALWARE] Suspicious Tool Event || url,wiki.quadrantsec.com/bin/view/Main/5002006 5002007 || [WINDOWS-MALWARE] Virus Found! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002007 5002011 || [WINDOWS-MALWARE] System protection disabled || url,wiki.quadrantsec.com/bin/view/Main/5002011 5002014 || [WINDOWS-MISC] System shutdown [FLOWBIT SET] || url,wiki.quadrantsec.com/bin/view/Main/5002014 5002015 || [WINDOWS-AUTH] RDP / Logon type 10 || url,wiki.quadrantsec.com/bin/view/Main/5002015 5002016 || [WINDOWS-GEOIP] RDP / Logon type 10 from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002016 5002017 || [WINDOWS-AUTH] Pass-The-Hash detected! || url, http://en.wikipedia.org/wiki/Pass_the_hash || url,wiki.quadrantsec.com/bin/view/Main/5002017 5002018 || [WINDOWS-AUTH] Logon attempt using explicit credentials || url,wiki.quadrantsec.com/bin/view/Main/5002018 5002020 || [WINDOWS-GEOIP] Logon attempt using explicit credentials from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002020 5002022 || [JUNIPER] VPN Login failed || url,wiki.quadrantsec.com/bin/view/Main/5002022 5002023 || [JUNIPER] VPN Login failed - Brute Force [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5002023 5002024 || [JUNIPER] Possible VPN Login bypass attempt || url,wiki.quadrantsec.com/bin/view/Main/5002024 5002025 || [JUNIPER] VPN Unable to download virus signatures || url,wiki.quadrantsec.com/bin/view/Main/5002025 5002026 || [JUNIPER] VPN - Possible scan/probe || url,wiki.quadrantsec.com/bin/view/Main/5002026 5002027 || [JUNIPER] VPN - Policy violation || url,wiki.quadrantsec.com/bin/view/Main/5002027 5002028 || [JUNIPER-GEOIP] VPN Login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002028 5002029 || [JUNIPER-GEOIP] VPN Logout from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002029 5002030 || [RIVERBED] Administrator Login || url,wiki.quadrantsec.com/bin/view/Main/5002030 5002031 || [RIVERBED] Administrator Login Failure || url,wiki.quadrantsec.com/bin/view/Main/5002031 5002032 || [RIVERBED-GEOIP] Administrator Login outside of HOME_COUNTRY || 
url,wiki.quadrantsec.com/bin/view/Main/5002032 5002033 || [RIVERBED] Administrator Login Failure - Brute Force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002033 5002034 || [CISCO-AETAS] VPN Login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002034 5002035 || [CISCO-AETAS] Console login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002035 5002036 || [CISCO-AETAS] Login permitted at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002036 5002037 || [CISCO-AETAS] WebVPN login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002037 5002038 || [CISCO-AETAS] VPN disconnect at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002038 5002039 || [CISCO-AETAS] VPN login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002039 5002040 || [CISCO-AETAS] ACS Login success at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002040 5002041 || [FATPIPE-AETAS] Login Success at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002041 5002042 || [FATPIPE-AETAS] Login Success - ADMINISTRATOR - at supicious time || url,wiki.quadrantsec.com/bin/view/Main/5002042 5002043 || [FORTINET-AETAS] Login accepted at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002043 5002044 || [FORTINET-AETAS] Administrator Login at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002044 5002045 || [FORTINET-AETAS] Admin authentication access at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002045 5002046 || [FORTINET-AETAS] SSH traffic detected at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002046 5002047 || [JUNIPER-AETAS] VPN Login at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002047 5002048 || [JUNIPER-AETAS] VPN Logout at suspicious time || url, wiki.quadrantsec.com/bin/view/Main/5002048 5002049 || [OPENSSH-AETAS] Authentication success via password at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002049 5002050 || 
[OPENSSH-AETAS] Authentication success via publickey at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002050 5002051 || [OPENSSH-AETAS] Authentication success via keyboard at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002051 5002052 || [PROFTPD-AETAS] Authentication success at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002052 5002053 || [RIVERBED-AETAS] Administrator Login at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002053 5002054 || [SSH-TECTIA-SERVER-AETAS] Authentication success at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002054 5002055 || [WINDOWS-GEOIP] Windows Logon at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002055 5002056 || [WINDOWS-GEOIP] RDP / Logon type 10 at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002056 5002057 || [WINDOWS-GEOIP] Logon attempt using explicit credentials at suspicious time || url,wiki.quadrantsec.com/bin/view/Main/5002057 5002058 || [CISCO-GEOIP] VPN login from outside HOME_COUNTRY [2] || url, wiki.quadrantsec.com/bin/view/Main/5002058 5002059 || [CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002059 5002060 || [CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002060 5002061 || [PROXY-MALWARE] Tor2www Request || url,www.tor2www.com 5002062 || [PROXY-MALWARE] Tor2web Request || url,www.tor2web.org 5002063 || [BRO] SSH Password_Guessing [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002063 5002064 || [BRO] TeamCymruMalwareHashRegistry Match || url,www.team-cymru.org/Services/MHR/ 5002065 || [BRO] HTTP SQL_Injection_Attacker || url,wiki.quadrantsec.com/bin/view/Main/5002065 5002066 || [BRO] HTTP SQL_Injection_Victim || url,wiki.quadrantsec.com/bin/view/Main/5002066 5002067 || [BRO] SSH Login_By_Password_Guesser || url,wiki.quadrantsec.com/bin/view/Main/5002067 5002068 || [BRO] SSH Watched_Country_Login || 
url,wiki.quadrantsec.com/bin/view/Main/5002068 5002069 || [BRO] 10+ SSL Invalid_Server_Cert in 30 seconds [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5002069 5002070 || [BRO] 10+ unable to get local issuer certificate in 30 seconds [10/5] || url,wiki.quadrantsec.com/bin/view/Main/5002070 5002071 || [BRO] ZeroAccess ZeroAccess_Client [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002070 5002072 || [BRO] Probable LURK0 RAT C&C Access || url,wiki.quadrantsec.com/bin/view/Main/5002072 5002073 || [BRO] Sidejacking attach detected || url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro || url,wiki.quadrantsec.com/bin/view/Main/5002073 5002074 || [BRO] Bitcoin Miner [0/10] || url,wiki.quadrantsec.com/bin/view/Main/5002074 5002075 || [IMAPD-GEOIP] Login from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002075 5002076 || [IMAPD-GEOIP] Logout from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002076 5002077 || [IMAPD-GEOIP] Timeout from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002077 5002078 || [IMAPD-GEOIP] Disconnect from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002078 5002079 || [IMAPD-GEOIP] Connection from outside HOME_COUNTRY || url, wiki.quadrantsec.com/bin/view/Main/5002079 5002080 || [ARTILLERY] General Artillery Message || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002080 5002081 || [ARTILLERY] FTP brute force violation || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002081 5002082 || [ARTILLERY] Issue identified - Permissions not set as root || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002082 5002083 || [ARTILLERY] Issue identified - vsftp.conf Anonymous FTP allowed || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002083 5002084 || [ARTILLERY] Issue identified - SSH 
running on default TCP port 22 || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002084 5002085 || [ARTILLERY] Issue identified - sshd_config allows RootLogin || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002085 5002086 || [ARTILLERY] Honeyport blocked/blacklisted address || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002086 5002087 || [ARTILLERY] Honeyport attack detected || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002087 5002088 || [ARTILLERY] File changes have occured || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002088 5002089 || [ARTILLERY] SSH brute force violation || url,www.trustedsec.com/downloads/artillery || url,wiki.quadrantsec.com/bin/view/Main/5002089 5002090 || [WINDOWS-APPLOCKER] Allowed program to execute || url,wiki.quadrantsec.com/bin/view/Main/5002090 5002091 || [WINDOWS-APPLOCKER] Application blocked || url,wiki.quadrantsec.com/bin/view/Main/5002091 5002092 || [WINDOWS-APPLOCKER] Allowed an MSI or script to execute || url,wiki.quadrantsec.com/bin/view/Main/5002092 5002093 || [WINDOWS-APPLOCKER] Allowed MSI/Script, but would have blocked || url,wiki.quadrantsec.com/bin/view/Main/5002093 5002094 || [WINDOWS-APPLOCKER] Prevent MSI/Script to execute || url,wiki.quadrantsec.com/bin/view/Main/5002094 5002095 || [WINDOWS-APPLOCKER] Package application allowed || url,wiki.quadrantsec.com/bin/view/Main/5002095 5002096 || [WINDOWS-APPLOCKER] Package application audited || url,wiki.quadrantsec.com/bin/view/Main/5002096 5002097 || [WINDOWS-APPLOCKER] Package application disabled || url,wiki.quadrantsec.com/bin/view/Main/5002097 5002098 || [WINDOWS-APPLOCKER] Package application installation allowed || url,wiki.quadrantsec.com/bin/view/Main/5002098 5002099 || [WINDOWS-APPLOCKER] Package application installation audited || 
url,wiki.quadrantsec.com/bin/view/Main/5002099 5002100 || [WINDOWS-APPLOCKER] Package application installation disabled || url,wiki.quadrantsec.com/bin/view/Main/5002100 5002101 || [WINDOWS-EMET] Detected Caller mitigation/will close application || url,wiki.quadrantsec.com/bin/view/Main/5002101 5002102 || [WINDOWS-EMET] EMET process stopped, but not due to reboot || url,wiki.quadrantsec.com/bin/view/Main/5002102 5002103 || [WINDOWS-MALWARE] RASWMI Malware process detected || url,wiki.quadrantsec.com/bin/view/Main/5002103 5002104 || [CISCO-WLC] Bcast Deauth || url,wiki.quadrantsec.com/bin/view/Main/5002104 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002105 || [CISCO-WLC] Null probe resp 1 || url,wiki.quadrantsec.com/bin/view/Main/5002105 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002106 || [CISCO-WLC] Null probe resp 2 || url,wiki.quadrantsec.com/bin/view/Main/5002106 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002107 || [CISCO-WLC] Assoc Flood || url,wiki.quadrantsec.com/bin/view/Main/5002107 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002108 || [CISCO-WLC] Reassoc Flood || url,wiki.quadrantsec.com/bin/view/Main/5002108 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002109 || [CISCO-WLC] Broadcast Probe flood || url,wiki.quadrantsec.com/bin/view/Main/5002109 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002110 || [CISCO-WLC] Disassoc flood || url,wiki.quadrantsec.com/bin/view/Main/5002110 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002111 || [CISCO-WLC] Deauth flood || url,wiki.quadrantsec.com/bin/view/Main/5002111 || 
url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002112 || [CISCO-WLC] Res mgmt 6 & 7 || url,wiki.quadrantsec.com/bin/view/Main/5002112 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002113 || [CISCO-WLC] Res mgmt D || url,wiki.quadrantsec.com/bin/view/Main/5002113 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002114 || [CISCO-WLC] Res mgmt E & F || url,wiki.quadrantsec.com/bin/view/Main/5002114 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002115 || [CISCO-WLC] EAPOL flood || url,wiki.quadrantsec.com/bin/view/Main/5002115 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002116 || [CISCO-WLC] NetStumbler 3.2.0 detected || url,wiki.quadrantsec.com/bin/view/Main/5002116 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002117 || [CISCO-WLC] NetStumbler 3.2.3 detected || url,wiki.quadrantsec.com/bin/view/Main/5002117 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002118 || [CISCO-WLC] NetStumbler 3.3.0 detected || url,wiki.quadrantsec.com/bin/view/Main/5002118 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002119 || [CISCO-WLC] NetStumbler generic detected || url,wiki.quadrantsec.com/bin/view/Main/5002119 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002120 || [CISCO-WLC] Wellenreiter detected || url,wiki.quadrantsec.com/bin/view/Main/5002120 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002121 || [CISCO-WLC] Big NAV Dos attack || 
url,wiki.quadrantsec.com/bin/view/Main/5002121 || url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html 5002122 || [CISCO-PRIME] BIG NAV DOS Attack || url,wiki.quadrantsec.com/bin/view/Main/5002122 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002123 || [CISCO-PRIME] Rogue AP detect and contained || url,wiki.quadrantsec.com/bin/view/Main/5002123 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002124 || [CISCO-PRIME] Rogue AP detected exceed theshold || url,wiki.quadrantsec.com/bin/view/Main/5002124 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002125 || [CISCO-PRIME] SNMP Authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002125 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002126 || [CISCO-PRIME] Authentication failure by local management user/MAC || url,wiki.quadrantsec.com/bin/view/Main/5002126 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002127 || [CISCO-PRIME] Rogue AP or ADHOC detected || url,wiki.quadrantsec.com/bin/view/Main/5002127 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002128 || [CISCO-PRIME] Rogue AP on the network! || url,wiki.quadrantsec.com/bin/view/Main/5002128 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002129 || [CISCO-PRIME] Rogue AP has been removed || url,wiki.quadrantsec.com/bin/view/Main/5002129 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002130 || [CISCO-PRIME] Internal high temperature detected! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002130 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002131 || [CISCO-PRIME] Internal low temperature detected! || url,wiki.quadrantsec.com/bin/view/Main/5002131 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002132 || [CISCO-PRIME] Station authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002132 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002133 || [CISCO-PRIME] Station association failure || url,wiki.quadrantsec.com/bin/view/Main/5002133 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002134 || [CISCO-PRIME] Station blacklisted || url,wiki.quadrantsec.com/bin/view/Main/5002134 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002135 || [CISCO-PRIME] Duplicate IP address assigned to controller || url,wiki.quadrantsec.com/bin/view/Main/5002135 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002136 || [CISCO-PRIME] Possible brute force from management user! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002136 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002137 || [CISCO-PRIME] Rogue ADHOC contained || url,wiki.quadrantsec.com/bin/view/Main/5002137 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002138 || [CISCO-PRIME] Rogue AP auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002138 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002140 || [CISCO-PRIME] Trusted AP has invalid encryption || url,wiki.quadrantsec.com/bin/view/Main/5002140 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002141 || [CISCO-PRIME] Trusted AP has invalid radio policy || url,wiki.quadrantsec.com/bin/view/Main/5002141 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002142 || [CISCO-PRIME] Trusted AP has invalid SSID || url,wiki.quadrantsec.com/bin/view/Main/5002142 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002143 || [CISCO-PRIME] Trusted AP missing || url,wiki.quadrantsec.com/bin/view/Main/5002143 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002144 || [CISCO-PRIME] AP impersonation detected! || url,wiki.quadrantsec.com/bin/view/Main/5002144 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002145 || [CISCO-PRIME] WIDS / Signature attack detected! || url,wiki.quadrantsec.com/bin/view/Main/5002145 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002146 || [CISCO-PRIME] WIDS / Signature attack detected! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002146 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002147 || [CISCO-PRIME] MESH Console login || url,wiki.quadrantsec.com/bin/view/Main/5002147 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002148 || [CISCO-PRIME] MESH authorization failure || url,wiki.quadrantsec.com/bin/view/Main/5002148 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002149 || [CISCO-PRIME] Shun client alert from IDS/IPS appliance! || url,wiki.quadrantsec.com/bin/view/Main/5002149 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002150 || [CISCO-PRIME] MFP anomaly detected || url,wiki.quadrantsec.com/bin/view/Main/5002150 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002151 || [CISCO-PRIME] MESH authentication failure || url,wiki.quadrantsec.com/bin/view/Main/5002151 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002152 || [CISCO-PRIME] GUEST user created on controller || url,wiki.quadrantsec.com/bin/view/Main/5002152 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002153 || [CISCO-PRIME] GUEST user authenticated || url,wiki.quadrantsec.com/bin/view/Main/5002153 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002154 || [CISCO-PRIME] GUEST user logoff || url,wiki.quadrantsec.com/bin/view/Main/5002154 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002155 || [CISCO-PRIME] SI Security trap raised! 
|| url,wiki.quadrantsec.com/bin/view/Main/5002155 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002156 || [CISCO-PRIME] Cooling fan failure [MSE-3355] || url,wiki.quadrantsec.com/bin/view/Main/5002156 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002157 || [CISCO-PRIME] Friendly rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002157 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002158 || [CISCO-PRIME] Friendly rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002158 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002159 || [CISCO-PRIME] Unclassified rogue AP detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002159 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002160 || [CISCO-PRIME] Unclassified rogue AP detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002160 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002161 || [CISCO-PRIME] Unclassified rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002161 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002162 || [CISCO-PRIME] Unclassified rogue AP detected || url,wiki.quadrantsec.com/bin/view/Main/5002162 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002163 || [CISCO-PRIME] Malicious rogue AP detected on the network || url,wiki.quadrantsec.com/bin/view/Main/5002163 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002164 || [CISCO-PRIME] Malicious rogue AP detected on the network contained || url,wiki.quadrantsec.com/bin/view/Main/5002164 || 
url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002165 || [CISCO-PRIME] Malicious rogue AP detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002165 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002166 || [CISCO-PRIME] Malicious rogue AP || url,wiki.quadrantsec.com/bin/view/Main/5002166 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002167 || [CISCO-PRIME] Rogue ADHOC detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002167 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002168 || [CISCO-PRIME] Rogue ADHOC detected on network contained || url,wiki.quadrantsec.com/bin/view/Main/5002168 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002170 || [CISCO-PRIME] Rogue AP state change || url,wiki.quadrantsec.com/bin/view/Main/5002170 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002171 || [CISCO-PRIME] Rogue detected || url,wiki.quadrantsec.com/bin/view/Main/5002171 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002172 || [CISCO-PRIME] Rogue detected contained || url,wiki.quadrantsec.com/bin/view/Main/5002172 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002173 || [CISCO-PRIME] Rogue detected on network || url,wiki.quadrantsec.com/bin/view/Main/5002173 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002174 || [CISCO-PRIME] Rogue auto contained || url,wiki.quadrantsec.com/bin/view/Main/5002174 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002175 || [CISCO-PRIME] User authentication failure || 
url,wiki.quadrantsec.com/bin/view/Main/5002175 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002176 || [CISCO-PRIME] WIPS Event! || url,wiki.quadrantsec.com/bin/view/Main/5002176 || url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html 5002177 || [OPENSSH-CORRELATED] SSH login success after brute force attack! || url,wiki.quadrantsec.com/bin/view/Main/5002177 5002178 || [OPENSSH-CORRELATED] Accepted publickey after brute force attack! || url,wiki.quadrantsec.com/bin/view/Main/5002178 5002179 || [BASH] Remote execution attempt via CVE-2014-6271 || url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 || url,wiki.quadrantsec.com/bin/view/Main/5002179 5002180 || [APACHE] Remote execution attempt via CVE-2014-6271 || url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 || url,wiki.quadrantsec.com/bin/view/Main/5002180 5002181 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002182 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002183 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002184 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002185 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002186 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002187 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002188 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8 || 
url,blogs.akamai.com/2014/09/environment-bashing.html 5002189 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002190 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002191 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002192 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002193 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002194 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002195 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002196 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002197 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002198 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002199 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002200 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002201 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002202 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002203 || [APACHE] Possible 
CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002204 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002205 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002206 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002207 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002208 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002209 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002210 || [APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF || url,www.invisiblethreat.ca/2014/09/cve-2014-6271/ 5002211 || [APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF || url,www.invisiblethreat.ca/2014/09/cve-2014-6271/ 5002212 || [APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11 || url,blogs.akamai.com/2014/09/environment-bashing.html 5002213 || [WINDOWS-AUTH] User account disabled || url,wiki.quadrantsec.com/bin/view/Main/5002213 5002214 || [PROXY-MALWARE] Fiesta malware request || url,wiki.quadrantsec.com/bin/view/Main/5002214 5002215 || [WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002215 5002216 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002216 5002217 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002217 5002218 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP 
- Account currently disabled [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002218 5002219 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5002219 5002220 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5002220 5002222 || [WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5002222 5002223 || [WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002223 5002224 || [WINDOWS-BROINTEL] RDP / Logon type 10 from a Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002224 5002225 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002225 5002226 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [Time restriction] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002226 5002227 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Account currently disabled [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002227 5002228 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5002228 5002229 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5002229 5002230 || [WINDOWS-BROINTEL] Login failure - Account locked from a Bro Intel listed IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002230 5002231 || [WINDOWS-BROINTEL] Windows DC Logon Failure from a Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002231 5002240 || [CISCO-BLACKLIST] VPN Login from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002240 5002241 || [CISCO-BLACKLIST] Console login from blacklisted IP || url, 
wiki.quadrantsec.com/bin/view/Main/5002241 5002242 || [CISCO-BLACKLIST] Login permitted from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002242 5002243 || [CISCO-BLACKLIST] WebVPN login from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002243 5002244 || [CISCO-BLACKLIST] VPN disconnect from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002244 5002245 || [CISCO-BLACKLIST] VPN login from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002245 5002246 || [CISCO-BLACKLIST] ACS Login success from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002246 5002247 || [CISCO-BLACKLIST] VPN login from blacklisted IP [2] || url, wiki.quadrantsec.com/bin/view/Main/5002247 5002248 || [CISCO-BLACKLIST] FTP file transfer from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002248 5002249 || [CISCO-BLACKLIST] FTP file transfer from blacklisted IP || url, wiki.quadrantsec.com/bin/view/Main/5002249 5002250 || [CISCO-BROINTEL] VPN Login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002250 5002251 || [CISCO-BROINTEL] Console login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002251 5002252 || [CISCO-BROINTEL] Login permitted from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002252 5002253 || [CISCO-BROINTEL] WebVPN login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002253 5002254 || [CISCO-BROINTEL] VPN disconnect from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002254 5002255 || [CISCO-BROINTEL] VPN login from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002255 5002256 || [CISCO-BROINTEL] ACS Login success from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002256 5002257 || [CISCO-BROINTEL] VPN login from Bro Intel IP [2] || url, wiki.quadrantsec.com/bin/view/Main/5002257 5002258 || [CISCO-BROINTEL] FTP file transfer from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002258 5002259 || 
[CISCO-BROINTEL] FTP file transfer from Bro Intel IP || url, wiki.quadrantsec.com/bin/view/Main/5002259 5002260 || [CITRIX-GEOIP] Login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002260 || url,support.citrix.com/article/CTX123875 5002261 || [CITRIX-BLACKLIST] Login from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002261 || url,support.citrix.com/article/CTX123875 5002262 || [CITRIX-BROINTEL] Login from Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002262 || url,support.citrix.com/article/CTX123875 5002264 || [WINDOWS-OWA] Login failure - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002264 5002265 || [WINDOWS-OWA-GEOIP] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002265 5002266 || [WINDOWS-OWA-BROINTEL] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002266 5002267 || [WINDOWS-OWA-BLACKLIST] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002267 5002270 || [BRO-INTEL] Suspicious communications detected via Bro-Intel || url,wiki.quadrantsec.com/bin/view/Main/5002270 5002271 || [BLACKLIST] Suspicious communications detected via Blacklist || url,wiki.quadrantsec.com/bin/view/Main/5002271 5002272 || [WINDOWS] A directory service object was modified 5002273 || [WINDOWS] A directory service object was created 5002274 || [WINDOWS] A directory service object was undeleted 5002275 || [WINDOWS] A directory service object was moved 5002276 || [NeXpose] Scan paused || url,wiki.quadrantsec.com/bin/view/Main/5002276 5002277 || [NeXpose] Scan failed || url,wiki.quadrantsec.com/bin/view/Main/5002277 5002278 || [LINUX-KERNEL] Hard drive/RAID - FAILED abort on device || url,wiki.quadrantsec.com/bin/view/Main/5002278 5002279 || [LINUX-KERNEL] Hard drive/RAID - probably means device no longer present || url,wiki.quadrantsec.com/bin/view/Main/5002279 5002280 || [CITRIX-GEOIP] AAA LOGIN_FAILED from outside 
HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002280 || url,support.citrix.com/article/CTX123875 5002281 || [CITRIX-BLACKLIST] AAA LOGIN_FAILED from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002281 || url,support.citrix.com/article/CTX123875 5002282 || [CITRIX-BROINTEL] AAA LOGIN_FAILED from Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002282 || url,support.citrix.com/article/CTX123875 5002284 || [CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002284 || url,support.citrix.com/article/CTX123875 5002285 || [CITRIX-BLACKLIST] SSLVPN HTTPREQUEST from blacklisted IP || url,wiki.quadrantsec.com/bin/view/Main/5002285 || url,support.citrix.com/article/CTX123875 5002286 || [CITRIX-BROINTEL] SSLVPN HTTPREQUEST from Bro Intel listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002286 || url,support.citrix.com/article/CTX123875 5002288 || [BLUEDOT] Suspicious IP detected via Bluedot || url,wiki.quadrantsec.com/bin/view/Main/5002288 5002289 || [NeXpose] Scan stopped || url,wiki.quadrantsec.com/bin/view/Main/5002289 5002291 || [NFCAPD] Possible BitTorrent - Port 6881 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002291 5002294 || [NFCAPD] Possible BitTorrent - Port 6884 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002294 5002295 || [NFCAPD] Possible BitTorrent - Port 6885 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002295 5002296 || [NFCAPD] Possible BitTorrent - Port 6886 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002296 5002297 || [NFCAPD] Possible BitTorrent - Port 6887 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002297 5002298 || [NFCAPD] Possible BitTorrent - Port 6888 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002298 5002299 || [NFCAPD] Possible BitTorrent - Port 6889 [5/5] || url, wiki.quadrantsec.com/bin/view/Main/5002299 5002300 || [NFCAPD] Possible TOR - Port 9001 || url, torstatus.blutmagie.de || url, 
wiki.quadrantsec.com/bin/view/Main/5002300 5002301 || [NFCAPD] Possible TOR - Port 9030 after Port 9001 || url, torstatus.blutmagie.de || url, wiki.quadrantsec.com/bin/view/Main/5002301 5002302 || [NFCAPD] Possible TOR - Port 443 after Port 9001 || url, torstatus.blutmagie.de || url, wiki.quadrantsec.com/bin/view/Main/5002302 5002303 || [BASH] History hiding 5002304 || [BASH] History hiding 5002306 || [BASH] Netcat execution 5002308 || [BASH] Python subprocess execution 5002309 || [BASH] PHP socket execution 5002310 || [BASH] PHP subprocess execution 5002311 || [BASH] Perl socket execution 5002312 || [BASH] Perl subprocess execution 5002313 || [BASH] Ruby socket execution 5002314 || [BASH] Ruby subprocess execution 5002315 || [BASH] mknod execution [FLOWBIT SET] 5002316 || [BASH] telnet reverse shell execution 5002317 || [BASH] /dev/tcp access 5002318 || [BASH] /dev/udp access 5002319 || [BASH] csh shell execution 5002320 || [BASH] ksh shell execution 5002321 || [BASH] tcsh shell execution 5002322 || [BASH] zsh shell execution 5002323 || [BASH] stunnel execution 5002324 || [BASH] SSH agent forwarding 5002325 || [BASH] SSH dynamic forwarding 5002326 || [BASH] SSH GSSAPI forwarding 5002327 || [BASH] SSH local forwarding 5002328 || [BASH] SSH remote forwarding 5002329 || [BASH] SSH input and output forwarding 5002330 || [BASH] SSH tunnel forwarding 5002331 || [BASH] SSH X11 forwarding 5002332 || [BASH] SSH X11 trusted forwarding 5002333 || [BASH] LD_PRELOAD environment variable access 5002334 || [BASH] LD_LIBRARY_PATH environment variable access 5002335 || [WINDOWS-AUTH] User account deleted || url,wiki.quadrantsec.com/bin/view/Main/5002335 5002336 || [WINDOWS-CORRELATED] Successful RDP login from known brute force || url,wiki.quadrantsec.com/bin/view/Main/5002336 5002337 || [WINDOWS-GEOIP] Windows Network Cleartext from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002337 5002338 || [WINDOWS-GEOIP] Windows Session Disconnected from outside HOME_COUNTRY 
|| url,wiki.quadrantsec.com/bin/view/Main/5002338 5002339 || [WINDOWS-GEOIP] Windows RDP Session Disconnected from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002339 5002340 || [WINDOWS-GEOIP] Explicit Windows Logon || url,wiki.quadrantsec.com/bin/view/Main/5002340 5002341 || [CITRIX-BLUEDOT] Login from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002341 || url,support.citrix.com/article/CTX123875 5002342 || [CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002342 || url,support.citrix.com/article/CTX123875 5002343 || [CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002343 || url,support.citrix.com/article/CTX123875 5002344 || [WINDOWS-BLUEDOT] RDP / Logon type 10 from a Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002344 5002345 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002345 5002346 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP [Time restriction] [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002346 5002347 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account currently disabled [0/5] || url,wiki.quadrantsec.com/bin/view/Main/5002347 5002348 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Specified account expired || url,wiki.quadrantsec.com/bin/view/Main/5002348 5002349 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - User not allowed to login at this computer || url,wiki.quadrantsec.com/bin/view/Main/5002349 5002350 || [WINDOWS-BLUEDOT] Login failure from Bluedot listed IP - Account locked [0/1] || url,wiki.quadrantsec.com/bin/view/Main/5002350 5002351 || [WINDOWS-BLUEDOT] Windows DC Logon Failure from Bluedot listed IP || url,wiki.quadrantsec.com/bin/view/Main/5002351 5002352 || [WINDOWS-OWA-BLUEDOT] Login failure - Brute force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002352 
5002353 || [OPENSSH-CORRELATED] Authentication success via password after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002353 5002354 || [OPENSSH-CORRELATED] Authentication success via public key after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002354 5002355 || [OPENSSH-CORRELATED] Authentication success via keyboard-interactive after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002355 5002356 || [WINDOWS-CORRELATED] RDP login after suspicious traffic || url,wiki.quadrantsec.com/bin/view/Main/5002356 5002357 || [CITRIX-CORRELATED] Login after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002357 || url,support.citrix.com/article/CTX123875 5002358 || [CITRIX-CORRELATED] AAA LOGIN_FAILED after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002358 || url,support.citrix.com/article/CTX123875 5002359 || [CITRIX-CORRELATED] SSLVPN HTTPREQUEST after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002359 || url,support.citrix.com/article/CTX123875 5002360 || [CISCO-CORRELATED] Console login after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002360 5002361 || [CISCO-CORRELATED] Login permitted after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002361 5002362 || [CISCO-CORRELATED] VPN login after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002362 5002363 || [CISCO-CORRELATED] VPN disconnect after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002363 5002364 || [CISCO-CORRELATED] VPN login after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002364 5002365 || [CISCO-CORRELATED] ACS Login success after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002365 5002366 || [CISCO-CORRELATED] VPN login after suspicious activity [2] || url, wiki.quadrantsec.com/bin/view/Main/5002366 5002367 || [CISCO-CORRELATED] FTP file transfer after suspicious activity || url, 
wiki.quadrantsec.com/bin/view/Main/5002367 5002368 || [CISCO-CORRELATED] FTP file transfer after suspicious activity [2] || url, wiki.quadrantsec.com/bin/view/Main/5002368 5002369 || [FATPIPE-CORRELATED] Login Success after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002369 5002370 || [FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002370 5002371 || [FORTINET-CORRELATED] Login accepted after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002371 5002372 || [FORTINET-CORRELATED] Administrator Login after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002372 5002373 || [FORTINET-CORRELATED] Admin authentication success after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002373 5002374 || [FORTINET-CORRELATED] SSH traffic detected after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002374 5002375 || [IMAPD-CORRELATED] Login after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002375 5002376 || [IMAPD-CORRELATED] Logout after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002376 5002377 || [IMAPD-CORRELATED] Timeout after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002377 5002378 || [IMAPD-CORRELATED] Disconnect after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002378 5002379 || [IMAPD-CORRELATED] Connection after suspicious activity || url, wiki.quadrantsec.com/bin/view/Main/5002379 5002380 || [SSH-TECTIA-SERVER-CORRELATED] Authentication success after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002380 5002381 || [VMWARE-GEOIP] User login successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002381 5002382 || [VMWARE-GEOIP] User login successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002382 5002383 || [VMWARE-GEOIP] User login successful || 
url,wiki.quadrantsec.com/bin/view/Main/5002383 5002384 || [VMWARE-CORRELATED] User login successful after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002384 5002385 || [VMWARE-CORRELATED] User login successful after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002385 5002386 || [VMWARE-CORRELATED] User login successful after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002386 5002387 || [VSFTPD-GEOIP] Authentication successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002387 5002388 || [VSFTPD-GEOIP] File uploaded from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002388 5002389 || [VSFTPD-CORRELATED] Authentication successful from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002389 5002390 || [VSFTPD-CORRELATED] File uploaded from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002390 5002391 || [WINDOWS-OWA-CORRELATED] Login failure after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002391 5002392 || [WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures || url,wiki.quadrantsec.com/bin/view/Main/5002392 5002393 || [COURIER] Timeout || url,wiki.quadrantsec.com/bin/view/Main/5002393 5002394 || [COURIER-GEOIP] Authentication failure from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002394 5002395 || [COURIER-GEOIP] Logout/disconnect from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002395 5002396 || [COURIER-GEOIP] User login from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002396 5002397 || [COURIER-GEOIP] Timeout from outside HOME_COUNTRY || url,wiki.quadrantsec.com/bin/view/Main/5002397 5002398 || [COURIER] Authentication failure - Brute Force [5/5] || url,wiki.quadrantsec.com/bin/view/Main/5002398 5002399 || [COURIER-CORRELATED] Logout/disconnect after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002399 
5002400 || [COURIER-CORRELATED] User login after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002400 5002401 || [COURIER-CORRELATED] Timeout after suspicious activity || url,wiki.quadrantsec.com/bin/view/Main/5002401 5002402 || [WINDOWS-MSSQL] Login Failure from non-trusted connection - Brute force [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002402 5002403 || [WINDOWS-AUTH] Security enabled global group created || url,wiki.quadrantsec.com/bin/view/Main/5002403 5002404 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Is Locked Out [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002404 5002405 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Account Disabled [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002405 5002406 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002406 5002407 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Account [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002407 5002408 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002408 5002409 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002409 5002410 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002410 5002411 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002411 5002412 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro 
Intel listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002412 5002413 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002413 5002414 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002414 5002415 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002415 5002416 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002416 5002417 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002417 5002418 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002418 5002419 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002419 5002420 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002420 5002421 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002421 5002422 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 
0xE - KDC has no support for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002422 5002423 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002423 5002424 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002424 5002425 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x11 - KDC has no support for transited type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002425 5002426 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002426 5002427 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002427 5002428 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002428 5002429 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002429 5002430 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002430 5002431 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002431 5002432 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x18 - Pre-authentication information was invalid 
[25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002432 5002433 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002433 5002434 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002434 5002435 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x20 - Ticket expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002435 5002436 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002436 5002437 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002437 5002438 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002438 5002439 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002439 5002440 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002440 5002441 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002441 5002442 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002442 5002443 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel 
listed IP - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002443 5002444 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002444 5002445 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002445 5002446 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2C - Specified version of key is not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002446 5002447 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002447 5002448 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002448 5002449 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002449 5002450 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002450 5002451 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002451 5002452 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002452 5002453 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3C - Generic error [25/1] || 
url,wiki.quadrantsec.com/bin/view/Main/5002453 5002454 || [WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3D - Field is too long for this implementation [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002454 5002455 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002455 5002456 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Correct but Incorrect Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002456 5002457 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Is Locked Out [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002457 5002458 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Account Disabled [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002458 5002459 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002459 5002460 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Account [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002460 5002461 || [WINDOWS-BLUEDOT] Login failure from a Bluedot listed IP - Expired Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002461 5002462 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002462 5002463 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002463 5002464 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1] || 
url,wiki.quadrantsec.com/bin/view/Main/5002464 5002465 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002465 5002466 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002466 5002467 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002467 5002468 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002468 5002469 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002469 5002470 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002470 5002471 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002471 5002472 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002472 5002473 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002473 5002475 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002475 5002476 || 
[WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xE - KDC has no support for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002476 5002477 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002477 5002478 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002478 5002479 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x11 - KDC has no support for transited type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002479 5002480 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002480 5002481 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002481 5002482 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002482 5002483 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002483 5002484 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002484 5002485 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002485 5002486 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 
0x18 - Pre-authentication information was invalid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002486 5002487 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002487 5002488 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002488 5002489 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x20 - Ticket expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002489 5002490 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002490 5002491 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002491 5002492 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002492 5002493 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002493 5002494 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002494 5002495 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002495 5002496 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002496 5002497 || [WINDOWS-BLUEDOT] Windows DC Login failure 
from a Bluedot listed IP - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002497 5002498 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002498 5002499 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002499 5002500 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2C - Specified version of key is not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002500 5002501 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002501 5002502 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002502 5002503 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002503 5002504 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002504 5002505 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002505 5002506 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002506 5002507 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3C - Generic error [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002507 
5002508 || [WINDOWS-BLUEDOT] Windows DC Login failure from a Bluedot listed IP - Brute force 0x3D - Field is too long for this implementation [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002508 5002509 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002509 5002510 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Correct but Incorrect Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002510 5002511 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002511 5002512 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002512 5002513 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002513 5002514 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002514 5002515 || [WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002515 5002516 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1 - Client's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002516 5002517 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002517 5002518 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002518 5002519 || [WINDOWS-BLACKLIST] Windows DC Login 
failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002519 5002520 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002520 5002521 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x6 - Client not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002521 5002522 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x7 - Server not found in Kerberos database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002522 5002523 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002523 5002524 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002524 5002525 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002525 5002526 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002526 5002527 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002527 5002528 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002528 5002529 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support 
for encryption type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002529 5002530 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xF - KDC has no support for checksum type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002530 5002531 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002531 5002532 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002532 5002533 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002533 5002534 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002534 5002535 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002535 5002536 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002536 5002537 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002537 5002538 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002538 5002539 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x18 - Pre-authentication information was invalid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002539 5002540 || 
[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - Additional pre-authentication required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002540 5002541 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002541 5002542 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002542 5002543 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002543 5002544 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x22 - Request is a replay [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002544 5002545 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002545 5002546 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002546 5002547 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002547 5002548 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002548 5002549 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002549 5002550 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002550 5002551 || 
[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002551 5002552 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002552 5002553 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002553 5002554 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2D - Service key not available [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002554 5002555 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002555 5002556 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002556 5002557 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002557 5002558 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect sequence number in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002558 5002559 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002559 5002560 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002560 5002561 || [WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation 
[25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002561 5002562 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Correct but Incorrect Password [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002562 5002563 || [WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Name Does Not Exist [Brute Force] [25/1] || url,wiki.quadrantsec.com/bin/view/Main/5002563 5002564 || [WINDOWS-MISC] Unable to log events to security log || url,wiki.quadrantsec.com/bin/view/Main/5002564 5002565 || [BASH] root password change attempt || url,wiki.quadrantsec.com/bin/view/Main/5002565 5002566 || [SU] root password change attempt || url,wiki.quadrantsec.com/bin/view/Main/5002566 5002567 || [CYLANCE] AuditLog - Device Edit || url,wiki.quadrantsec.com/bin/view/Main/5002567 5002568 || [CYLANCE] AuditLog - Login Success || url,wiki.quadrantsec.com/bin/view/Main/5002568 5002569 || [CYLANCE] AuditLog - Syslog Settings Saved || url,wiki.quadrantsec.com/bin/view/Main/5002569 5002570 || [CYLANCE] AuditLog - Zone Add Device || url,wiki.quadrantsec.com/bin/view/Main/5002570 5002571 || [CYLANCE] Device - Action Taken || url,wiki.quadrantsec.com/bin/view/Main/5002571 5002572 || [CYLANCE] Device - Registration || url,wiki.quadrantsec.com/bin/view/Main/5002572 5002573 || [CYLANCE] Device - System Security || url,wiki.quadrantsec.com/bin/view/Main/5002573 5002574 || [CYLANCE] ExploitAttempt - Blocked || url,wiki.quadrantsec.com/bin/view/Main/5002574 5002575 || [CYLANCE] ExploitAttempt - No Action Taken || url,wiki.quadrantsec.com/bin/view/Main/5002575 5002576 || [CYLANCE] Threat - Changed || url,wiki.quadrantsec.com/bin/view/Main/5002576 5002577 || [CYLANCE] Threat - Found || url,wiki.quadrantsec.com/bin/view/Main/5002577 5002578 || [CYLANCE] Threat - Quarantined || url,wiki.quadrantsec.com/bin/view/Main/5002578 5002579 || [CYLANCE] Threat - Removed || url,wiki.quadrantsec.com/bin/view/Main/5002579 6000510 || [OSSEC] Level 7 - Host-based anomaly detection 
event (rootcheck). (ossec_rules.xml:ossec) 6000513 || [OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec) 6000518 || [OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec) 6000531 || [OSSEC] Level 7 - Partition usage reached 100% (disk space monitor). (ossec_rules.xml:ossec) 6000550 || [OSSEC] Level 7 - Integrity checksum changed. (ossec_rules.xml:ossec) 6000551 || [OSSEC] Level 7 - Integrity checksum changed again (2nd time). (ossec_rules.xml:ossec) 6000552 || [OSSEC] Level 7 - Integrity checksum changed again (3rd time). (ossec_rules.xml:ossec) 6000553 || [OSSEC] Level 7 - File deleted. Unable to retrieve checksum. (ossec_rules.xml:ossec) 6000555 || [OSSEC] Level 7 - Integrity checksum for agentless device changed. (ossec_rules.xml:ossec) 6000580 || [OSSEC] Level 8 - Host information changed. (ossec_rules.xml:ossec) 6000581 || [OSSEC] Level 8 - Host information added. (ossec_rules.xml:ossec) 6000592 || [OSSEC] Level 8 - Log file size reduced. (ossec_rules.xml:ossec) 6000593 || [OSSEC] Level 9 - Microsoft Event log cleared. (ossec_rules.xml:ossec) 6001003 || [OSSEC] Level 13 - Non standard syslog message (size too large). (syslog_rules.xml:syslog,errors) 6001004 || [OSSEC] Level 5 - Syslogd exiting (logging stopped). (syslog_rules.xml:syslog,errors) 6001005 || [OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors) 6001006 || [OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors) 6001007 || [OSSEC] Level 7 - File system full. (syslog_rules.xml:syslog,errors) 6001008 || [OSSEC] Level 5 - Process exiting (killed). (syslog_rules.xml:syslog,errors) 6002301 || [OSSEC] Level 10 - Excessive number connections to a service. (syslog_rules.xml:syslog,xinetd) 6002551 || [OSSEC] Level 10 - Connection to rshd from unprivileged port. Possible network scan. (syslog_rules.xml:syslog,access_control) 6002832 || [OSSEC] Level 5 - Crontab entry changed. 
(syslog_rules.xml:syslog,cron) 6002833 || [OSSEC] Level 8 - Root's crontab entry changed. (syslog_rules.xml:syslog,cron) 6002834 || [OSSEC] Level 5 - Crontab opened for editing. (syslog_rules.xml:syslog,cron) 6002902 || [OSSEC] Level 7 - New dpkg (Debian Package) installed. (syslog_rules.xml:syslog,dpkg) 6002903 || [OSSEC] Level 7 - Dpkg (Debian Package) removed. (syslog_rules.xml:syslog,dpkg) 6002932 || [OSSEC] Level 7 - New Yum package installed. (syslog_rules.xml:syslog,yum) 6002933 || [OSSEC] Level 7 - Yum package updated. (syslog_rules.xml:syslog,yum) 6002934 || [OSSEC] Level 7 - Yum package deleted. (syslog_rules.xml:syslog,yum) 6003102 || [OSSEC] Level 5 - Sender domain does not have any valid MX record (Requested action aborted). (sendmail_rules.xml:syslog,sendmail) 6003103 || [OSSEC] Level 6 - Rejected by access list (55x: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003104 || [OSSEC] Level 6 - Attempt to use mail server as relay (550: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003105 || [OSSEC] Level 5 - Sender domain is not found (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003106 || [OSSEC] Level 5 - Sender address does not have domain (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail) 6003108 || [OSSEC] Level 6 - Sendmail rejected due to pre-greeting. (sendmail_rules.xml:syslog,sendmail) 6003109 || [OSSEC] Level 8 - Sendmail save mail panic. (sendmail_rules.xml:syslog,sendmail) 6003151 || [OSSEC] Level 10 - Sender domain has bogus MX record. It should not be sending e-mail. (sendmail_rules.xml:syslog,sendmail) 6003152 || [OSSEC] Level 6 - Multiple attempts to send e-mail from a previously rejected sender (access). (sendmail_rules.xml:syslog,sendmail) 6003153 || [OSSEC] Level 6 - Multiple relaying attempts of spam. (sendmail_rules.xml:syslog,sendmail) 6003154 || [OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. 
(sendmail_rules.xml:syslog,sendmail) 6003155 || [OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender. (sendmail_rules.xml:syslog,sendmail) 6003156 || [OSSEC] Level 10 - Multiple rejected e-mails from same source ip. (sendmail_rules.xml:syslog,sendmail) 6003158 || [OSSEC] Level 10 - Multiple pre-greetings rejects. (sendmail_rules.xml:syslog,sendmail) 6003191 || [OSSEC] Level 6 - SMF-SAV sendmail milter unable to verify address (REJECTED). (sendmail_rules.xml:syslog,sendmail) 6003301 || [OSSEC] Level 6 - Attempt to use mail server as relay (client host rejected). (postfix_rules.xml:syslog,postfix) 6003302 || [OSSEC] Level 6 - Rejected by access list (Requested action not taken). (postfix_rules.xml:syslog,postfix) 6003303 || [OSSEC] Level 5 - Sender domain is not found (450: Requested mail action not taken). (postfix_rules.xml:syslog,postfix) 6003304 || [OSSEC] Level 5 - Improper use of SMTP command pipelining (503: Bad sequence of commands). (postfix_rules.xml:syslog,postfix) 6003305 || [OSSEC] Level 5 - Recipient address must contain FQDN (504: Command parameter not implemented). (postfix_rules.xml:syslog,postfix) 6003306 || [OSSEC] Level 6 - IP Address black-listed by anti-spam (blocked). (postfix_rules.xml:syslog,postfix) 6003330 || [OSSEC] Level 10 - Postfix process error. (postfix_rules.xml:syslog,postfix) 6003331 || [OSSEC] Level 10 - Postfix insufficient disk space error. (postfix_rules.xml:syslog,postfix) 6003332 || [OSSEC] Level 5 - Postfix SASL authentication failure. (postfix_rules.xml:syslog,postfix) 6003333 || [OSSEC] Level 7 - Postfix stopped. (postfix_rules.xml:syslog,postfix) 6003351 || [OSSEC] Level 6 - Multiple relaying attempts of spam. (postfix_rules.xml:syslog,postfix) 6003352 || [OSSEC] Level 6 - Multiple attempts to send e-mail from a rejected sender IP (access). (postfix_rules.xml:syslog,postfix) 6003353 || [OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. 
(postfix_rules.xml:syslog,postfix) 6003354 || [OSSEC] Level 12 - Multiple misuse of SMTP service (bad sequence of commands). (postfix_rules.xml:syslog,postfix) 6003355 || [OSSEC] Level 10 - Multiple attempts to send e-mail to invalid recipient or from unknown sender domain. (postfix_rules.xml:syslog,postfix) 6003356 || [OSSEC] Level 10 - Multiple attempts to send e-mail from black-listed IP address (blocked). (postfix_rules.xml:syslog,postfix) 6003357 || [OSSEC] Level 10 - Multiple SASL authentication failures. (postfix_rules.xml:syslog,postfix) 6003601 || [OSSEC] Level 5 - Imapd user login failed. (imapd_rules.xml:syslog,imapd) 6003651 || [OSSEC] Level 10 - Multiple failed logins from same source ip. (imapd_rules.xml:syslog,imapd) 6003702 || [OSSEC] Level 5 - Mail Scanner spam detected. (mailscanner_rules.xml:syslog,mailscanner) 6003751 || [OSSEC] Level 6 - Multiple attempts of spam. (mailscanner_rules.xml:syslog,mailscanner) 6003851 || [OSSEC] Level 9 - Multiple e-mail attempts to an invalid account. (ms-exchange_rules.xml:ms,exchange) 6003852 || [OSSEC] Level 9 - Multiple e-mail 500 error code (spam). (ms-exchange_rules.xml:ms,exchange) 6003902 || [OSSEC] Level 5 - Courier (imap/pop3) authentication failed. (courier_rules.xml:syslog,courier) 6003910 || [OSSEC] Level 10 - Courier brute force (multiple failed logins). (courier_rules.xml:syslog,courier) 6003911 || [OSSEC] Level 10 - Multiple connection attempts from same source. (courier_rules.xml:syslog,courier) 6004101 || [OSSEC] Level 5 - Firewall drop event. (firewall_rules.xml:firewall) 6004151 || [OSSEC] Level 10 - Multiple Firewall drop events from same source. (firewall_rules.xml:firewall) 6004310 || [OSSEC] Level 5 - PIX alert message. (pix_rules.xml:syslog,pix) 6004311 || [OSSEC] Level 5 - PIX critical message. (pix_rules.xml:syslog,pix) 6004321 || [OSSEC] Level 9 - Failed login attempt at the PIX firewall. 
(pix_rules.xml:syslog,pix) 6004324 || [OSSEC] Level 9 - Password mismatch while running 'enable' on the PIX. (pix_rules.xml:syslog,pix) 6004325 || [OSSEC] Level 8 - ARP collision detected by the PIX. (pix_rules.xml:syslog,pix) 6004326 || [OSSEC] Level 8 - Attempt to connect from a blocked (shunned) IP. (pix_rules.xml:syslog,pix) 6004327 || [OSSEC] Level 8 - Connection limit exceeded. (pix_rules.xml:syslog,pix) 6004330 || [OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix) 6004331 || [OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix) 6004332 || [OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix) 6004333 || [OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix) 6004334 || [OSSEC] Level 5 - AAA (VPN) authentication failed. (pix_rules.xml:syslog,pix) 6004336 || [OSSEC] Level 8 - AAA (VPN) user locked out. (pix_rules.xml:syslog,pix) 6004337 || [OSSEC] Level 8 - The PIX is disallowing new connections. (pix_rules.xml:syslog,pix) 6004338 || [OSSEC] Level 8 - Firewall failover pair communication problem. (pix_rules.xml:syslog,pix) 6004339 || [OSSEC] Level 8 - Firewall configuration deleted. (pix_rules.xml:syslog,pix) 6004340 || [OSSEC] Level 8 - Firewall configuration changed. (pix_rules.xml:syslog,pix) 6004342 || [OSSEC] Level 8 - User created or modified on the Firewall. (pix_rules.xml:syslog,pix) 6004380 || [OSSEC] Level 10 - Multiple PIX alert messages. (pix_rules.xml:syslog,pix) 6004381 || [OSSEC] Level 10 - Multiple PIX critical messages. (pix_rules.xml:syslog,pix) 6004382 || [OSSEC] Level 10 - Multiple PIX error messages. (pix_rules.xml:syslog,pix) 6004383 || [OSSEC] Level 10 - Multiple PIX warning messages. (pix_rules.xml:syslog,pix) 6004385 || [OSSEC] Level 10 - Multiple attack in progress messages. (pix_rules.xml:syslog,pix) 6004386 || [OSSEC] Level 10 - Multiple AAA (VPN) authentication failures. 
(pix_rules.xml:syslog,pix) 6004503 || [OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw) 6004504 || [OSSEC] Level 5 - Netscreen informational message. (netscreenfw_rules.xml:netscreenfw) 6004505 || [OSSEC] Level 11 - Netscreen Erase sequence started. (netscreenfw_rules.xml:netscreenfw) 6004506 || [OSSEC] Level 8 - Successful admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw) 6004507 || [OSSEC] Level 8 - Successful admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw) 6004508 || [OSSEC] Level 8 - Firewall policy changed. (netscreenfw_rules.xml:netscreenfw) 6004509 || [OSSEC] Level 8 - Firewall configuration changed. (netscreenfw_rules.xml:netscreenfw) 6004513 || [OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw) 6004550 || [OSSEC] Level 10 - Multiple Netscreen critical messages from same source IP. (netscreenfw_rules.xml:netscreenfw) 6004551 || [OSSEC] Level 10 - Multiple Netscreen critical messages. (netscreenfw_rules.xml:netscreenfw) 6004552 || [OSSEC] Level 10 - Multiple Netscreen alert messages from same source IP. (netscreenfw_rules.xml:netscreenfw) 6004553 || [OSSEC] Level 10 - Multiple Netscreen alert messages. (netscreenfw_rules.xml:netscreenfw) 6004710 || [OSSEC] Level 9 - Cisco IOS emergency message. (cisco-ios_rules.xml:syslog,cisco_ios) 6004711 || [OSSEC] Level 5 - Cisco IOS alert message. (cisco-ios_rules.xml:syslog,cisco_ios) 6004712 || [OSSEC] Level 5 - Cisco IOS critical message. (cisco-ios_rules.xml:syslog,cisco_ios) 6004724 || [OSSEC] Level 9 - Failed login to the router. (cisco-ios_rules.xml:syslog,cisco_ios) 6004801 || [OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall) 6004802 || [OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall) 6004811 || [OSSEC] Level 9 - Firewall authentication failure. 
(sonicwall_rules.xml:syslog,sonicwall) 6004850 || [OSSEC] Level 10 - Multiple firewall warning messages. (sonicwall_rules.xml:syslog,sonicwall) 6004851 || [OSSEC] Level 10 - Multiple firewall error messages. (sonicwall_rules.xml:syslog,sonicwall) 6005103 || [OSSEC] Level 9 - Error message from the kernel. Ping of death attack. (syslog_rules.xml:syslog,linuxkernel) 6005104 || [OSSEC] Level 8 - Interface entered in promiscuous (sniffing) mode. (syslog_rules.xml:syslog,linuxkernel) 6005108 || [OSSEC] Level 12 - System running out of memory. Availability of the system is at risk. (syslog_rules.xml:syslog,linuxkernel) 6005113 || [OSSEC] Level 7 - System is shutting down. (syslog_rules.xml:syslog,linuxkernel) 6005130 || [OSSEC] Level 7 - Monitor ADSL line is down. (syslog_rules.xml:syslog,linuxkernel) 6005301 || [OSSEC] Level 5 - User missed the password to change UID (user id). (syslog_rules.xml:syslog, su) 6005302 || [OSSEC] Level 9 - User missed the password to change UID to root. (syslog_rules.xml:syslog, su) 6005401 || [OSSEC] Level 10 - Three failed attempts to run sudo (syslog_rules.xml:syslog,sudo) 6005503 || [OSSEC] Level 5 - User login failed. (pam_rules.xml:pam,syslog) 6005504 || [OSSEC] Level 5 - Attempt to login with an invalid user. (pam_rules.xml:pam,syslog) 6005551 || [OSSEC] Level 10 - Multiple failed logins in a small period of time. (pam_rules.xml:pam,syslog) 6005601 || [OSSEC] Level 5 - Connection refused by TCP Wrappers. (telnetd_rules.xml:syslog,telnetd) 6005603 || [OSSEC] Level 5 - Remote host invalid connection. (telnetd_rules.xml:syslog,telnetd) 6005604 || [OSSEC] Level 5 - Reverse lookup error (bad hostname config). (telnetd_rules.xml:syslog,telnetd) 6005631 || [OSSEC] Level 10 - Multiple connection attempts from same source (possible scan). (telnetd_rules.xml:syslog,telnetd) 6005701 || [OSSEC] Level 8 - Possible attack on the ssh server (or version gathering). 
(sshd_rules.xml:syslog,sshd) 6005702 || [OSSEC] Level 5 - Reverse lookup error (bad ISP or attack). (sshd_rules.xml:syslog,sshd) 6005703 || [OSSEC] Level 10 - Possible breakin attempt (high number of reverse lookup errors). (sshd_rules.xml:syslog,sshd) 6005705 || [OSSEC] Level 10 - Possible scan or breakin attempt (high number of login timeouts). (sshd_rules.xml:syslog,sshd) 6005706 || [OSSEC] Level 6 - SSH insecure connection attempt (scan). (sshd_rules.xml:syslog,sshd) 6005707 || [OSSEC] Level 14 - OpenSSH challenge-response exploit. (sshd_rules.xml:syslog,sshd) 6005710 || [OSSEC] Level 5 - Attempt to login using a non-existent user (sshd_rules.xml:syslog,sshd) 6005712 || [OSSEC] Level 10 - SSHD brute force trying to get access to the system. (sshd_rules.xml:syslog,sshd) 6005713 || [OSSEC] Level 6 - Corrupted bytes on SSHD. (sshd_rules.xml:syslog,sshd) 6005714 || [OSSEC] Level 14 - SSH CRC-32 Compensation attack (sshd_rules.xml:syslog,sshd) 6005716 || [OSSEC] Level 5 - SSHD authentication failed. (sshd_rules.xml:syslog,sshd) 6005718 || [OSSEC] Level 5 - Attempt to login using a denied user. (sshd_rules.xml:syslog,sshd) 6005719 || [OSSEC] Level 10 - Multiple access attempts using a denied user. (sshd_rules.xml:syslog,sshd) 6005720 || [OSSEC] Level 10 - Multiple SSHD authentication failures. (sshd_rules.xml:syslog,sshd) 6005901 || [OSSEC] Level 8 - New group added to the system (syslog_rules.xml:syslog,adduser) 6005902 || [OSSEC] Level 8 - New user added to the system (syslog_rules.xml:syslog,adduser) 6005904 || [OSSEC] Level 8 - Information from the user was changed (syslog_rules.xml:syslog,adduser) 6006101 || [OSSEC] Level 5 - Auditing session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm) 6006104 || [OSSEC] Level 5 - Login session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm) 6006106 || [OSSEC] Level 5 - User failed to change UID (user id). (solaris_bsm_rules.xml:syslog,solaris_bsm) 6006210 || [OSSEC] Level 5 - Login session failed. 
(asterisk_rules.xml:syslog,asterisk) 6006211 || [OSSEC] Level 5 - Login session failed (invalid user). (asterisk_rules.xml:syslog,asterisk) 6006212 || [OSSEC] Level 5 - Login session failed (invalid extension). (asterisk_rules.xml:syslog,asterisk) 6006250 || [OSSEC] Level 10 - Multiple failed logins (user enumeration in process). (asterisk_rules.xml:syslog,asterisk) 6006251 || [OSSEC] Level 10 - Multiple failed logins. (asterisk_rules.xml:syslog,asterisk) 6006252 || [OSSEC] Level 10 - Extension enumeration. (asterisk_rules.xml:syslog,asterisk) 6006303 || [OSSEC] Level 10 - The log was temporarily paused due to low disk space. (ms_dhcp_rules.xml:windows,dhcp) 6006308 || [OSSEC] Level 12 - A lease request could not be satisfied because the scope's address pool was exhausted. (ms_dhcp_rules.xml:windows,dhcp) 6006309 || [OSSEC] Level 7 - A lease was denied. (ms_dhcp_rules.xml:windows,dhcp) 6006314 || [OSSEC] Level 10 - A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. (ms_dhcp_rules.xml:windows,dhcp) 6006319 || [OSSEC] Level 7 - DNS update failed. (ms_dhcp_rules.xml:windows,dhcp) 6006321 || [OSSEC] Level 12 - Codes above 50 are used for Rogue Server Detection information. (ms_dhcp_rules.xml:windows,dhcp) 6006323 || [OSSEC] Level 12 - Packet dropped due to NAP policy. (ms_dhcp_rules.xml:windows,dhcp) 6006357 || [OSSEC] Level 7 - DHCP Decline. (ms_dhcp_rules.xml:windows,dhcp) 6006360 || [OSSEC] Level 12 - Scope Full. (ms_dhcp_rules.xml:windows,dhcp) 6006362 || [OSSEC] Level 7 - Stopped. (ms_dhcp_rules.xml:windows,dhcp) 6006363 || [OSSEC] Level 10 - Audit log paused. (ms_dhcp_rules.xml:windows,dhcp) 6006364 || [OSSEC] Level 7 - DHCP Log File. (ms_dhcp_rules.xml:windows,dhcp) 6006365 || [OSSEC] Level 7 - Bad Address. (ms_dhcp_rules.xml:windows,dhcp) 6006373 || [OSSEC] Level 12 - Service not authorized in AD. (ms_dhcp_rules.xml:windows,dhcp) 6006376 || [OSSEC] Level 12 - Service has not determined if it is authorized in AD. 
(ms_dhcp_rules.xml:windows,dhcp) 6007101 || [OSSEC] Level 8 - Problems with the tripwire checking (syslog_rules.xml:syslog,tripwire) 6007202 || [OSSEC] Level 9 - Arpwatch "flip flop" message. IP address/MAC relation changing too often. (arpwatch_rules.xml:syslog,arpwatch) 6007204 || [OSSEC] Level 9 - Changed network interface for ip address. (arpwatch_rules.xml:syslog,arpwatch) 6007310 || [OSSEC] Level 9 - Virus detected. (symantec-av_rules.xml:symantec) 6007410 || [OSSEC] Level 5 - Login failed accessing the web proxy. (symantec-ws_rules.xml:symantec) 6007504 || [OSSEC] Level 12 - McAfee Windows AV - Virus detected and not removed. (mcafee_av_rules.xml:mcafee) 6007505 || [OSSEC] Level 7 - McAfee Windows AV - Virus detected and properly removed. (mcafee_av_rules.xml:mcafee) 6007506 || [OSSEC] Level 7 - McAfee Windows AV - Virus detected and file will be deleted. (mcafee_av_rules.xml:mcafee) 6007509 || [OSSEC] Level 7 - McAfee Windows AV - Virus scan cancelled. (mcafee_av_rules.xml:mcafee) 6007510 || [OSSEC] Level 5 - McAfee Windows AV - Virus scan cancelled due to shutdown. (mcafee_av_rules.xml:mcafee) 6007512 || [OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update failed. (mcafee_av_rules.xml:mcafee) 6007513 || [OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update cancelled. (mcafee_av_rules.xml:mcafee) 6007514 || [OSSEC] Level 5 - McAfee Windows AV - EICAR test file detected. (mcafee_av_rules.xml:mcafee) 6007550 || [OSSEC] Level 10 - Multiple McAfee AV warning events. (mcafee_av_rules.xml:mcafee) 6007610 || [OSSEC] Level 5 - Virus detected and cleaned/quarantined/removed (trend-osce_rules.xml:trend_micro,ocse) 6007611 || [OSSEC] Level 9 - Virus detected and unable to clean up. (trend-osce_rules.xml:trend_micro,ocse) 6007613 || [OSSEC] Level 5 - Virus scan passed but found potential security risk. (trend-osce_rules.xml:trend_micro,ocse) 6007710 || [OSSEC] Level 12 - Microsoft Security Essentials - Virus detected, but unable to remove. 
(ms-se_rules.xml:windows,mse) 6007711 || [OSSEC] Level 7 - Microsoft Security Essentials - Virus detected and properly removed. (ms-se_rules.xml:windows,mse) 6007712 || [OSSEC] Level 7 - Microsoft Security Essentials - Virus detected. (ms-se_rules.xml:windows,mse) 6007731 || [OSSEC] Level 5 - Microsoft Security Essentials - EICAR test file detected. (ms-se_rules.xml:windows,mse) 6007750 || [OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse) 6007751 || [OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse) 6009303 || [OSSEC] Level 5 - Horde IMP error message. (hordeimp_rules.xml:syslog,hordeimp) 6009304 || [OSSEC] Level 9 - Horde IMP emergency message. (hordeimp_rules.xml:syslog,hordeimp) 6009306 || [OSSEC] Level 5 - Horde IMP Failed login. (hordeimp_rules.xml:syslog,hordeimp) 6009351 || [OSSEC] Level 10 - Horde brute force (multiple failed logins). (hordeimp_rules.xml:syslog,hordeimp) 6009352 || [OSSEC] Level 10 - Multiple Horde emergency messages. (hordeimp_rules.xml:syslog,hordeimp) 6009401 || [OSSEC] Level 5 - Roundcube authentication failed. (roundcube_rules.xml:syslog,roundcube) 6009501 || [OSSEC] Level 5 - Wordpress authentication failed. (wordpress_rules.xml:syslog,wordpress) 6009505 || [OSSEC] Level 7 - Wordpress Comment Flood Attempt. (wordpress_rules.xml:syslog,wordpress) 6009510 || [OSSEC] Level 7 - Attack against Wordpress detected. (wordpress_rules.xml:syslog,wordpress) 6009551 || [OSSEC] Level 10 - Multiple wordpress authentication failures. (wordpress_rules.xml:syslog,wordpress) 6009610 || [OSSEC] Level 5 - Compaq Insight Manager authentication failure. (cimserver_rules.xml:syslog,cimserver) 6009611 || [OSSEC] Level 12 - Compaq Insight Manager stopped. (cimserver_rules.xml:syslog,cimserver) 6009702 || [OSSEC] Level 5 - Dovecot Authentication Failed. 
(dovecot_rules.xml:dovecot) 6009705 || [OSSEC] Level 5 - Dovecot Invalid User Login Attempt. (dovecot_rules.xml:dovecot) 6009707 || [OSSEC] Level 5 - Dovecot Aborted Login. (dovecot_rules.xml:dovecot) 6009750 || [OSSEC] Level 10 - Dovecot Multiple Authentication Failures. (dovecot_rules.xml:dovecot) 6009751 || [OSSEC] Level 10 - Dovecot brute force attack (multiple auth failures). (dovecot_rules.xml:dovecot) 6009801 || [OSSEC] Level 5 - Login failed accessing the pop3 server. (vmpop3d_rules.xml:syslog,vm-pop3d) 6009820 || [OSSEC] Level 10 - POP3 brute force (multiple failed logins). (vmpop3d_rules.xml:syslog,vm-pop3d) 6009901 || [OSSEC] Level 5 - Login failed for vpopmail. (vpopmail_rules.xml:syslog,vpopmail) 6009902 || [OSSEC] Level 5 - Attempt to login to vpopmail with invalid username. (vpopmail_rules.xml:syslog,vpopmail) 6009903 || [OSSEC] Level 5 - Attempt to login to vpopmail with empty password. (vpopmail_rules.xml:syslog,vpopmail) 6009951 || [OSSEC] Level 10 - Vpopmail brute force (multiple failed logins). (vpopmail_rules.xml:syslog,vpopmail) 6009952 || [OSSEC] Level 10 - Vpopmail brute force (email harvesting). (vpopmail_rules.xml:syslog,vpopmail) 6009953 || [OSSEC] Level 10 - VPOPMAIL brute force (empty password). (vpopmail_rules.xml:syslog,vpopmail) 6011101 || [OSSEC] Level 5 - FTP connection refused. (ftpd_rules.xml:syslog,ftpd) 6011107 || [OSSEC] Level 5 - Connection blocked by Tcp Wrappers. (ftpd_rules.xml:syslog,ftpd) 6011108 || [OSSEC] Level 5 - Reverse lookup error (bad ISP config). (ftpd_rules.xml:syslog,ftpd) 6011109 || [OSSEC] Level 10 - Multiple FTP failed login attempts. (ftpd_rules.xml:syslog,ftpd) 6011111 || [OSSEC] Level 9 - Attempt to login with disabled account. (ftpd_rules.xml:syslog,ftpd) 6011112 || [OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd) 6011113 || [OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd) 6011203 || [OSSEC] Level 5 - Attempt to login using a non-existent user. 
(proftpd_rules.xml:syslog,proftpd) 6011204 || [OSSEC] Level 5 - Login failed accessing the FTP server (proftpd_rules.xml:syslog,proftpd) 6011206 || [OSSEC] Level 5 - Connection denied by ProFTPD configuration. (proftpd_rules.xml:syslog,proftpd) 6011207 || [OSSEC] Level 5 - Connection refused by TCP Wrappers. (proftpd_rules.xml:syslog,proftpd) 6011209 || [OSSEC] Level 14 - Attempt to bypass firewall that can't adequately keep state of FTP traffic. (proftpd_rules.xml:syslog,proftpd) 6011210 || [OSSEC] Level 10 - Multiple failed login attempts. (proftpd_rules.xml:syslog,proftpd) 6011212 || [OSSEC] Level 5 - Reverse lookup error (bad ISP config). (proftpd_rules.xml:syslog,proftpd) 6011218 || [OSSEC] Level 12 - FTP process crashed. (proftpd_rules.xml:syslog,proftpd) 6011219 || [OSSEC] Level 12 - FTP server Buffer overflow attempt. (proftpd_rules.xml:syslog,proftpd) 6011251 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). (proftpd_rules.xml:syslog,proftpd) 6011252 || [OSSEC] Level 10 - Multiple connection attempts from same source. (proftpd_rules.xml:syslog,proftpd) 6011253 || [OSSEC] Level 10 - Multiple timed out logins from same source. (proftpd_rules.xml:syslog,proftpd) 6011302 || [OSSEC] Level 5 - FTP Authentication failed. (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011305 || [OSSEC] Level 5 - Attempt to access invalid directory (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011306 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011307 || [OSSEC] Level 10 - Multiple connection attempts from same source. (pure-ftpd_rules.xml:syslog,pure-ftpd) 6011403 || [OSSEC] Level 5 - Login failed accessing the FTP server. (vsftpd_rules.xml:syslog,vsftpd) 6011451 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). (vsftpd_rules.xml:syslog,vsftpd) 6011452 || [OSSEC] Level 10 - Multiple FTP connection attempts from same source IP. 
(vsftpd_rules.xml:syslog,vsftpd) 6011502 || [OSSEC] Level 5 - FTP Authentication failed. (ms_ftpd_rules.xml:syslog,msftp) 6011510 || [OSSEC] Level 10 - FTP brute force (multiple failed logins). (ms_ftpd_rules.xml:syslog,msftp) 6011511 || [OSSEC] Level 10 - Multiple connection attempts from same source. (ms_ftpd_rules.xml:syslog,msftp) 6011512 || [OSSEC] Level 10 - Multiple FTP errors from same source. (ms_ftpd_rules.xml:syslog,msftp) 6012101 || [OSSEC] Level 12 - Invalid DNS packet. Possibility of attack. (named_rules.xml:syslog,named) 6012102 || [OSSEC] Level 9 - Failed attempt to perform a zone transfer. (named_rules.xml:syslog,named) 6012109 || [OSSEC] Level 12 - Named fatal error. DNS service going down. (named_rules.xml:syslog,named) 6012110 || [OSSEC] Level 8 - Serial number from master is lower than stored. (named_rules.xml:syslog,named) 6012111 || [OSSEC] Level 8 - Unable to perform zone transfer. (named_rules.xml:syslog,named) 6013102 || [OSSEC] Level 5 - Samba connection denied. (smbd_rules.xml:syslog,smbd) 6013104 || [OSSEC] Level 5 - User action denied by configuration. (smbd_rules.xml:syslog,smbd) 6014101 || [OSSEC] Level 5 - VPN authentication failed. (racoon_rules.xml:syslog,racoon) 6014151 || [OSSEC] Level 9 - Multiple failed VPN logins. (racoon_rules.xml:syslog,racoon) 6014202 || [OSSEC] Level 5 - VPN authentication failed. (vpn_concentrator_rules.xml:syslog,cisco_vpn) 6014251 || [OSSEC] Level 10 - Multiple VPN authentication failures. (vpn_concentrator_rules.xml:syslog,cisco_vpn) 6017101 || [OSSEC] Level 9 - Successful login during non-business hours. (policy_rules.xml:policy_violation) 6017102 || [OSSEC] Level 9 - Successful login during weekend. (policy_rules.xml:policy_violation) 6018103 || [OSSEC] Level 5 - Windows error event. (msauth_rules.xml:windows) 6018106 || [OSSEC] Level 5 - Windows Logon Failure. (msauth_rules.xml:windows) 6018110 || [OSSEC] Level 8 - User account enabled or created. 
(msauth_rules.xml:windows) 6018111 || [OSSEC] Level 8 - User account changed. (msauth_rules.xml:windows) 6018112 || [OSSEC] Level 8 - User account disabled or deleted. (msauth_rules.xml:windows) 6018113 || [OSSEC] Level 8 - Windows Audit Policy changed. (msauth_rules.xml:windows) 6018114 || [OSSEC] Level 5 - Group Account Changed (msauth_rules.xml:windows) 6018115 || [OSSEC] Level 8 - General account database changed. (msauth_rules.xml:windows) 6018116 || [OSSEC] Level 9 - User account locked out (multiple login errors). (msauth_rules.xml:windows) 6018117 || [OSSEC] Level 7 - Windows is shutting down. (msauth_rules.xml:windows) 6018118 || [OSSEC] Level 9 - Windows audit log was cleared. (msauth_rules.xml:windows) 6018125 || [OSSEC] Level 5 - Remote access login failure. (msauth_rules.xml:windows) 6018127 || [OSSEC] Level 8 - Computer account changed/deleted. (msauth_rules.xml:windows) 6018128 || [OSSEC] Level 8 - Group account added/changed/deleted. (msauth_rules.xml:windows) 6018129 || [OSSEC] Level 8 - Windows file system full. (msauth_rules.xml:windows) 6018130 || [OSSEC] Level 5 - Logon Failure - Unknown user or bad password. (msauth_rules.xml:windows) 6018131 || [OSSEC] Level 5 - Logon Failure - Account logon time restriction violation. (msauth_rules.xml:windows) 6018132 || [OSSEC] Level 5 - Logon Failure - Account currently disabled. (msauth_rules.xml:windows) 6018133 || [OSSEC] Level 5 - Logon Failure - Specified account expired. (msauth_rules.xml:windows) 6018134 || [OSSEC] Level 7 - Logon Failure - User not allowed to login at this computer. (msauth_rules.xml:windows) 6018135 || [OSSEC] Level 5 - Logon Failure - User not granted logon type. (msauth_rules.xml:windows) 6018136 || [OSSEC] Level 5 - Logon Failure - Account's password expired. (msauth_rules.xml:windows) 6018137 || [OSSEC] Level 5 - Logon Failure - Internal error. (msauth_rules.xml:windows) 6018138 || [OSSEC] Level 7 - Logon Failure - Account locked out. 
(msauth_rules.xml:windows) 6018139 || [OSSEC] Level 5 - Windows DC Logon Failure. (msauth_rules.xml:windows) 6018140 || [OSSEC] Level 7 - System time changed. (msauth_rules.xml:windows) 6018141 || [OSSEC] Level 7 - Unexpected Windows shutdown. (msauth_rules.xml:windows) 6018142 || [OSSEC] Level 5 - User account unlocked. (msauth_rules.xml:windows) 6018143 || [OSSEC] Level 8 - Security enabled group created. (msauth_rules.xml:windows) 6018144 || [OSSEC] Level 8 - Security enabled group deleted. (msauth_rules.xml:windows) 6018146 || [OSSEC] Level 5 - Application Uninstalled. (msauth_rules.xml:windows) 6018147 || [OSSEC] Level 5 - Application Installed. (msauth_rules.xml:windows) 6018151 || [OSSEC] Level 10 - Multiple failed attempts to perform a privileged operation by the same user. (msauth_rules.xml:windows) 6018152 || [OSSEC] Level 10 - Multiple Windows Logon Failures. (msauth_rules.xml:windows) 6018153 || [OSSEC] Level 10 - Multiple Windows audit failure events. (msauth_rules.xml:windows) 6018154 || [OSSEC] Level 10 - Multiple Windows error events. (msauth_rules.xml:windows) 6018155 || [OSSEC] Level 10 - Multiple Windows warning events. (msauth_rules.xml:windows) 6018156 || [OSSEC] Level 10 - Multiple remote access login failures. (msauth_rules.xml:windows) 6018170 || [OSSEC] Level 10 - Windows DC integrity check on decrypted field failed. (msauth_rules.xml:windows) 6018171 || [OSSEC] Level 10 - Windows DC - Possible replay attack. (msauth_rules.xml:windows) 6018172 || [OSSEC] Level 7 - Windows DC - Clock skew too great. (msauth_rules.xml:windows) 6018180 || [OSSEC] Level 5 - MS SQL Server Logon Failure. 
(msauth_rules.xml:windows) 6018200 || [OSSEC] Level 5 - Group Account Created (msauth_rules.xml:windows) 6018201 || [OSSEC] Level 5 - Group Account Deleted (msauth_rules.xml:windows) 6018202 || [OSSEC] Level 5 - Security Enabled Global Group Created (msauth_rules.xml:windows) 6018203 || [OSSEC] Level 5 - Security Enabled Global Group Member Added (msauth_rules.xml:windows) 6018204 || [OSSEC] Level 5 - Security Enabled Global Group Member Removed (msauth_rules.xml:windows) 6018205 || [OSSEC] Level 5 - Security Enabled Global Group Deleted (msauth_rules.xml:windows) 6018206 || [OSSEC] Level 5 - Security Enabled Local Group Created (msauth_rules.xml:windows) 6018207 || [OSSEC] Level 5 - Security Enabled Local Group Member Added (msauth_rules.xml:windows) 6018208 || [OSSEC] Level 5 - Security Enabled Local Group Member Removed (msauth_rules.xml:windows) 6018209 || [OSSEC] Level 5 - Security Enabled Local Group Deleted (msauth_rules.xml:windows) 6018210 || [OSSEC] Level 5 - Security Enabled Local Group Changed (msauth_rules.xml:windows) 6018211 || [OSSEC] Level 5 - Security Enabled Global Group Changed (msauth_rules.xml:windows) 6018212 || [OSSEC] Level 5 - Security Enabled Universal Group Created (msauth_rules.xml:windows) 6018213 || [OSSEC] Level 5 - Security Enabled Universal Group Changed (msauth_rules.xml:windows) 6018214 || [OSSEC] Level 5 - Security Enabled Universal Group Member Added (msauth_rules.xml:windows) 6018215 || [OSSEC] Level 5 - Security Enabled Universal Group Member Removed (msauth_rules.xml:windows) 6018216 || [OSSEC] Level 5 - Security Enabled Universal Group Deleted (msauth_rules.xml:windows) 6018217 || [OSSEC] Level 12 - Administrators Group Changed (msauth_rules.xml:windows) 6018218 || [OSSEC] Level 5 - Everyone Group Changed (msauth_rules.xml:windows) 6018219 || [OSSEC] Level 12 - Enterprise Domain Controllers Group Changed (msauth_rules.xml:windows) 6018220 || [OSSEC] Level 5 - Authenticated Users Group Changed (msauth_rules.xml:windows) 
6018221 || [OSSEC] Level 5 - Terminal Server Users Group Changed (msauth_rules.xml:windows) 6018222 || [OSSEC] Level 12 - Domain Admins Group Changed (msauth_rules.xml:windows) 6018223 || [OSSEC] Level 5 - Domain Users Group Changed (msauth_rules.xml:windows) 6018225 || [OSSEC] Level 12 - Domain Guests Group Changed (msauth_rules.xml:windows) 6018226 || [OSSEC] Level 5 - Domain Computers Group Changed (msauth_rules.xml:windows) 6018227 || [OSSEC] Level 12 - Domain Controllers Group Changed (msauth_rules.xml:windows) 6018228 || [OSSEC] Level 10 - Cert Publishers Group Changed (msauth_rules.xml:windows) 6018229 || [OSSEC] Level 12 - Schema Admins Group Changed (msauth_rules.xml:windows) 6018230 || [OSSEC] Level 12 - Enterprise Admins Group Changed (msauth_rules.xml:windows) 6018231 || [OSSEC] Level 10 - Group Policy Creator Owners Group Changed (msauth_rules.xml:windows) 6018232 || [OSSEC] Level 10 - RAS and IAS Servers Group Changed (msauth_rules.xml:windows) 6018233 || [OSSEC] Level 5 - Users Group Changed (msauth_rules.xml:windows) 6018234 || [OSSEC] Level 12 - Guests Group Changed (msauth_rules.xml:windows) 6018235 || [OSSEC] Level 10 - Power Users Group Changed (msauth_rules.xml:windows) 6018236 || [OSSEC] Level 10 - Account Operators Group Changed (msauth_rules.xml:windows) 6018237 || [OSSEC] Level 10 - Server Operators Group Changed (msauth_rules.xml:windows) 6018238 || [OSSEC] Level 8 - Print Operators Group Changed (msauth_rules.xml:windows) 6018239 || [OSSEC] Level 12 - Backup Operators Group Changed (msauth_rules.xml:windows) 6018240 || [OSSEC] Level 10 - Replicators Group Changed (msauth_rules.xml:windows) 6018241 || [OSSEC] Level 8 - Pre-Windows 2000 Compatible Access Group Changed (msauth_rules.xml:windows) 6018242 || [OSSEC] Level 10 - Remote Desktop Users Group Changed (msauth_rules.xml:windows) 6018243 || [OSSEC] Level 10 - Network Configuration Operators Group Changed (msauth_rules.xml:windows) 6018244 || [OSSEC] Level 10 - Incoming Forest Trust 
Builders Group Changed (msauth_rules.xml:windows) 6018245 || [OSSEC] Level 8 - Performance Monitor Users Group Changed (msauth_rules.xml:windows) 6018246 || [OSSEC] Level 8 - Performance Log Users Group Changed (msauth_rules.xml:windows) 6018247 || [OSSEC] Level 8 - Windows Authorization Access Group Changed (msauth_rules.xml:windows) 6018248 || [OSSEC] Level 8 - Terminal Server License Servers Group Changed (msauth_rules.xml:windows) 6018249 || [OSSEC] Level 8 - Distributed COM Users Group Changed (msauth_rules.xml:windows) 6018250 || [OSSEC] Level 12 - Enterprise Read-only Domain Controllers Group Changed (msauth_rules.xml:windows) 6018251 || [OSSEC] Level 12 - Read-only Domain Controllers Group Changed (msauth_rules.xml:windows) 6018252 || [OSSEC] Level 12 - Cryptographic Operators Group Changed (msauth_rules.xml:windows) 6018253 || [OSSEC] Level 10 - Allowed RODC Password Replication Group Changed (msauth_rules.xml:windows) 6018254 || [OSSEC] Level 10 - Denied RODC Password Replication Group Changed (msauth_rules.xml:windows) 6018255 || [OSSEC] Level 10 - Event Log Readers Group Changed (msauth_rules.xml:windows) 6018256 || [OSSEC] Level 10 - Certificate Service DCOM Access Group Changed (msauth_rules.xml:windows) 6019102 || [OSSEC] Level 8 - VMware ESX critical message. (vmware_rules.xml:vmware) 6019111 || [OSSEC] Level 5 - VMWare ESX authentication failure. (vmware_rules.xml:vmware) 6019120 || [OSSEC] Level 8 - Virtual machine state changed to OFF. (vmware_rules.xml:vmware) 6019123 || [OSSEC] Level 5 - Virtual machine being reconfigured. (vmware_rules.xml:vmware) 6019150 || [OSSEC] Level 10 - Multiple VMWare ESX warning messages. (vmware_rules.xml:vmware) 6019151 || [OSSEC] Level 10 - Multiple VMWare ESX error messages. (vmware_rules.xml:vmware) 6019152 || [OSSEC] Level 10 - Multiple VMWare ESX authentication failures. (vmware_rules.xml:vmware) 6019153 || [OSSEC] Level 10 - Multiple VMWare ESX user authentication failures. 
(vmware_rules.xml:vmware) 6020100 || [OSSEC] Level 8 - First time this IDS alert is generated. (ids_rules.xml:ids) 6020101 || [OSSEC] Level 6 - IDS event. (ids_rules.xml:ids) 6020151 || [OSSEC] Level 10 - Multiple IDS events from same source ip. (ids_rules.xml:ids) 6020152 || [OSSEC] Level 10 - Multiple IDS alerts for same id. (ids_rules.xml:ids) 6020161 || [OSSEC] Level 11 - Multiple IDS events from same source ip (ignoring now this srcip and id). (ids_rules.xml:ids) 6020162 || [OSSEC] Level 11 - Multiple IDS alerts for same id (ignoring now this id). (ids_rules.xml:ids) 6030104 || [OSSEC] Level 12 - Apache segmentation fault. (apache_rules.xml:apache) 6030105 || [OSSEC] Level 5 - Attempt to access forbidden file or directory. (apache_rules.xml:apache) 6030106 || [OSSEC] Level 5 - Attempt to access forbidden directory index. (apache_rules.xml:apache) 6030107 || [OSSEC] Level 6 - Code Red attack. (apache_rules.xml:apache) 6030108 || [OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache) 6030109 || [OSSEC] Level 9 - Attempt to login using a non-existent user. (apache_rules.xml:apache) 6030110 || [OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache) 6030115 || [OSSEC] Level 5 - Invalid URI (bad client request). (apache_rules.xml:apache) 6030116 || [OSSEC] Level 10 - Multiple Invalid URI requests from same source. (apache_rules.xml:apache) 6030117 || [OSSEC] Level 10 - Invalid URI, file name too long. (apache_rules.xml:apache) 6030118 || [OSSEC] Level 6 - Access attempt blocked by Mod Security. (apache_rules.xml:apache) 6030119 || [OSSEC] Level 12 - Multiple attempts blocked by Mod Security. (apache_rules.xml:apache) 6030120 || [OSSEC] Level 12 - Apache without resources to run. (apache_rules.xml:apache) 6030200 || [OSSEC] Level 6 - Modsecurity alert. (apache_rules.xml:apache) 6030201 || [OSSEC] Level 6 - Modsecurity access denied. (apache_rules.xml:apache) 6030202 || [OSSEC] Level 10 - Multiple attempts blocked by Mod Security. 
(apache_rules.xml:apache) 6031101 || [OSSEC] Level 5 - Web server 400 error code. (web_rules.xml:web,accesslog) 6031103 || [OSSEC] Level 6 - SQL injection attempt. (web_rules.xml:web,accesslog) 6031104 || [OSSEC] Level 6 - Common web attack. (web_rules.xml:web,accesslog) 6031105 || [OSSEC] Level 6 - XSS (Cross Site Scripting) attempt. (web_rules.xml:web,accesslog) 6031106 || [OSSEC] Level 6 - A web attack returned code 200 (success). (web_rules.xml:web,accesslog) 6031115 || [OSSEC] Level 13 - URL too long. Higher than allowed on most browsers. Possible attack. (web_rules.xml:web,accesslog) 6031120 || [OSSEC] Level 5 - Web server 500 error code (server error). (web_rules.xml:web,accesslog) 6031122 || [OSSEC] Level 5 - Web server 500 error code (Internal Error). (web_rules.xml:web,accesslog) 6031151 || [OSSEC] Level 10 - Mutiple web server 400 error codes from same source ip. (web_rules.xml:web,accesslog) 6031152 || [OSSEC] Level 10 - Multiple SQL injection attempts from same souce ip. (web_rules.xml:web,accesslog) 6031153 || [OSSEC] Level 10 - Multiple common web attacks from same souce ip. (web_rules.xml:web,accesslog) 6031154 || [OSSEC] Level 10 - Multiple XSS (Cross Site Scripting) attempts from same souce ip. (web_rules.xml:web,accesslog) 6031161 || [OSSEC] Level 10 - Multiple web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog) 6031162 || [OSSEC] Level 10 - Multiple web server 500 error code (Internal Error). (web_rules.xml:web,accesslog) 6031163 || [OSSEC] Level 10 - Multiple web server 503 error code (Service unavailable). (web_rules.xml:web,accesslog) 6031203 || [OSSEC] Level 9 - Zeus serious log. (zeus_rules.xml:zeus) 6031204 || [OSSEC] Level 12 - Zeus fatal log. (zeus_rules.xml:zeus) 6031205 || [OSSEC] Level 8 - Admin authentication failed. (zeus_rules.xml:zeus) 6031251 || [OSSEC] Level 10 - Multiple Zeus warnings. (zeus_rules.xml:zeus) 6031303 || [OSSEC] Level 5 - Nginx critical message. 
(nginx_rules.xml:apache) 6031315 || [OSSEC] Level 5 - Web authentication failed. (nginx_rules.xml:apache) 6031316 || [OSSEC] Level 10 - Multiple web authentication failures. (nginx_rules.xml:apache) 6031320 || [OSSEC] Level 10 - Invalid URI, file name too long. (nginx_rules.xml:apache) 6031411 || [OSSEC] Level 6 - PHP web attack. (php_rules.xml:apache) 6031412 || [OSSEC] Level 5 - PHP internal error (missing file). (php_rules.xml:apache) 6031420 || [OSSEC] Level 5 - PHP Fatal error. (php_rules.xml:apache) 6031421 || [OSSEC] Level 5 - PHP internal error (missing file or function). (php_rules.xml:apache) 6031430 || [OSSEC] Level 5 - PHP Parse error. (php_rules.xml:apache) 6035003 || [OSSEC] Level 5 - Bad request/Invalid syntax. (squid_rules.xml:squid) 6035004 || [OSSEC] Level 5 - Unauthorized: Failed attempt to access authorization-required file or directory. (squid_rules.xml:squid) 6035005 || [OSSEC] Level 5 - Forbidden: Attempt to access forbidden file or directory. (squid_rules.xml:squid) 6035006 || [OSSEC] Level 5 - Not Found: Attempt to access non-existent file or directory. (squid_rules.xml:squid) 6035007 || [OSSEC] Level 5 - Proxy Authentication Required: User is not authorized to use proxy. (squid_rules.xml:squid) 6035008 || [OSSEC] Level 5 - Squid 400 error code (request failed). (squid_rules.xml:squid) 6035009 || [OSSEC] Level 5 - Squid 500/600 error code (server error). (squid_rules.xml:squid) 6035021 || [OSSEC] Level 6 - Attempt to access a Beagle worm (or variant) file. (squid_rules.xml:squid) 6035022 || [OSSEC] Level 6 - Attempt to access a worm/trojan related site. (squid_rules.xml:squid) 6035051 || [OSSEC] Level 10 - Multiple attempts to access forbidden file or directory from same source ip. (squid_rules.xml:squid) 6035052 || [OSSEC] Level 10 - Multiple unauthorized attempts to use proxy. (squid_rules.xml:squid) 6035053 || [OSSEC] Level 10 - Multiple Bad requests/Invalid syntax. 
(squid_rules.xml:squid) 6035054 || [OSSEC] Level 12 - Infected machine with W32.Beagle.DP. (squid_rules.xml:squid) 6035055 || [OSSEC] Level 10 - Multiple attempts to access a non-existent file. (squid_rules.xml:squid) 6035056 || [OSSEC] Level 12 - Multiple attempts to access a worm/trojan/virus related web site. System probably infected. (squid_rules.xml:squid) 6035057 || [OSSEC] Level 10 - Multiple 400 error codes (requests failed). (squid_rules.xml:squid) 6035058 || [OSSEC] Level 10 - Multiple 500/600 error codes (server error). (squid_rules.xml:squid) 6040101 || [OSSEC] Level 12 - System user successfully logged to the system. (attack_rules.xml:syslog,attacks) 6040102 || [OSSEC] Level 14 - Buffer overflow attack on rpc.statd (attack_rules.xml:syslog,attacks) 6040103 || [OSSEC] Level 14 - Buffer overflow on WU-FTPD versions prior to 2.6 (attack_rules.xml:syslog,attacks) 6040104 || [OSSEC] Level 13 - Possible buffer overflow attempt. (attack_rules.xml:syslog,attacks) 6040105 || [OSSEC] Level 12 - "Null" user changed some information. (attack_rules.xml:syslog,attacks) 6040106 || [OSSEC] Level 12 - Buffer overflow attempt (probably on yppasswd). (attack_rules.xml:syslog,attacks) 6040107 || [OSSEC] Level 14 - Heap overflow in the Solaris cachefsd service. (attack_rules.xml:syslog,attacks) 6040109 || [OSSEC] Level 12 - Stack overflow attempt or program exiting with SEGV (Solaris). (attack_rules.xml:syslog,attacks) 6040111 || [OSSEC] Level 10 - Multiple authentication failures. (attack_rules.xml:syslog,attacks) 6040112 || [OSSEC] Level 12 - Multiple authentication failures followed by a success. (attack_rules.xml:syslog,attacks) 6040113 || [OSSEC] Level 12 - Multiple viruses detected - Possible outbreak. (attack_rules.xml:syslog,attacks) 6040501 || [OSSEC] Level 15 - Attacks followed by the addition of an user. (attack_rules.xml:syslog,elevation_of_privilege) 6040601 || [OSSEC] Level 10 - Network scan from same source ip. 
(attack_rules.xml:syslog,recon) 6050106 || [OSSEC] Level 9 - Database authentication failure. (mysql_rules.xml:mysql_log) 6050120 || [OSSEC] Level 12 - Database shutdown messge. (mysql_rules.xml:mysql_log) 6050125 || [OSSEC] Level 5 - Database error. (mysql_rules.xml:mysql_log) 6050126 || [OSSEC] Level 12 - Database fatal error. (mysql_rules.xml:mysql_log) 6050180 || [OSSEC] Level 10 - Multiple database errors. (mysql_rules.xml:mysql_log) 6050504 || [OSSEC] Level 5 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log) 6050512 || [OSSEC] Level 9 - Database authentication failure. (postgresql_rules.xml:postgresql_log) 6050520 || [OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log) 6050521 || [OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log) 6050580 || [OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log) 6050581 || [OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log) 6100000 || [CISCO-SDEE] IPS/IDS License Expiration || url,wiki.quadrantsec.com/bin/view/Main/6100000 6101000 || [CISCO-SDEE] IP options-Bad Option List || url,wiki.quadrantsec.com/bin/view/Main/6101000 6101001 || [CISCO-SDEE] IP options-Record Packet Route || url,wiki.quadrantsec.com/bin/view/Main/6101001 6101002 || [CISCO-SDEE] IP options-Timestamp || url,wiki.quadrantsec.com/bin/view/Main/6101002 6101003 || [CISCO-SDEE] IP options-Provide s,c,h,tcc || url,wiki.quadrantsec.com/bin/view/Main/6101003 6101004 || [CISCO-SDEE] IP options-Loose Source Route || url,wiki.quadrantsec.com/bin/view/Main/6101004 6101005 || [CISCO-SDEE] IP options-SATNET ID || url,wiki.quadrantsec.com/bin/view/Main/6101005 6101006 || [CISCO-SDEE] IP options-Strict Source Route || url,wiki.quadrantsec.com/bin/view/Main/6101006 6101007 || [CISCO-SDEE] IPv6 over IPv4 or IPv6 || url,wiki.quadrantsec.com/bin/view/Main/6101007 6101018 || [CISCO-SDEE] Lurk Malware Communication || 
url,wiki.quadrantsec.com/bin/view/Main/6101018 6101019 || [CISCO-SDEE] XShellC601 Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101019 6101020 || [CISCO-SDEE] BB Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101020 6101021 || [CISCO-SDEE] Murcy Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101021 6101022 || [CISCO-SDEE] QDigit Malware Communication || url,wiki.quadrantsec.com/bin/view/Main/6101022 6101027 || [CISCO-SDEE] Cisco IOS Software Smart Install Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101027 6101028 || [CISCO-SDEE] BitDefender Internet Security 2009 XSS || url,wiki.quadrantsec.com/bin/view/Main/6101028 6101029 || [CISCO-SDEE] Novell iManager Off By One Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101029 6101030 || [CISCO-SDEE] Symantic IM Manager Administrator Console Code Injection || url,wiki.quadrantsec.com/bin/view/Main/6101030 6101032 || [CISCO-SDEE] Microsoft Windows MPEG Layer-3 Audio Decoder Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101032 6101034 || [CISCO-SDEE] Slowloris Exploit || url,wiki.quadrantsec.com/bin/view/Main/6101034 6101038 || [CISCO-SDEE] Microsoft DNS server Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101038 6101039 || [CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101039 6101040 || [CISCO-SDEE] DNSChanger Malware || url,wiki.quadrantsec.com/bin/view/Main/6101040 6101044 || [CISCO-SDEE] Metasploit Shellcode Encoder || url,wiki.quadrantsec.com/bin/view/Main/6101044 6101051 || [CISCO-SDEE] Novell GroupWise Internet Agent HTTP Request Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101051 6101052 || [CISCO-SDEE] Adobe PDF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101052 6101055 || [CISCO-SDEE] Cisco WebEx WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101055 6101056 || 
[CISCO-SDEE] Corehttp Httpd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101056 6101057 || [CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101057 6101058 || [CISCO-SDEE] Cisco Webex WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101058 6101059 || [CISCO-SDEE] IIS Hit-Highlighting Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101059 6101060 || [CISCO-SDEE] Apache auth_ldap Format String || url,wiki.quadrantsec.com/bin/view/Main/6101060 6101062 || [CISCO-SDEE] Windows Active Directory LDAP Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101062 6101063 || [CISCO-SDEE] BIND 8 TSIG Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101063 6101067 || [CISCO-SDEE] CA BrightStor Backup Products Tape Engine Service RPC Request Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101067 6101069 || [CISCO-SDEE] Microsoft Windows PPTP Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101069 6101076 || [CISCO-SDEE] IBM Tivoli Directory Server 6.0 Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101076 6101077 || [CISCO-SDEE] PHP File Upload GLOBAL Variable Overwrite || url,wiki.quadrantsec.com/bin/view/Main/6101077 6101079 || [CISCO-SDEE] Helix RTSP SETUP Request Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101079 6101080 || [CISCO-SDEE] IBM Informix Long Username Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101080 6101081 || [CISCO-SDEE] Libevent DNS Parsing Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101081 6101082 || [CISCO-SDEE] Libevent DNS Parsing Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101082 6101083 || [CISCO-SDEE] Microsoft Plug and Play Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101083 6101085 || [CISCO-SDEE] Cisco IOS HTTP Server Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101085 6101086 || 
[CISCO-SDEE] Oracle OPMN daemon Format String Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101086 6101088 || [CISCO-SDEE] Oracle XDB FTP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101088 6101089 || [CISCO-SDEE] SAP Message Server Group Parameter Remote Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101089 6101090 || [CISCO-SDEE] NTP MODE_PRIVATE Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101090 6101091 || [CISCO-SDEE] OpenSwan and StrongSwan DPD Packet Remote DoS || url,wiki.quadrantsec.com/bin/view/Main/6101091 6101096 || [CISCO-SDEE] Measuresoft ScadaPro Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6101096 6101097 || [CISCO-SDEE] Siemens FactoryLink Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101097 6101099 || [CISCO-SDEE] Siemens FactoryLink Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101099 6101101 || [CISCO-SDEE] Unknown IP Protocol || url,wiki.quadrantsec.com/bin/view/Main/6101101 6101102 || [CISCO-SDEE] Impossible IP Packet || url,wiki.quadrantsec.com/bin/view/Main/6101102 6101104 || [CISCO-SDEE] IP Localhost Source Spoof || url,wiki.quadrantsec.com/bin/view/Main/6101104 6101105 || [CISCO-SDEE] Siemens FactoryLink Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101105 6101106 || [CISCO-SDEE] Microsys PROMOTIC ActiveX SaveCfg AddTrend Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101106 6101107 || [CISCO-SDEE] RFC 1918 Addresses Seen || url,wiki.quadrantsec.com/bin/view/Main/6101107 6101108 || [CISCO-SDEE] IP Packet with Proto 11 || url,wiki.quadrantsec.com/bin/view/Main/6101108 6101109 || [CISCO-SDEE] Cisco IOS Interface DoS || url,wiki.quadrantsec.com/bin/view/Main/6101109 6101121 || [CISCO-SDEE] Siemens FactoryLink Arbitrary Files Access and Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101121 6101122 || [CISCO-SDEE] OpenOffice Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101122 6101124 || 
[CISCO-SDEE] Microsoft RPC DCOM ISystemActivator Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101124 6101126 || [CISCO-SDEE] WellinTech Kingview Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101126 6101127 || [CISCO-SDEE] Cisco IOS ISAKMP Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101127 6101128 || [CISCO-SDEE] Microsoft RRAS Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101128 6101129 || [CISCO-SDEE] Microsoft Internet Explorer VML Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101129 6101130 || [CISCO-SDEE] Microsoft Windows Malicous Signed Portable Executable File || url,wiki.quadrantsec.com/bin/view/Main/6101130 6101131 || [CISCO-SDEE] Microsoft MSCOMCTL ActiveX Control Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101131 6101132 || [CISCO-SDEE] Microsoft IE OnReadyStateChange Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101132 6101134 || [CISCO-SDEE] Microsoft IE SelectAll Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101134 6101135 || [CISCO-SDEE] Microsoft .NET Framework Parameter Validation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101135 6101136 || [CISCO-SDEE] Microsoft Works Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101136 6101137 || [CISCO-SDEE] Microsoft Livemesh Application || url,wiki.quadrantsec.com/bin/view/Main/6101137 6101138 || [CISCO-SDEE] Microsoft Internet Explorer VML Use After Free || url,wiki.quadrantsec.com/bin/view/Main/6101138 6101140 || [CISCO-SDEE] Samba Marshalling Code Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101140 6101142 || [CISCO-SDEE] Javascript Obfuscation Code Fragment || url,wiki.quadrantsec.com/bin/view/Main/6101142 6101143 || [CISCO-SDEE] DirectX NULL Byte Overwrite Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101143 6101144 || [CISCO-SDEE] Microsoft Office Publisher 2007 Remote Code Execution 
|| url,wiki.quadrantsec.com/bin/view/Main/6101144 6101152 || [CISCO-SDEE] Microsoft Office PowerPoint Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101152 6101155 || [CISCO-SDEE] Microsoft Excel 2003 Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101155 6101157 || [CISCO-SDEE] Microsoft Outlook Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101157 6101166 || [CISCO-SDEE] Apache 2.0 Encoded Backslash Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101166 6101169 || [CISCO-SDEE] Generic Alphanumeric Generated Email Address || url,wiki.quadrantsec.com/bin/view/Main/6101169 6101173 || [CISCO-SDEE] Metasploit Shellcode Encoder || url,wiki.quadrantsec.com/bin/view/Main/6101173 6101182 || [CISCO-SDEE] Visio Viewer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101182 6101183 || [CISCO-SDEE] Microsoft Word RTF Heap Overrun || url,wiki.quadrantsec.com/bin/view/Main/6101183 6101184 || [CISCO-SDEE] Adobe Acrobat Reader Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101184 6101185 || [CISCO-SDEE] Microsoft .NET Framework Serialization Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101185 6101186 || [CISCO-SDEE] Microsoft Excel Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101186 6101187 || [CISCO-SDEE] Microsoft GDI Plus Heap Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101187 6101188 || [CISCO-SDEE] Microsoft .NET Framework Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101188 6101189 || [CISCO-SDEE] Microsoft Excel MergeCells Record Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101189 6101190 || [CISCO-SDEE] Flash Player newfunction Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101190 6101191 || [CISCO-SDEE] Excel Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101191 6101192 || [CISCO-SDEE] Microsoft Excel Remote Code Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6101192 6101193 || [CISCO-SDEE] Microsoft .NET Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101193 6101194 || [CISCO-SDEE] Microsoft GDI Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101194 6101195 || [CISCO-SDEE] Microsoft TrueType Font Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101195 6101196 || [CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101196 6101197 || [CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101197 6101200 || [CISCO-SDEE] IP Fragmentation Buffer Full || url,wiki.quadrantsec.com/bin/view/Main/6101200 6101201 || [CISCO-SDEE] IP Fragment Overlap || url,wiki.quadrantsec.com/bin/view/Main/6101201 6101202 || [CISCO-SDEE] IP Fragment Overrun - Datagram Too Long || url,wiki.quadrantsec.com/bin/view/Main/6101202 6101203 || [CISCO-SDEE] IP Fragment Overwrite - Data is Overwritten || url,wiki.quadrantsec.com/bin/view/Main/6101203 6101204 || [CISCO-SDEE] IP Fragment Missing Initial Fragment || url,wiki.quadrantsec.com/bin/view/Main/6101204 6101205 || [CISCO-SDEE] IP Fragment Too Many Datagrams || url,wiki.quadrantsec.com/bin/view/Main/6101205 6101206 || [CISCO-SDEE] IP Fragment Too Small || url,wiki.quadrantsec.com/bin/view/Main/6101206 6101207 || [CISCO-SDEE] IP Fragment Too Many Fragments in a Datagram || url,wiki.quadrantsec.com/bin/view/Main/6101207 6101208 || [CISCO-SDEE] IP Fragment Incomplete Datagram || url,wiki.quadrantsec.com/bin/view/Main/6101208 6101210 || [CISCO-SDEE] Microsoft Windows Object Packager Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101210 6101212 || [CISCO-SDEE] Spyeye Trojan Toolkit || url,wiki.quadrantsec.com/bin/view/Main/6101212 6101213 || [CISCO-SDEE] Microsoft Internet Explorer Deflate Encoding Memory Corruption || 
url,wiki.quadrantsec.com/bin/view/Main/6101213 6101218 || [CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101218 6101220 || [CISCO-SDEE] Jolt2 Fragment Reassembly DoS attack || url,wiki.quadrantsec.com/bin/view/Main/6101220 6101221 || [CISCO-SDEE] Oracle Database Server DBMS_CDC_PUBLISH SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6101221 6101225 || [CISCO-SDEE] Fragment Flags Invalid || url,wiki.quadrantsec.com/bin/view/Main/6101225 6101250 || [CISCO-SDEE] Packet Bad Length || url,wiki.quadrantsec.com/bin/view/Main/6101250 6101256 || [CISCO-SDEE] Flame Malware || url,wiki.quadrantsec.com/bin/view/Main/6101256 6101258 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101258 6101261 || [CISCO-SDEE] MS Internet Explorer 9 Use After Free || url,wiki.quadrantsec.com/bin/view/Main/6101261 6101263 || [CISCO-SDEE] Microsoft Unauthorized Digital Certificates || url,wiki.quadrantsec.com/bin/view/Main/6101263 6101265 || [CISCO-SDEE] Microsoft Internet Explorer Memory Leak || url,wiki.quadrantsec.com/bin/view/Main/6101265 6101268 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101268 6101270 || [CISCO-SDEE] Microsoft Internet Explorer Title Element Change Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101270 6101271 || [CISCO-SDEE] Microsoft insertAdjacentText Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101271 6101272 || [CISCO-SDEE] Microsoft Internet Explorer Developer Toolbar Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101272 6101273 || [CISCO-SDEE] Microsoft Internet Explorer 8 Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101273 6101274 || [CISCO-SDEE] Microsoft .NET Framework Memory Access Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101274 6101275 || [CISCO-SDEE] Microsoft Dynamics 
AX Enterprise Portal Elevation of Privilege || url,wiki.quadrantsec.com/bin/view/Main/6101275 6101276 || [CISCO-SDEE] Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101276 6101277 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101277 6101279 || [CISCO-SDEE] Microsoft Internet Explorer and Lync HTML Sanitization Cross-Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6101279 6101281 || [CISCO-SDEE] Microsoft XML Core Services Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101281 6101283 || [CISCO-SDEE] Cisco WebEx Player WRF File Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101283 6101284 || [CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101284 6101285 || [CISCO-SDEE] Rockwell ControlLogix Stop Service Code || url,wiki.quadrantsec.com/bin/view/Main/6101285 6101287 || [CISCO-SDEE] Rockwell ControlLogix Reset Service Code || url,wiki.quadrantsec.com/bin/view/Main/6101287 6101288 || [CISCO-SDEE] Cisco TelePresence Recording Server Media Import Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6101288 6101289 || [CISCO-SDEE] Rockwell ControlLogix boot code dump || url,wiki.quadrantsec.com/bin/view/Main/6101289 6101290 || [CISCO-SDEE] Rockwell ControlLogix Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101290 6101291 || [CISCO-SDEE] Rockwell ControlLogix Firmware Update || url,wiki.quadrantsec.com/bin/view/Main/6101291 6101292 || [CISCO-SDEE] Rockwell ControlLogix Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101292 6101293 || [CISCO-SDEE] Rockwell ControlLogix Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101293 6101295 || [CISCO-SDEE] Novell Groupwise Messenger Server Information Leakage || url,wiki.quadrantsec.com/bin/view/Main/6101295 6101296 || [CISCO-SDEE] Cisco Webex WRF JPEG 
DHT Chunk Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101296 6101298 || [CISCO-SDEE] SNMP Enumeration Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6101298 6101300 || [CISCO-SDEE] TCP Segment Overwrite || url,wiki.quadrantsec.com/bin/view/Main/6101300 6101301 || [CISCO-SDEE] TCP Session Inactivity Timeout || url,wiki.quadrantsec.com/bin/view/Main/6101301 6101302 || [CISCO-SDEE] TCP Session Embryonic Timeout || url,wiki.quadrantsec.com/bin/view/Main/6101302 6101303 || [CISCO-SDEE] TCP Session Closing Timeout || url,wiki.quadrantsec.com/bin/view/Main/6101303 6101304 || [CISCO-SDEE] TCP Session Packet Queue Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101304 6101305 || [CISCO-SDEE] TCP URG flag set || url,wiki.quadrantsec.com/bin/view/Main/6101305 6101306 || [CISCO-SDEE] TCP Option Other || url,wiki.quadrantsec.com/bin/view/Main/6101306 6101307 || [CISCO-SDEE] TCP Window Variation || url,wiki.quadrantsec.com/bin/view/Main/6101307 6101308 || [CISCO-SDEE] TTL evasion || url,wiki.quadrantsec.com/bin/view/Main/6101308 6101309 || [CISCO-SDEE] TCP Reserved flags set || url,wiki.quadrantsec.com/bin/view/Main/6101309 6101310 || [CISCO-SDEE] TCP Retransmit Data Different || url,wiki.quadrantsec.com/bin/view/Main/6101310 6101311 || [CISCO-SDEE] TCP Packet Exceeds MSS || url,wiki.quadrantsec.com/bin/view/Main/6101311 6101312 || [CISCO-SDEE] TCP MSS below minimum || url,wiki.quadrantsec.com/bin/view/Main/6101312 6101313 || [CISCO-SDEE] TCP MSS exceeds maximum || url,wiki.quadrantsec.com/bin/view/Main/6101313 6101314 || [CISCO-SDEE] TCP SYN Packet With Data || url,wiki.quadrantsec.com/bin/view/Main/6101314 6101315 || [CISCO-SDEE] ACK w/o TCP Stream || url,wiki.quadrantsec.com/bin/view/Main/6101315 6101316 || [CISCO-SDEE] FIN or RST w/o TCP Stream || url,wiki.quadrantsec.com/bin/view/Main/6101316 6101317 || [CISCO-SDEE] Zero Window Probe || url,wiki.quadrantsec.com/bin/view/Main/6101317 6101326 || [CISCO-SDEE] Microsoft SharePoint 
Reflected List Parameter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101326 6101328 || [CISCO-SDEE] Microsoft IIS Stack Exhaustion DoS || url,wiki.quadrantsec.com/bin/view/Main/6101328 6101329 || [CISCO-SDEE] Microsoft Internet Explorer 9 Cached Object Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101329 6101330 || [CISCO-SDEE] TCP Drop - Bad Checksum || url,wiki.quadrantsec.com/bin/view/Main/6101330 6101331 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101331 6101333 || [CISCO-SDEE] Microsoft Windows Registered Application Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101333 6101334 || [CISCO-SDEE] Microsoft Windows ADO Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101334 6101335 || [CISCO-SDEE] Microsoft Sharepoint Cross Site Scripting Attack || url,wiki.quadrantsec.com/bin/view/Main/6101335 6101338 || [CISCO-SDEE] Cisco Telepresence Command Injection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101338 6101341 || [CISCO-SDEE] Joomla 1.5.12 TinyBrowser File Upload Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101341 6101343 || [CISCO-SDEE] Cisco Common Services Framework Help Servlet XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101343 6101346 || [CISCO-SDEE] Cisco IOS BGP Malformed Attribute Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101346 6101347 || [CISCO-SDEE] Skype Call Activity || url,wiki.quadrantsec.com/bin/view/Main/6101347 6101349 || [CISCO-SDEE] Javascript Trojan Iframe.F || url,wiki.quadrantsec.com/bin/view/Main/6101349 6101350 || [CISCO-SDEE] Microsoft Visio Viewer Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101350 6101353 || [CISCO-SDEE] Symantec Web Gateway Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6101353 6101356 || [CISCO-SDEE] Adobe Flash Player URL Security Domain Checking Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6101356 6101358 || [CISCO-SDEE] Adobe Shockwave Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101358 6101360 || [CISCO-SDEE] IBM Lotus Domino Server Controller Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101360 6101364 || [CISCO-SDEE] Microsoft Remote Administration Protocol Read Access Violation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101364 6101366 || [CISCO-SDEE] Oracle WebCenter ActiveX Control File Creation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101366 6101367 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101367 6101369 || [CISCO-SDEE] Apple Quicktime JPEG2000 Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101369 6101370 || [CISCO-SDEE] FFmpeg 4xm Null Pointer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101370 6101371 || [CISCO-SDEE] Microsoft Internet Explorer Integer Overflow Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101371 6101372 || [CISCO-SDEE] Microsoft Internet Explorer Asynchronous NULL Object Access Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101372 6101373 || [CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101373 6101374 || [CISCO-SDEE] Trend Micro ServerProtect EarthAgent RPC Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101374 6101376 || [CISCO-SDEE] Apple Safari WebKit Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101376 6101377 || [CISCO-SDEE] Google Chrome and Apple Safari Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101377 6101378 || [CISCO-SDEE] Microsoft Visio Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101378 6101379 || [CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101379 
6101380 || [CISCO-SDEE] MSCOMCTL ActiveX Control Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101380 6101381 || [CISCO-SDEE] Microsoft Networking Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101381 6101382 || [CISCO-SDEE] Microsoft Windows Print Spooler Service Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101382 6101384 || [CISCO-SDEE] Microsoft Remote Administration Protocol Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101384 6101385 || [CISCO-SDEE] Microsoft Windows IE Layout Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101385 6101386 || [CISCO-SDEE] Adobe Acrobat Reader Stack Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101386 6101387 || [CISCO-SDEE] Adobe Flash Player Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101387 6101388 || [CISCO-SDEE] OpenSSL CMS Structure OriginatorInfo Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101388 6101389 || [CISCO-SDEE] HP Database Archiving Software GIOP Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101389 6101393 || [CISCO-SDEE] Adobe Acrobat Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101393 6101394 || [CISCO-SDEE] Cisco Linksys PlayerPT ActiveX Control Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101394 6101395 || [CISCO-SDEE] Adobe Flash Player MP4 Sequence Parameter Set Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101395 6101396 || [CISCO-SDEE] Microsoft Visual Studio Cross Site Scripting (XSS) Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101396 6101397 || [CISCO-SDEE] Mozilla Firefox Array.reduceRight Integer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101397 6101398 || [CISCO-SDEE] Microsoft Outlook Web Access Cross Site Request Forgery Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101398 6101399 || [CISCO-SDEE] CA Total Defense Suite 
Information Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101399 6101400 || [CISCO-SDEE] GRE Over IPv6 Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101400 6101401 || [CISCO-SDEE] IPIP Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101401 6101402 || [CISCO-SDEE] MPLS Over IPv6 Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101402 6101403 || [CISCO-SDEE] IPv4 Over IPv6 Encapsulation || url,wiki.quadrantsec.com/bin/view/Main/6101403 6101404 || [CISCO-SDEE] Adobe Shockwave PAMI Chunk Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101404 6101405 || [CISCO-SDEE] Teredo Destination IP Address || url,wiki.quadrantsec.com/bin/view/Main/6101405 6101406 || [CISCO-SDEE] Teredo Source Port || url,wiki.quadrantsec.com/bin/view/Main/6101406 6101407 || [CISCO-SDEE] Teredo Destination Port || url,wiki.quadrantsec.com/bin/view/Main/6101407 6101408 || [CISCO-SDEE] Teredo Data Packet || url,wiki.quadrantsec.com/bin/view/Main/6101408 6101409 || [CISCO-SDEE] GRE Tunnel Detected || url,wiki.quadrantsec.com/bin/view/Main/6101409 6101410 || [CISCO-SDEE] IPv6 Over MPLS Tunnel || url,wiki.quadrantsec.com/bin/view/Main/6101410 6101414 || [CISCO-SDEE] Advanced DNP3 - Unsolicited Response Storm || url,wiki.quadrantsec.com/bin/view/Main/6101414 6101415 || [CISCO-SDEE] Advanced DNP3 - Non-DNP3 Communication on a DNP3 Port || url,wiki.quadrantsec.com/bin/view/Main/6101415 6101417 || [CISCO-SDEE] Advanced DNP3 - Last Received Was A Broadcast Message || url,wiki.quadrantsec.com/bin/view/Main/6101417 6101421 || [CISCO-SDEE] Java 7 Applet Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101421 6101422 || [CISCO-SDEE] Advanced DNP3 - Time Synchronization Required || url,wiki.quadrantsec.com/bin/view/Main/6101422 6101423 || [CISCO-SDEE] Advanced DNP3 - Device Under Local Control || url,wiki.quadrantsec.com/bin/view/Main/6101423 6101424 || [CISCO-SDEE] Advanced DNP3 - Device In Trouble || 
url,wiki.quadrantsec.com/bin/view/Main/6101424 6101425 || [CISCO-SDEE] Advanced DNP3 - Attempt To Use Unsupported Function Code || url,wiki.quadrantsec.com/bin/view/Main/6101425 6101426 || [CISCO-SDEE] Advanced DNP3 - Request Object Unknown Or Errors In Application Data || url,wiki.quadrantsec.com/bin/view/Main/6101426 6101427 || [CISCO-SDEE] Advanced DNP3 - Parameters Out Of Range || url,wiki.quadrantsec.com/bin/view/Main/6101427 6101428 || [CISCO-SDEE] Advanced DNP3 - Event Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101428 6101429 || [CISCO-SDEE] Advanced DNP3 - Already Executing Request || url,wiki.quadrantsec.com/bin/view/Main/6101429 6101430 || [CISCO-SDEE] Advanced DNP3 - Corrupt Configuration Error || url,wiki.quadrantsec.com/bin/view/Main/6101430 6101431 || [CISCO-SDEE] Advanced DNP3 - Invalid Reserved IIN Flags Set || url,wiki.quadrantsec.com/bin/view/Main/6101431 6101432 || [CISCO-SDEE] Advanced DNP3 - Active Configuration || url,wiki.quadrantsec.com/bin/view/Main/6101432 6101433 || [CISCO-SDEE] Advanced DNP3 - Authentication Request || url,wiki.quadrantsec.com/bin/view/Main/6101433 6101434 || [CISCO-SDEE] Advanced DNP3 - Authentication Reply || url,wiki.quadrantsec.com/bin/view/Main/6101434 6101435 || [CISCO-SDEE] Advanced DNP3 - Authentication Error || url,wiki.quadrantsec.com/bin/view/Main/6101435 6101436 || [CISCO-SDEE] Advanced DNP3 - Authentication Response Or Authentication Challenge || url,wiki.quadrantsec.com/bin/view/Main/6101436 6101437 || [CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Challenge || url,wiki.quadrantsec.com/bin/view/Main/6101437 6101438 || [CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Response Storm || url,wiki.quadrantsec.com/bin/view/Main/6101438 6101439 || [CISCO-SDEE] Advanced DNP3 - Device Restarted || url,wiki.quadrantsec.com/bin/view/Main/6101439 6101441 || [CISCO-SDEE] Shamoon Malware Activity || url,wiki.quadrantsec.com/bin/view/Main/6101441 6101442 || [CISCO-SDEE] Microsoft Visual 
Studio Team Web Access XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101442 6101444 || [CISCO-SDEE] Microsoft System Center Configuration Manager Reflected XSS || url,wiki.quadrantsec.com/bin/view/Main/6101444 6101445 || [CISCO-SDEE] Adobe Reader Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101445 6101446 || [CISCO-SDEE] BaoFeng Storm ActiveX Control Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101446 6101447 || [CISCO-SDEE] Ganglia Stack Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101447 6101451 || [CISCO-SDEE] Cisco WebEx Player Player Heap Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101451 6101455 || [CISCO-SDEE] Adobe Reader Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101455 6101459 || [CISCO-SDEE] Oracle Fusion Middleware Outside In Excel File Parsing Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101459 6101460 || [CISCO-SDEE] OpenLDAP Modrdn Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101460 6101461 || [CISCO-SDEE] DATAC Control RealWin SCADA Server Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101461 6101462 || [CISCO-SDEE] RealNetworks Helix Universal Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101462 6101464 || [CISCO-SDEE] DD-WRT Arbitrary Shell Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101464 6101466 || [CISCO-SDEE] Microsoft Internet Explorer execCommand Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101466 6101468 || [CISCO-SDEE] EMC NetWorker Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101468 6101469 || [CISCO-SDEE] Microsoft Office Visio Object Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101469 6101470 || [CISCO-SDEE] Mozilla Firefox and SeaMonkey Remote Cross-Site Scripting Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6101470 6101471 || [CISCO-SDEE] Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101471 6101472 || [CISCO-SDEE] Microsoft Windows Embedded OpenType Font Processing Heap Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101472 6101474 || [CISCO-SDEE] XDP Encoded PDF File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6101474 6101475 || [CISCO-SDEE] Webex Player Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101475 6101476 || [CISCO-SDEE] Cisco ASA and FWSM DCERPC Inspection DoS || url,wiki.quadrantsec.com/bin/view/Main/6101476 6101478 || [CISCO-SDEE] Cisco ASA PIX Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101478 6101480 || [CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101480 6101481 || [CISCO-SDEE] Microsoft Internet Explorer cloneNode Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101481 6101482 || [CISCO-SDEE] Microsoft Internet Explorer Document Layout Processing Use-After-Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101482 6101483 || [CISCO-SDEE] Microsoft Internet Explorer 9 Event Listener Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101483 6101487 || [CISCO-SDEE] Cisco WebEx Recording Format Player Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101487 6101492 || [CISCO-SDEE] CISCO ASA DCERPC Inspection Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101492 6101493 || [CISCO-SDEE] Distributed Denial of Service on Financial Institutions || url,wiki.quadrantsec.com/bin/view/Main/6101493 6101494 || [CISCO-SDEE] Cisco WebEx Recording Format Player Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101494 6101495 || [CISCO-SDEE] Microsoft Word Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101495 6101496 || [CISCO-SDEE] Microsoft 
Works 9 Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101496 6101497 || [CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101497 6101498 || [CISCO-SDEE] Microsoft SQL Server Report Manager Reflected Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101498 6101501 || [CISCO-SDEE] Microsoft Word PAPX Section Processing Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101501 6101503 || [CISCO-SDEE] PHP Response-Splitting Protection Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101503 6101504 || [CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101504 6101507 || [CISCO-SDEE] RealNetworks Helix Server RTSP SETUP Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101507 6101508 || [CISCO-SDEE] ImageMagick ResolutionUnit Tag Invalid Validation Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101508 6101511 || [CISCO-SDEE] Microsoft Office TIFF Image Converter Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101511 6101512 || [CISCO-SDEE] HP Easy Printer Care HPTicketMgr.dll ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101512 6101513 || [CISCO-SDEE] Adobe SWF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101513 6101514 || [CISCO-SDEE] Adobe SWF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101514 6101520 || [CISCO-SDEE] Modbus TCP - Invalid Function Code Is Used || url,wiki.quadrantsec.com/bin/view/Main/6101520 6101524 || [CISCO-SDEE] Modbus TCP - Reserved Function Code Used || url,wiki.quadrantsec.com/bin/view/Main/6101524 6101528 || [CISCO-SDEE] Adobe SWF Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101528 6101532 || [CISCO-SDEE] Google Chrome and Apple Safari Use-After-Free Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101532 6101534 
|| [CISCO-SDEE] EMC NetWorker Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101534 6101535 || [CISCO-SDEE] Exim Mail Transfer Agent Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101535 6101536 || [CISCO-SDEE] Adobe Acrobat PDF Font Processing Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101536 6101537 || [CISCO-SDEE] Oracle Outside In JPEG 2000 Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101537 6101538 || [CISCO-SDEE] Cisco Unified MeetingPlace Web Conferencing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101538 6101540 || [CISCO-SDEE] Oracle Hyperion Strategic Finance Client Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101540 6101545 || [CISCO-SDEE] Adobe Reader Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101545 6101546 || [CISCO-SDEE] H3C and Huawei SNMP Access Control Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101546 6101547 || [CISCO-SDEE] Microsoft Office Word 2010 Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101547 6101548 || [CISCO-SDEE] Microsoft Office Picture Manager Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101548 6101550 || [CISCO-SDEE] Novell Netware XNFS.NLM xdrDecodeString Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101550 6101555 || [CISCO-SDEE] Firefox SVGTextElement.getCharNumAtPositio Use-After-Free || url,wiki.quadrantsec.com/bin/view/Main/6101555 6101556 || [CISCO-SDEE] HP Intelligent Management Center Multiple Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101556 6101563 || [CISCO-SDEE] IBM Lotus Notes URL Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101563 6101564 || [CISCO-SDEE] Microsoft Internet Explorer Cross Domain Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101564 6101565 || [CISCO-SDEE] Novell ZENworks Asset Management Web Console Information Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6101565 6101566 || [CISCO-SDEE] Microsoft Vista Speech Recognition ActiveX Vulnerabilities || url,wiki.quadrantsec.com/bin/view/Main/6101566 6101569 || [CISCO-SDEE] HP StorageWorks P4000 Virtual SAN Appliance Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101569 6101570 || [CISCO-SDEE] Apple iCloud Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101570 6101571 || [CISCO-SDEE] Novell File Reporter Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101571 6101572 || [CISCO-SDEE] HP Operations Agent for NonStop Server HEALTH Packet Parsing Stack Buffer || url,wiki.quadrantsec.com/bin/view/Main/6101572 6101573 || [CISCO-SDEE] Macromedia Shockwave ActiveX SwDir.dll Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101573 6101574 || [CISCO-SDEE] VMWare ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101574 6101575 || [CISCO-SDEE] Novell iPrint Client ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101575 6101577 || [CISCO-SDEE] Asterisk SIP Channel Driver Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101577 6101578 || [CISCO-SDEE] TFTPD32 Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101578 6101579 || [CISCO-SDEE] Asterisk SIP INVITE Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101579 6101580 || [CISCO-SDEE] Adobe Shockwave Player Director Record Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101580 6101584 || [CISCO-SDEE] Microsoft Windows Explorer Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101584 6101585 || [CISCO-SDEE] Microsoft Windows Explorer Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101585 6101586 || [CISCO-SDEE] VLC Media Player Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101586 6101587 || [CISCO-SDEE] Microsoft Windows File Enumeration Memory Corruption Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6101587 6101588 || [CISCO-SDEE] Microsoft Excel Stack Overflow Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101588 6101589 || [CISCO-SDEE] Microsoft Excel Invalid Length Use After Free || url,wiki.quadrantsec.com/bin/view/Main/6101589 6101591 || [CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101591 6101593 || [CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101593 6101595 || [CISCO-SDEE] Asterisk Skinny Channel Driver Capabilities_Res_Message Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101595 6101596 || [CISCO-SDEE] Microsoft Internet Explorer CFormElement Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101596 6101597 || [CISCO-SDEE] Microsoft .NET Framework Web Proxy Auto-Discovery Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101597 6101598 || [CISCO-SDEE] Oracle Business Intelligence Enterprise Edition Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6101598 6101600 || [CISCO-SDEE] ICMPv6 zero length option || url,wiki.quadrantsec.com/bin/view/Main/6101600 6101601 || [CISCO-SDEE] ICMPv6 option type 1 violation || url,wiki.quadrantsec.com/bin/view/Main/6101601 6101602 || [CISCO-SDEE] ICMPv6 option type 2 violation || url,wiki.quadrantsec.com/bin/view/Main/6101602 6101603 || [CISCO-SDEE] ICMPv6 option type 3 violation || url,wiki.quadrantsec.com/bin/view/Main/6101603 6101604 || [CISCO-SDEE] ICMPv6 option type 4 violation || url,wiki.quadrantsec.com/bin/view/Main/6101604 6101605 || [CISCO-SDEE] ICMPv6 option type 5 violation || url,wiki.quadrantsec.com/bin/view/Main/6101605 6101606 || [CISCO-SDEE] ICMPv6 short option data || url,wiki.quadrantsec.com/bin/view/Main/6101606 6101607 || [CISCO-SDEE] IPv6 multi-crafted fragments || url,wiki.quadrantsec.com/bin/view/Main/6101607 6101608 || [CISCO-SDEE] Microsoft Internet 
Explorer CTreePos Element Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101608 6101609 || [CISCO-SDEE] Microsoft .NET Framework Code Access Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6101609 6101610 || [CISCO-SDEE] ICMPv6 Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6101610 6101611 || [CISCO-SDEE] ICMPv6 Echo Reply || url,wiki.quadrantsec.com/bin/view/Main/6101611 6101612 || [CISCO-SDEE] ICMPv6 Destination Unreachable || url,wiki.quadrantsec.com/bin/view/Main/6101612 6101613 || [CISCO-SDEE] ICMPv6 Packet Too Big Message || url,wiki.quadrantsec.com/bin/view/Main/6101613 6101614 || [CISCO-SDEE] ICMPv6 Time Exceeded Message || url,wiki.quadrantsec.com/bin/view/Main/6101614 6101615 || [CISCO-SDEE] ICMPv6 Parameter Problem Message || url,wiki.quadrantsec.com/bin/view/Main/6101615 6101616 || [CISCO-SDEE] ICMPv6 Group Membership Query || url,wiki.quadrantsec.com/bin/view/Main/6101616 6101617 || [CISCO-SDEE] ICMPv6 Group Membership Report || url,wiki.quadrantsec.com/bin/view/Main/6101617 6101618 || [CISCO-SDEE] ICMPv6 Membership Reduction || url,wiki.quadrantsec.com/bin/view/Main/6101618 6101619 || [CISCO-SDEE] ICMPv6 Router Solicitation || url,wiki.quadrantsec.com/bin/view/Main/6101619 6101620 || [CISCO-SDEE] ICMPv6 Router Advertisement || url,wiki.quadrantsec.com/bin/view/Main/6101620 6101621 || [CISCO-SDEE] ICMPv6 Neighbor Solicitation || url,wiki.quadrantsec.com/bin/view/Main/6101621 6101622 || [CISCO-SDEE] ICMPv6 Neighbor Advertisement || url,wiki.quadrantsec.com/bin/view/Main/6101622 6101623 || [CISCO-SDEE] ICMPv6 Redirect || url,wiki.quadrantsec.com/bin/view/Main/6101623 6101624 || [CISCO-SDEE] ICMPv6 Router Renumbering || url,wiki.quadrantsec.com/bin/view/Main/6101624 6101625 || [CISCO-SDEE] ICMPv6 Membership Report V2 || url,wiki.quadrantsec.com/bin/view/Main/6101625 6101626 || [CISCO-SDEE] Large ICMPV6 Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101626 6101627 || [CISCO-SDEE] Fragmented ICMPv6 
Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101627 6101628 || [CISCO-SDEE] ICMPv6 Traffic over IPv4 || url,wiki.quadrantsec.com/bin/view/Main/6101628 6101629 || [CISCO-SDEE] ICMP Traffic over IPv6 || url,wiki.quadrantsec.com/bin/view/Main/6101629 6101630 || [CISCO-SDEE] ICMPv6 Packet Too Big || url,wiki.quadrantsec.com/bin/view/Main/6101630 6101631 || [CISCO-SDEE] Microsoft .NET Framework Reflection Bypass Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101631 6101632 || [CISCO-SDEE] Unix CUPS HTTP GET Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6101632 6101635 || [CISCO-SDEE] Bootpd 2.4.3 Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101635 6101636 || [CISCO-SDEE] Mozilla Firefox 1.0.7 InstallTrigger.Install Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101636 6101637 || [CISCO-SDEE] Mozilla Firefox Javascript Engine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101637 6101638 || [CISCO-SDEE] Mozilla Firefox CSS Layout Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101638 6101641 || [CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101641 6101642 || [CISCO-SDEE] Windows Kernel-Mode Driver Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101642 6101643 || [CISCO-SDEE] Apple Safari Out of Bounds Access Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101643 6101646 || [CISCO-SDEE] Metasploit Java Applet Payload Creation || url,wiki.quadrantsec.com/bin/view/Main/6101646 6101653 || [CISCO-SDEE] Novell GroupWise Internet Agent RRULE Weekday Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101653 6101654 || [CISCO-SDEE] PNG Embedded File Type || url,wiki.quadrantsec.com/bin/view/Main/6101654 6101664 || [CISCO-SDEE] Adobe Flash Player ActionScript callMethod Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101664 6101671 || [CISCO-SDEE] Oracle Secure Backup Server Command 
Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101671 6101681 || [CISCO-SDEE] Microsoft Windows Open Type Font Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101681 6101683 || [CISCO-SDEE] Microsoft IE Improper Ref Counting Use After Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101683 6101693 || [CISCO-SDEE] GXV-3000 SIP Phone Eavesdropping Exploit || url,wiki.quadrantsec.com/bin/view/Main/6101693 6101694 || [CISCO-SDEE] Xitami Web Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101694 6101695 || [CISCO-SDEE] Rlogin Root Access || url,wiki.quadrantsec.com/bin/view/Main/6101695 6101696 || [CISCO-SDEE] Rlogin Guest Access || url,wiki.quadrantsec.com/bin/view/Main/6101696 6101697 || [CISCO-SDEE] Rlogin Nobody Access || url,wiki.quadrantsec.com/bin/view/Main/6101697 6101700 || [CISCO-SDEE] IPv6 Hop-by-Hop Options Present || url,wiki.quadrantsec.com/bin/view/Main/6101700 6101702 || [CISCO-SDEE] IPv6 Routing Header Present || url,wiki.quadrantsec.com/bin/view/Main/6101702 6101703 || [CISCO-SDEE] IPv6 Fragmented Traffic || url,wiki.quadrantsec.com/bin/view/Main/6101703 6101704 || [CISCO-SDEE] IPv6 Authentication Header Present || url,wiki.quadrantsec.com/bin/view/Main/6101704 6101705 || [CISCO-SDEE] IPv6 ESP Header Present || url,wiki.quadrantsec.com/bin/view/Main/6101705 6101706 || [CISCO-SDEE] Invalid IPv6 Header Traffic Class Field || url,wiki.quadrantsec.com/bin/view/Main/6101706 6101707 || [CISCO-SDEE] Invalid IPv6 Header Flow Label Field || url,wiki.quadrantsec.com/bin/view/Main/6101707 6101708 || [CISCO-SDEE] IPv6 Header Contains An Invalid Address || url,wiki.quadrantsec.com/bin/view/Main/6101708 6101709 || [CISCO-SDEE] Microsoft Office Word RTF Document Processing Arbitrary Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101709 6101710 || [CISCO-SDEE] IPv6 Extensions Headers Out Of Order || url,wiki.quadrantsec.com/bin/view/Main/6101710 6101711 || [CISCO-SDEE] 
Duplicate IPv6 Extension Headers || url,wiki.quadrantsec.com/bin/view/Main/6101711 6101712 || [CISCO-SDEE] IPv6 Packet Contains Duplicate Src And Dst Address || url,wiki.quadrantsec.com/bin/view/Main/6101712 6101713 || [CISCO-SDEE] IPv6 Header Contains Multicast Source Address || url,wiki.quadrantsec.com/bin/view/Main/6101713 6101714 || [CISCO-SDEE] IPv6 Address Set To localhost || url,wiki.quadrantsec.com/bin/view/Main/6101714 6101716 || [CISCO-SDEE] IPv6 Options Padding Too Long || url,wiki.quadrantsec.com/bin/view/Main/6101716 6101717 || [CISCO-SDEE] Back To Back Padding Options || url,wiki.quadrantsec.com/bin/view/Main/6101717 6101718 || [CISCO-SDEE] IPv6 Option Data Too Short || url,wiki.quadrantsec.com/bin/view/Main/6101718 6101719 || [CISCO-SDEE] IPv6 Endpoint Identification Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101719 6101720 || [CISCO-SDEE] IPv6 Jumbo Payload Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101720 6101721 || [CISCO-SDEE] IPv6 Router Alert Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101721 6101722 || [CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101722 6101723 || [CISCO-SDEE] IPv6 Packet Contains Unassigned Options || url,wiki.quadrantsec.com/bin/view/Main/6101723 6101724 || [CISCO-SDEE] IPv6 Endpoint Identification Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101724 6101725 || [CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101725 6101726 || [CISCO-SDEE] IPv6 Invalid Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101726 6101727 || [CISCO-SDEE] IPv6 Router Alert Option Set || url,wiki.quadrantsec.com/bin/view/Main/6101727 6101728 || [CISCO-SDEE] IPv6 Routing Header Type 0 || url,wiki.quadrantsec.com/bin/view/Main/6101728 6101729 || [CISCO-SDEE] Telnet Failure Log XSS || url,wiki.quadrantsec.com/bin/view/Main/6101729 6101730 || [CISCO-SDEE] IPv6 Type 1 Routing Header || 
url,wiki.quadrantsec.com/bin/view/Main/6101730 6101731 || [CISCO-SDEE] IPv6 Type 2 Routing Header || url,wiki.quadrantsec.com/bin/view/Main/6101731 6101732 || [CISCO-SDEE] IPv6 Routing Header Type Unknown Type || url,wiki.quadrantsec.com/bin/view/Main/6101732 6101733 || [CISCO-SDEE] Invalid IPv6 Routing Header Length || url,wiki.quadrantsec.com/bin/view/Main/6101733 6101734 || [CISCO-SDEE] IPv6 Routing Header Incomplete || url,wiki.quadrantsec.com/bin/view/Main/6101734 6101735 || [CISCO-SDEE] IPv6 Routing Header Contains Invalid IP Address || url,wiki.quadrantsec.com/bin/view/Main/6101735 6101736 || [CISCO-SDEE] IPv6 Routing Header Contains A Loop || url,wiki.quadrantsec.com/bin/view/Main/6101736 6101737 || [CISCO-SDEE] IPv6 Routing Header Reserved Bits Set || url,wiki.quadrantsec.com/bin/view/Main/6101737 6101738 || [CISCO-SDEE] IPv6 Unnecessary Fragment Header || url,wiki.quadrantsec.com/bin/view/Main/6101738 6101739 || [CISCO-SDEE] IPv6 Illegal Fragmentation || url,wiki.quadrantsec.com/bin/view/Main/6101739 6101740 || [CISCO-SDEE] Small IPv6 Fragments || url,wiki.quadrantsec.com/bin/view/Main/6101740 6101741 || [CISCO-SDEE] IPv6 Fragment Header Reserved Bits Set || url,wiki.quadrantsec.com/bin/view/Main/6101741 6101742 || [CISCO-SDEE] IPv6 No Next Header Option Present || url,wiki.quadrantsec.com/bin/view/Main/6101742 6101743 || [CISCO-SDEE] PHP phpinfo() Cross-Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101743 6101747 || [CISCO-SDEE] MySQL Database Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6101747 6101749 || [CISCO-SDEE] Peercast Basic Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101749 6101755 || [CISCO-SDEE] PHP zip URL Wrapper Buffer Overflow (HTTP) || url,wiki.quadrantsec.com/bin/view/Main/6101755 6101756 || [CISCO-SDEE] Axigen POP3 Server Remote Format String Attack || url,wiki.quadrantsec.com/bin/view/Main/6101756 6101758 || [CISCO-SDEE] VLC HTTPD Format String Bug || 
url,wiki.quadrantsec.com/bin/view/Main/6101758 6101760 || [CISCO-SDEE] Sun Solaris RWall Daemon Syslog Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101760 6101761 || [CISCO-SDEE] PHP Post File Upload Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101761 6101762 || [CISCO-SDEE] Modbus TCP - Value Scan || url,wiki.quadrantsec.com/bin/view/Main/6101762 6101773 || [CISCO-SDEE] Synergy Clipboard Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101773 6101774 || [CISCO-SDEE] iPlanet Web Admin Server Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6101774 6101775 || [CISCO-SDEE] Netware Client Service Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101775 6101777 || [CISCO-SDEE] Microsoft IIS 4.0 Information Leaking Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101777 6101778 || [CISCO-SDEE] Microsoft IIS 4.0 Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101778 6101780 || [CISCO-SDEE] CVS Server Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101780 6101781 || [CISCO-SDEE] Nimda Worm TFTP Request || url,wiki.quadrantsec.com/bin/view/Main/6101781 6101786 || [CISCO-SDEE] Computer Associates Total Defense Suite UNCWS SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6101786 6101787 || [CISCO-SDEE] Oracle Java Remote Compiler Option Loading || url,wiki.quadrantsec.com/bin/view/Main/6101787 6101789 || [CISCO-SDEE] Tom Sawyer GET Extension Factory ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101789 6101790 || [CISCO-SDEE] Microsoft System Center Operations Manager Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6101790 6101791 || [CISCO-SDEE] HeapLib Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6101791 6101792 || [CISCO-SDEE] Internet Explorer CButton User After Free || url,wiki.quadrantsec.com/bin/view/Main/6101792 6101793 || [CISCO-SDEE] Microsoft .NET Framework OData Services 
Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101793 6101794 || [CISCO-SDEE] Microsoft XML Core Services Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101794 6101799 || [CISCO-SDEE] Citrix Streamprocess Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101799 6101801 || [CISCO-SDEE] RealNetworks RealPlayer URL Parsing Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101801 6101802 || [CISCO-SDEE] Ruby on Rails Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101802 6101803 || [CISCO-SDEE] Microsoft Exchange iCal DoS || url,wiki.quadrantsec.com/bin/view/Main/6101803 6101804 || [CISCO-SDEE] Java 1.7 Update 10 Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101804 6101807 || [CISCO-SDEE] Cisco ASA 1000v Cloud Firewall H.323 Inspection Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101807 6101813 || [CISCO-SDEE] Oracle Java Applet Rhino Script Engine Policy Bypass || url,wiki.quadrantsec.com/bin/view/Main/6101813 6101814 || [CISCO-SDEE] x.509 Certificate NULL Byte Name Insertion || url,wiki.quadrantsec.com/bin/view/Main/6101814 6101815 || [CISCO-SDEE] x.509 Certificate Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101815 6101819 || [CISCO-SDEE] IOS IPSLA DoS || url,wiki.quadrantsec.com/bin/view/Main/6101819 6101820 || [CISCO-SDEE] Quest Software Big Brother Arbitrary File Deletion and Overwriting || url,wiki.quadrantsec.com/bin/view/Main/6101820 6101822 || [CISCO-SDEE] Squid Gopher Parsing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101822 6101823 || [CISCO-SDEE] CUPS GIF Parsing Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101823 6101831 || [CISCO-SDEE] Microsoft .NET XML Signature Syntax and Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101831 6101833 || [CISCO-SDEE] Citrix XenApp And XenDesktop XML Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101833 6101835 || [CISCO-SDEE] Sunway 
ForceControl SNMP NetDBServer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101835 6101836 || [CISCO-SDEE] HP JetDirect PJL Interface Universal Path Traversal || url,wiki.quadrantsec.com/bin/view/Main/6101836 6101837 || [CISCO-SDEE] HTML5 Heap Spray || url,wiki.quadrantsec.com/bin/view/Main/6101837 6101838 || [CISCO-SDEE] Wibu-Systems WibuKey Runtime for Windows ActiveX Control Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101838 6101850 || [CISCO-SDEE] Novell eDirectory LDAP Null Search Parameter Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101850 6101851 || [CISCO-SDEE] Portable SDK for UPnP Devices Buffer Overflow Vulnerabilities || url,wiki.quadrantsec.com/bin/view/Main/6101851 6101853 || [CISCO-SDEE] Ruby On Rails Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101853 6101855 || [CISCO-SDEE] Novell Netware XNFS.NLM Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101855 6101857 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101857 6101858 || [CISCO-SDEE] HP OmniInet.exe Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101858 6101862 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101862 6101863 || [CISCO-SDEE] Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101863 6101864 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101864 6101865 || [CISCO-SDEE] Novell GroupWise Internet Agent Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101865 6101866 || [CISCO-SDEE] Mozilla Firefox DOM Insertions Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101866 6101867 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101867 6101868 || 
[CISCO-SDEE] Microsoft Vector Markup Language Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101868 6101873 || [CISCO-SDEE] Cisco ATA 187 Remote Access Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101873 6101874 || [CISCO-SDEE] VoipNow Professional Nsextt Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101874 6101877 || [CISCO-SDEE] WebERP Local File Include Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101877 6101878 || [CISCO-SDEE] Sun Java Web Console Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101878 6101880 || [CISCO-SDEE] Elefant CMS ID Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101880 6101881 || [CISCO-SDEE] D-Link DSL-2640B Redpass.Cgi Cross Site Request Forgery Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101881 6101882 || [CISCO-SDEE] Mozilla Firefox Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101882 6101883 || [CISCO-SDEE] JW Player Logo.Link Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101883 6101885 || [CISCO-SDEE] WordPress Count Per Day Plugin Datemin Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101885 6101886 || [CISCO-SDEE] WordPress Wp-ImageZoom File Parameter Remote File Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101886 6101892 || [CISCO-SDEE] InduSoft Web Studio Unauthenticated Insecure Remote Operations || url,wiki.quadrantsec.com/bin/view/Main/6101892 6101894 || [CISCO-SDEE] Bitweaver Highlight Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101894 6101895 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101895 6101896 || [CISCO-SDEE] XAMPP Cds.Php Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101896 6101898 || [CISCO-SDEE] Nagios XI VisApi.Php 
Div Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101898 6101899 || [CISCO-SDEE] MGB Guestbook Index.Php Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101899 6101900 || [CISCO-SDEE] WordPress Church_Admin Id Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101900 6101904 || [CISCO-SDEE] JW Player Playerready Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101904 6101908 || [CISCO-SDEE] Sophos E-Mail Security Virtual Appliance Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101908 6101909 || [CISCO-SDEE] KindEditor Name Parameter Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101909 6101911 || [CISCO-SDEE] WordPress Rich Widget Plugin Arbitrary File Upload Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101911 6101914 || [CISCO-SDEE] Zenoss ViewDaemonLog Daemon Arbitrary Log File Access Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101914 6101920 || [CISCO-SDEE] HP Application Lifecycle Management XGO.ocx Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101920 6101922 || [CISCO-SDEE] ManageEngine Support Center Plus Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101922 6101924 || [CISCO-SDEE] SilverStripe BackURL Parameter URI Redirection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101924 6101925 || [CISCO-SDEE] Symphony CMS BluePRINTs URI SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6101925 6101926 || [CISCO-SDEE] WordPress ABC Test Plugin Id Parameter XSS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101926 6101927 || [CISCO-SDEE] WordPress Crayon Syntax Highlighter Wp_load Remote File Include || url,wiki.quadrantsec.com/bin/view/Main/6101927 6101928 || [CISCO-SDEE] Lattice Semiconductor Diamond Programmer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101928 6101929 || [CISCO-SDEE] 
Mcrypt Check File Head Stack Based Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101929 6101930 || [CISCO-SDEE] WordPress Cross Site Request Forgery Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101930 6101931 || [CISCO-SDEE] WordPress Newsletter Preview.php File Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101931 6101933 || [CISCO-SDEE] DocXP Fid Parameter Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101933 6101937 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101937 6101938 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101938 6101939 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101939 6101940 || [CISCO-SDEE] Microsoft Internet Explore Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101940 6101941 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101941 6101942 || [CISCO-SDEE] Microsoft Internet Explorer Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6101942 6101944 || [CISCO-SDEE] Oracle Outside In CorelDRAW File Parser Heap Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6101944 6101945 || [CISCO-SDEE] Trend Micro Control Manager Cross Site Request Forgery || url,wiki.quadrantsec.com/bin/view/Main/6101945 6101946 || [CISCO-SDEE] Apple Safari WebKit SVG Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101946 6101947 || [CISCO-SDEE] Adobe Flash Player Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101947 6101949 || [CISCO-SDEE] Internet Explorer Cloned DOM Object Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101949 6101950 || [CISCO-SDEE] Adobe Flash Player Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101950 6101958 || [CISCO-SDEE] Apache DoS 
|| url,wiki.quadrantsec.com/bin/view/Main/6101958 6101959 || [CISCO-SDEE] Apple Safari WebKit innerHTML Double Free Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101959 6101969 || [CISCO-SDEE] WINS Service Failed Response Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101969 6101972 || [CISCO-SDEE] Hewlett-Packard OpenView Network Node Manager Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101972 6101973 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101973 6101974 || [CISCO-SDEE] Novell GroupWise HTTP Interfaces Arbitrary File Retrieval || url,wiki.quadrantsec.com/bin/view/Main/6101974 6101975 || [CISCO-SDEE] APT1 SSL Certificate || url,wiki.quadrantsec.com/bin/view/Main/6101975 6101976 || [CISCO-SDEE] Cisco IOS Zone-based Firewall SIP Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6101976 6101977 || [CISCO-SDEE] Adobe Flash Player Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6101977 6101978 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101978 6101981 || [CISCO-SDEE] Microsoft Office Visio Viewer VSD File Type Confusion || url,wiki.quadrantsec.com/bin/view/Main/6101981 6101984 || [CISCO-SDEE] Microsoft Sharepoint XSS || url,wiki.quadrantsec.com/bin/view/Main/6101984 6101990 || [CISCO-SDEE] Microsoft Sharepoint XSS || url,wiki.quadrantsec.com/bin/view/Main/6101990 6101993 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6101993 6101997 || [CISCO-SDEE] Microsoft WKSSVC NetpManageIPCConnect Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101997 6101998 || [CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6101998 6102000 || [CISCO-SDEE] ICMP Echo Reply || url,wiki.quadrantsec.com/bin/view/Main/6102000 6102001 || 
[CISCO-SDEE] ICMP Host Unreachable || url,wiki.quadrantsec.com/bin/view/Main/6102001 6102002 || [CISCO-SDEE] ICMP Source Quench || url,wiki.quadrantsec.com/bin/view/Main/6102002 6102003 || [CISCO-SDEE] ICMP Redirect || url,wiki.quadrantsec.com/bin/view/Main/6102003 6102004 || [CISCO-SDEE] ICMP Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6102004 6102005 || [CISCO-SDEE] ICMP Time Exceeded for a Datagram || url,wiki.quadrantsec.com/bin/view/Main/6102005 6102006 || [CISCO-SDEE] ICMP Parameter Problem on Datagram || url,wiki.quadrantsec.com/bin/view/Main/6102006 6102007 || [CISCO-SDEE] ICMP Timestamp Request || url,wiki.quadrantsec.com/bin/view/Main/6102007 6102008 || [CISCO-SDEE] ICMP Timestamp Reply || url,wiki.quadrantsec.com/bin/view/Main/6102008 6102009 || [CISCO-SDEE] ICMP Information Request || url,wiki.quadrantsec.com/bin/view/Main/6102009 6102010 || [CISCO-SDEE] ICMP Information Reply || url,wiki.quadrantsec.com/bin/view/Main/6102010 6102012 || [CISCO-SDEE] ICMP Address Mask Reply || url,wiki.quadrantsec.com/bin/view/Main/6102012 6102019 || [CISCO-SDEE] 7T IGSS Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6102019 6102021 || [CISCO-SDEE] Microsoft Windows SMB PIPE Remote Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102021 6102023 || [CISCO-SDEE] Schneider Electric Accutech Manager HTTP Request Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6102023 6102024 || [CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102024 6102030 || [CISCO-SDEE] Microsoft Internet Explorer CCaret Use-After-Free Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102030 6102034 || [CISCO-SDEE] Microsoft OneNote Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6102034 6102036 || [CISCO-SDEE] Microsoft SharePoint Elevation of Privilege || url,wiki.quadrantsec.com/bin/view/Main/6102036 6102038 || [CISCO-SDEE] Microsoft Internet 
Explorer Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6102038 6102039 || [CISCO-SDEE] Internet Explorer 8 Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6102039 6102100 || [CISCO-SDEE] ICMP Network Sweep With Echo || url,wiki.quadrantsec.com/bin/view/Main/6102100 6102101 || [CISCO-SDEE] ICMP Network Sweep w/Timestamp || url,wiki.quadrantsec.com/bin/view/Main/6102101 6102102 || [CISCO-SDEE] ICMP Network Sweep w/Address Mask || url,wiki.quadrantsec.com/bin/view/Main/6102102 6102150 || [CISCO-SDEE] Fragmented ICMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6102150 6102151 || [CISCO-SDEE] Large ICMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6102151 6102152 || [CISCO-SDEE] ICMP Flood || url,wiki.quadrantsec.com/bin/view/Main/6102152 6102153 || [CISCO-SDEE] ICMP Smurf Attack || url,wiki.quadrantsec.com/bin/view/Main/6102153 6102154 || [CISCO-SDEE] Ping of Death Attack || url,wiki.quadrantsec.com/bin/view/Main/6102154 6102155 || [CISCO-SDEE] Modem DoS || url,wiki.quadrantsec.com/bin/view/Main/6102155 6102156 || [CISCO-SDEE] Nachi Worm ICMP Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6102156 6102157 || [CISCO-SDEE] ICMP Hard Error DoS || url,wiki.quadrantsec.com/bin/view/Main/6102157 6102158 || [CISCO-SDEE] Nachi Worm ICMP Echo Request || url,wiki.quadrantsec.com/bin/view/Main/6102158 6102159 || [CISCO-SDEE] ICMP Destination Unreachable Protocol Unreachable || url,wiki.quadrantsec.com/bin/view/Main/6102159 6102200 || [CISCO-SDEE] Invalid IGMP Header DoS || url,wiki.quadrantsec.com/bin/view/Main/6102200 6102201 || [CISCO-SDEE] IGMP over fragmented IP || url,wiki.quadrantsec.com/bin/view/Main/6102201 6102202 || [CISCO-SDEE] IGMP Invalid Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6102202 6103001 || [CISCO-SDEE] TCP Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103001 6103002 || [CISCO-SDEE] TCP SYN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103002 6103003 || [CISCO-SDEE] TCP Frag 
SYN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103003 6103005 || [CISCO-SDEE] TCP FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103005 6103006 || [CISCO-SDEE] TCP Frag FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103006 6103010 || [CISCO-SDEE] TCP High Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103010 6103011 || [CISCO-SDEE] TCP FIN High Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103011 6103012 || [CISCO-SDEE] TCP Frag FIN High Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103012 6103015 || [CISCO-SDEE] TCP Null Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103015 6103016 || [CISCO-SDEE] TCP Frag Null Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103016 6103020 || [CISCO-SDEE] TCP SYN FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103020 6103021 || [CISCO-SDEE] TCP Frag SYN FIN Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103021 6103030 || [CISCO-SDEE] TCP SYN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103030 6103031 || [CISCO-SDEE] TCP FRAG SYN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103031 6103032 || [CISCO-SDEE] TCP FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103032 6103033 || [CISCO-SDEE] TCP FRAG FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103033 6103034 || [CISCO-SDEE] TCP NULL Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103034 6103035 || [CISCO-SDEE] TCP FRAG NULL Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103035 6103036 || [CISCO-SDEE] TCP SYN FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103036 6103037 || [CISCO-SDEE] TCP FRAG SYN FIN Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103037 6103038 || [CISCO-SDEE] Fragmented NULL TCP Packet || url,wiki.quadrantsec.com/bin/view/Main/6103038 6103039 || [CISCO-SDEE] Fragmented Orphaned FIN packet || url,wiki.quadrantsec.com/bin/view/Main/6103039 6103040 || [CISCO-SDEE] TCP NULL Packet || 
url,wiki.quadrantsec.com/bin/view/Main/6103040 6103041 || [CISCO-SDEE] TCP SYN/FIN Packet || url,wiki.quadrantsec.com/bin/view/Main/6103041 6103042 || [CISCO-SDEE] Orphaned Fin Packet || url,wiki.quadrantsec.com/bin/view/Main/6103042 6103043 || [CISCO-SDEE] Fragmented SYN/FIN Packet || url,wiki.quadrantsec.com/bin/view/Main/6103043 6103045 || [CISCO-SDEE] Queso Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103045 6103046 || [CISCO-SDEE] NMAP OS Fingerprint || url,wiki.quadrantsec.com/bin/view/Main/6103046 6103050 || [CISCO-SDEE] Half-open SYN Attack || url,wiki.quadrantsec.com/bin/view/Main/6103050 6103051 || [CISCO-SDEE] TCP Connection Window Size RST DoS || url,wiki.quadrantsec.com/bin/view/Main/6103051 6103052 || [CISCO-SDEE] UPNP Service Host Sweep || url,wiki.quadrantsec.com/bin/view/Main/6103052 6103100 || [CISCO-SDEE] SMTP RCPT TO: Bounce || url,wiki.quadrantsec.com/bin/view/Main/6103100 6103101 || [CISCO-SDEE] Sendmail Invalid Recipient || url,wiki.quadrantsec.com/bin/view/Main/6103101 6103102 || [CISCO-SDEE] Sendmail Invalid Sender || url,wiki.quadrantsec.com/bin/view/Main/6103102 6103103 || [CISCO-SDEE] Sendmail Reconnaissance || url,wiki.quadrantsec.com/bin/view/Main/6103103 6103104 || [CISCO-SDEE] Archaic Sendmail Attacks || url,wiki.quadrantsec.com/bin/view/Main/6103104 6103105 || [CISCO-SDEE] Sendmail Decode Alias || url,wiki.quadrantsec.com/bin/view/Main/6103105 6103106 || [CISCO-SDEE] Mail Spam || url,wiki.quadrantsec.com/bin/view/Main/6103106 6103107 || [CISCO-SDEE] Majordomo Execute Attack || url,wiki.quadrantsec.com/bin/view/Main/6103107 6103108 || [CISCO-SDEE] SMTP MIME Content Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103108 6103109 || [CISCO-SDEE] Long SMTP Command || url,wiki.quadrantsec.com/bin/view/Main/6103109 6103110 || [CISCO-SDEE] Suspicious Mail Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103110 6103111 || [CISCO-SDEE] W32 Sircam Malicious Code || url,wiki.quadrantsec.com/bin/view/Main/6103111 6103112 || 
[CISCO-SDEE] Lotus Domino Mail Loop DoS || url,wiki.quadrantsec.com/bin/view/Main/6103112 6103113 || [CISCO-SDEE] Email Attachment with Malicious Payload || url,wiki.quadrantsec.com/bin/view/Main/6103113 6103114 || [CISCO-SDEE] FetchMail Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6103114 6103115 || [CISCO-SDEE] Sendmail Data Header Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103115 6103116 || [CISCO-SDEE] Netbus || url,wiki.quadrantsec.com/bin/view/Main/6103116 6103117 || [CISCO-SDEE] KLEZ Worm || url,wiki.quadrantsec.com/bin/view/Main/6103117 6103118 || [CISCO-SDEE] rwhoisd format string || url,wiki.quadrantsec.com/bin/view/Main/6103118 6103119 || [CISCO-SDEE] WS_FTP STAT Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103119 6103120 || [CISCO-SDEE] ANTS Virus || url,wiki.quadrantsec.com/bin/view/Main/6103120 6103121 || [CISCO-SDEE] Vintra MailServer EXPN DoS || url,wiki.quadrantsec.com/bin/view/Main/6103121 6103122 || [CISCO-SDEE] SMTP EXPN root Recon || url,wiki.quadrantsec.com/bin/view/Main/6103122 6103123 || [CISCO-SDEE] NetBus Pro Traffic || url,wiki.quadrantsec.com/bin/view/Main/6103123 6103124 || [CISCO-SDEE] Sendmail prescan Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6103124 6103125 || [CISCO-SDEE] Postfix 1.1.12 envelope address DoS || url,wiki.quadrantsec.com/bin/view/Main/6103125 6103126 || [CISCO-SDEE] Postfix bounce scan || url,wiki.quadrantsec.com/bin/view/Main/6103126 6103127 || [CISCO-SDEE] SMTP AUTH Brute Force Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103127 6103128 || [CISCO-SDEE] Exchange xexch50 overflow || url,wiki.quadrantsec.com/bin/view/Main/6103128 6103129 || [CISCO-SDEE] Mimail Virus C Variant File Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103129 6103130 || [CISCO-SDEE] Mimail Virus I Variant File Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103130 6103131 || [CISCO-SDEE] Mimail Virus L Variant File Attachment || 
url,wiki.quadrantsec.com/bin/view/Main/6103131 6103132 || [CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103132 6103133 || [CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment Variant B || url,wiki.quadrantsec.com/bin/view/Main/6103133 6103134 || [CISCO-SDEE] DoomJuice Worm network probe || url,wiki.quadrantsec.com/bin/view/Main/6103134 6103135 || [CISCO-SDEE] MyDoom Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103135 6103136 || [CISCO-SDEE] Netsky Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103136 6103137 || [CISCO-SDEE] Sober Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103137 6103138 || [CISCO-SDEE] Bagle.C Virus Email Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103138 6103139 || [CISCO-SDEE] Bagle.E Virus Email Attachment || url,wiki.quadrantsec.com/bin/view/Main/6103139 6103140 || [CISCO-SDEE] Bagle Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6103140 6103141 || [CISCO-SDEE] Lovgate Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103141 6103142 || [CISCO-SDEE] Sasser Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103142 6103143 || [CISCO-SDEE] BERBEW Trojan Activity || url,wiki.quadrantsec.com/bin/view/Main/6103143 6103144 || [CISCO-SDEE] Ratos Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103144 6103145 || [CISCO-SDEE] ZAFI Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103145 6103146 || [CISCO-SDEE] Bropia Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6103146 6103150 || [CISCO-SDEE] FTP Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103150 6103151 || [CISCO-SDEE] FTP SYST Command Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103151 6103152 || [CISCO-SDEE] FTP CWD ~root || url,wiki.quadrantsec.com/bin/view/Main/6103152 6103153 || [CISCO-SDEE] FTP Improper Address Specified || url,wiki.quadrantsec.com/bin/view/Main/6103153 6103154 || [CISCO-SDEE] FTP Improper Port Specified || 
url,wiki.quadrantsec.com/bin/view/Main/6103154 6103155 || [CISCO-SDEE] FTP RETR Pipe Filename Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103155 6103156 || [CISCO-SDEE] FTP STOR Pipe Filename Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103156 6103157 || [CISCO-SDEE] FTP PASV Port Spoof || url,wiki.quadrantsec.com/bin/view/Main/6103157 6103158 || [CISCO-SDEE] FTP SITE EXEC Format String || url,wiki.quadrantsec.com/bin/view/Main/6103158 6103159 || [CISCO-SDEE] FTP PASS Suspicious Length || url,wiki.quadrantsec.com/bin/view/Main/6103159 6103160 || [CISCO-SDEE] Cesar FTP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103160 6103161 || [CISCO-SDEE] FTP realpath Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103161 6103162 || [CISCO-SDEE] glFtpD LIST DoS || url,wiki.quadrantsec.com/bin/view/Main/6103162 6103163 || [CISCO-SDEE] WU-FTPD Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6103163 6103164 || [CISCO-SDEE] Instant Server Mini Portal Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103164 6103165 || [CISCO-SDEE] FTP SITE EXEC || url,wiki.quadrantsec.com/bin/view/Main/6103165 6103166 || [CISCO-SDEE] FTP USER Suspicious Length || url,wiki.quadrantsec.com/bin/view/Main/6103166 6103167 || [CISCO-SDEE] Format String in FTP username || url,wiki.quadrantsec.com/bin/view/Main/6103167 6103168 || [CISCO-SDEE] FTP SITE EXEC Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103168 6103169 || [CISCO-SDEE] FTP SITE EXEC tar || url,wiki.quadrantsec.com/bin/view/Main/6103169 6103170 || [CISCO-SDEE] WS_FTP SITE CPWD Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103170 6103171 || [CISCO-SDEE] FTP Priviledged Login || url,wiki.quadrantsec.com/bin/view/Main/6103171 6103172 || [CISCO-SDEE] Ftp Cwd Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103172 6103173 || [CISCO-SDEE] Long FTP Command || url,wiki.quadrantsec.com/bin/view/Main/6103173 6103175 || [CISCO-SDEE] ProFTPD 
STAT DoS || url,wiki.quadrantsec.com/bin/view/Main/6103175 6103177 || [CISCO-SDEE] Long MDTM Command || url,wiki.quadrantsec.com/bin/view/Main/6103177 6103178 || [CISCO-SDEE] Denial Of Service in Microsoft SMS Client || url,wiki.quadrantsec.com/bin/view/Main/6103178 6103179 || [CISCO-SDEE] ftpdchk DOS || url,wiki.quadrantsec.com/bin/view/Main/6103179 6103180 || [CISCO-SDEE] BakBone NetVault Remote Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103180 6103181 || [CISCO-SDEE] dSMTP Mail Server Format String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103181 6103200 || [CISCO-SDEE] WWW Phf Attack || url,wiki.quadrantsec.com/bin/view/Main/6103200 6103202 || [CISCO-SDEE] WWW .url File Requested || url,wiki.quadrantsec.com/bin/view/Main/6103202 6103203 || [CISCO-SDEE] WWW .lnk File Requested || url,wiki.quadrantsec.com/bin/view/Main/6103203 6103204 || [CISCO-SDEE] WWW .bat File Requested || url,wiki.quadrantsec.com/bin/view/Main/6103204 6103205 || [CISCO-SDEE] HTML File Has .url Link || url,wiki.quadrantsec.com/bin/view/Main/6103205 6103206 || [CISCO-SDEE] HTML File Has .lnk Link || url,wiki.quadrantsec.com/bin/view/Main/6103206 6103207 || [CISCO-SDEE] HTML File Has .bat Link || url,wiki.quadrantsec.com/bin/view/Main/6103207 6103208 || [CISCO-SDEE] WWW Campas Attack || url,wiki.quadrantsec.com/bin/view/Main/6103208 6103209 || [CISCO-SDEE] WWW Glimpse Server Attack || url,wiki.quadrantsec.com/bin/view/Main/6103209 6103210 || [CISCO-SDEE] WWW IIS View Source Attack || url,wiki.quadrantsec.com/bin/view/Main/6103210 6103211 || [CISCO-SDEE] WWW IIS Hex View Source Attack || url,wiki.quadrantsec.com/bin/view/Main/6103211 6103212 || [CISCO-SDEE] WWW NPH-TEST-CGI Attack || url,wiki.quadrantsec.com/bin/view/Main/6103212 6103213 || [CISCO-SDEE] WWW TEST-CGI Attack || url,wiki.quadrantsec.com/bin/view/Main/6103213 6103214 || [CISCO-SDEE] IIS DOT DOT VIEW Attack || url,wiki.quadrantsec.com/bin/view/Main/6103214 6103215 || [CISCO-SDEE] IIS DOT DOT EXECUTE Attack || 
url,wiki.quadrantsec.com/bin/view/Main/6103215 6103216 || [CISCO-SDEE] WWW Directory Traversal ../.. || url,wiki.quadrantsec.com/bin/view/Main/6103216 6103217 || [CISCO-SDEE] WWW php View File Attack || url,wiki.quadrantsec.com/bin/view/Main/6103217 6103218 || [CISCO-SDEE] WWW SGI Wrap Attack || url,wiki.quadrantsec.com/bin/view/Main/6103218 6103219 || [CISCO-SDEE] WWW PHP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103219 6103220 || [CISCO-SDEE] IIS Long URL Attack || url,wiki.quadrantsec.com/bin/view/Main/6103220 6103221 || [CISCO-SDEE] WWW CGI-Viewsource Attack || url,wiki.quadrantsec.com/bin/view/Main/6103221 6103222 || [CISCO-SDEE] WWW PHP Log Scripts Read Attack || url,wiki.quadrantsec.com/bin/view/Main/6103222 6103223 || [CISCO-SDEE] WWW IRIX cgi-handler Attack || url,wiki.quadrantsec.com/bin/view/Main/6103223 6103224 || [CISCO-SDEE] HTTP WebGais || url,wiki.quadrantsec.com/bin/view/Main/6103224 6103225 || [CISCO-SDEE] WWW websendmail File Access || url,wiki.quadrantsec.com/bin/view/Main/6103225 6103226 || [CISCO-SDEE] WWW Webdist Bug || url,wiki.quadrantsec.com/bin/view/Main/6103226 6103227 || [CISCO-SDEE] WWW Htmlscript Bug || url,wiki.quadrantsec.com/bin/view/Main/6103227 6103228 || [CISCO-SDEE] WWW Performer Attack || url,wiki.quadrantsec.com/bin/view/Main/6103228 6103229 || [CISCO-SDEE] Website Win-C-Sample Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103229 6103230 || [CISCO-SDEE] Website Uploader || url,wiki.quadrantsec.com/bin/view/Main/6103230 6103231 || [CISCO-SDEE] Novell Convert Attack || url,wiki.quadrantsec.com/bin/view/Main/6103231 6103232 || [CISCO-SDEE] WWW finger attempt || url,wiki.quadrantsec.com/bin/view/Main/6103232 6103233 || [CISCO-SDEE] WWW count-cgi Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103233 6103234 || [CISCO-SDEE] IE Local Trusted Resource Execution || url,wiki.quadrantsec.com/bin/view/Main/6103234 6103235 || [CISCO-SDEE] showHelp CHM File Execution Weakness || 
url,wiki.quadrantsec.com/bin/view/Main/6103235 6103236 || [CISCO-SDEE] IIS Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6103236 6103250 || [CISCO-SDEE] TCP Hijack || url,wiki.quadrantsec.com/bin/view/Main/6103250 6103251 || [CISCO-SDEE] TCP Hijack Simplex Mode || url,wiki.quadrantsec.com/bin/view/Main/6103251 6103252 || [CISCO-SDEE] Microsoft Agent ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6103252 6103253 || [CISCO-SDEE] HTTP Request Smuggling || url,wiki.quadrantsec.com/bin/view/Main/6103253 6103254 || [CISCO-SDEE] XML-RPC PHP Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103254 6103255 || [CISCO-SDEE] Apache Long HTTP Header DoS || url,wiki.quadrantsec.com/bin/view/Main/6103255 6103300 || [CISCO-SDEE] NetBIOS OOB Data || url,wiki.quadrantsec.com/bin/view/Main/6103300 6103301 || [CISCO-SDEE] NETBIOS Stat || url,wiki.quadrantsec.com/bin/view/Main/6103301 6103302 || [CISCO-SDEE] NBT NetBios Session Service Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6103302 6103303 || [CISCO-SDEE] SMB Login successful with Guest Privileges || url,wiki.quadrantsec.com/bin/view/Main/6103303 6103304 || [CISCO-SDEE] SMB NULL login attempt || url,wiki.quadrantsec.com/bin/view/Main/6103304 6103305 || [CISCO-SDEE] SMB 95 98 Password File Access || url,wiki.quadrantsec.com/bin/view/Main/6103305 6103306 || [CISCO-SDEE] SMB Remote Registry Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103306 6103307 || [CISCO-SDEE] Red Button || url,wiki.quadrantsec.com/bin/view/Main/6103307 6103308 || [CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103308 6103309 || [CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103309 6103310 || [CISCO-SDEE] Netbios Enum Share DoS || url,wiki.quadrantsec.com/bin/view/Main/6103310 6103311 || [CISCO-SDEE] SMB Remote SAM Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103311 6103312 || 
[CISCO-SDEE] SMB .eml email file remote access || url,wiki.quadrantsec.com/bin/view/Main/6103312 6103313 || [CISCO-SDEE] SMB Suspicious Password Usage || url,wiki.quadrantsec.com/bin/view/Main/6103313 6103314 || [CISCO-SDEE] Windows Locator Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103314 6103315 || [CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6103315 6103316 || [CISCO-SDEE] Project1 DOS || url,wiki.quadrantsec.com/bin/view/Main/6103316 6103317 || [CISCO-SDEE] LSASS DCE RPC Request || url,wiki.quadrantsec.com/bin/view/Main/6103317 6103318 || [CISCO-SDEE] DsRolerUpgradeDownlevelServer Request || url,wiki.quadrantsec.com/bin/view/Main/6103318 6103319 || [CISCO-SDEE] DCE RPC Request || url,wiki.quadrantsec.com/bin/view/Main/6103319 6103320 || [CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103320 6103321 || [CISCO-SDEE] SMB User Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6103321 6103322 || [CISCO-SDEE] SMB Windows Share Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6103322 6103323 || [CISCO-SDEE] SMB: RFPoison Attack || url,wiki.quadrantsec.com/bin/view/Main/6103323 6103324 || [CISCO-SDEE] SMB NIMDA Infected File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6103324 6103325 || [CISCO-SDEE] Samba call_trans2open Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103325 6103326 || [CISCO-SDEE] Windows Startup Folder Remote Access || url,wiki.quadrantsec.com/bin/view/Main/6103326 6103327 || [CISCO-SDEE] Windows RPC DCOM Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103327 6103328 || [CISCO-SDEE] Windows SMB RPC NoOp Sled || url,wiki.quadrantsec.com/bin/view/Main/6103328 6103329 || [CISCO-SDEE] Windows RPCSS Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103329 6103330 || [CISCO-SDEE] Windows RPCSS Overflow 2 || url,wiki.quadrantsec.com/bin/view/Main/6103330 6103331 || [CISCO-SDEE] UDP MSRPC Messenger Overflow 
|| url,wiki.quadrantsec.com/bin/view/Main/6103331 6103332 || [CISCO-SDEE] TCP MSRPC Messenger Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103332 6103333 || [CISCO-SDEE] SMB MSRPC Messenger Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103333 6103334 || [CISCO-SDEE] Windows Workstation Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103334 6103335 || [CISCO-SDEE] Anig Worm File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6103335 6103336 || [CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103336 6103337 || [CISCO-SDEE] Windows RPC Race Condition Exploitation || url,wiki.quadrantsec.com/bin/view/Main/6103337 6103338 || [CISCO-SDEE] Windows LSASS RPC Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103338 6103339 || [CISCO-SDEE] Windows System32 Directory File Creation || url,wiki.quadrantsec.com/bin/view/Main/6103339 6103340 || [CISCO-SDEE] Windows Shell External Handler || url,wiki.quadrantsec.com/bin/view/Main/6103340 6103341 || [CISCO-SDEE] Metasploit Activity || url,wiki.quadrantsec.com/bin/view/Main/6103341 6103342 || [CISCO-SDEE] Windows NetDDE Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103342 6103343 || [CISCO-SDEE] Windows Account Locked || url,wiki.quadrantsec.com/bin/view/Main/6103343 6103344 || [CISCO-SDEE] Windows 2000 TCP RPC DoS || url,wiki.quadrantsec.com/bin/view/Main/6103344 6103345 || [CISCO-SDEE] RPC WinNuke || url,wiki.quadrantsec.com/bin/view/Main/6103345 6103346 || [CISCO-SDEE] Windows TSShutdn.exe Attempt || url,wiki.quadrantsec.com/bin/view/Main/6103346 6103347 || [CISCO-SDEE] Windows ASN.1 Library Bit String Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6103347 6103348 || [CISCO-SDEE] NetBIOS Disk Enumerations || url,wiki.quadrantsec.com/bin/view/Main/6103348 6103349 || [CISCO-SDEE] NetBIOS Date And Time Enumerations || url,wiki.quadrantsec.com/bin/view/Main/6103349 6103350 || [CISCO-SDEE] NetBIOS Transport Enumerations || 
url,wiki.quadrantsec.com/bin/view/Main/6103350 6103351 || [CISCO-SDEE] NetBIOS User Session Enumerations || url,wiki.quadrantsec.com/bin/view/Main/6103351 6103352 || [CISCO-SDEE] Samba Fragment Reassembly Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103352 6103353 || [CISCO-SDEE] SMB Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103353 6103356 || [CISCO-SDEE] Remote Registry Request DoS || url,wiki.quadrantsec.com/bin/view/Main/6103356 6103357 || [CISCO-SDEE] Invalid Netbios Name || url,wiki.quadrantsec.com/bin/view/Main/6103357 6103400 || [CISCO-SDEE] Sun Kill Telnet DoS || url,wiki.quadrantsec.com/bin/view/Main/6103400 6103401 || [CISCO-SDEE] Telnet-IFS Match || url,wiki.quadrantsec.com/bin/view/Main/6103401 6103402 || [CISCO-SDEE] BSD Telnet Daemon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103402 6103403 || [CISCO-SDEE] Telnet Excessive Environment Options || url,wiki.quadrantsec.com/bin/view/Main/6103403 6103404 || [CISCO-SDEE] SysV /bin/login Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103404 6103405 || [CISCO-SDEE] Avirt Gateway Proxy Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103405 6103406 || [CISCO-SDEE] Solaris TTYPROMPT Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103406 6103407 || [CISCO-SDEE] Telnet Client NEW ENVIRON Option Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103407 6103408 || [CISCO-SDEE] Telnet Client LINEMODE SLC Option Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103408 6103409 || [CISCO-SDEE] Telnet Over Non-standard Ports || url,wiki.quadrantsec.com/bin/view/Main/6103409 6103450 || [CISCO-SDEE] Finger Bomb || url,wiki.quadrantsec.com/bin/view/Main/6103450 6103451 || [CISCO-SDEE] BearShare Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103451 6103452 || [CISCO-SDEE] Gopherd Halidate Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103452 6103453 || [CISCO-SDEE] MS NetMeeting RDS DoS || url,wiki.quadrantsec.com/bin/view/Main/6103453 
6103454 || [CISCO-SDEE] Check Point Firewall Information Leak || url,wiki.quadrantsec.com/bin/view/Main/6103454 6103455 || [CISCO-SDEE] Java Web Server Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6103455 6103456 || [CISCO-SDEE] Solaris in.fingerd Information Leak || url,wiki.quadrantsec.com/bin/view/Main/6103456 6103457 || [CISCO-SDEE] Finger root shell || url,wiki.quadrantsec.com/bin/view/Main/6103457 6103458 || [CISCO-SDEE] AIM game invite overflow || url,wiki.quadrantsec.com/bin/view/Main/6103458 6103459 || [CISCO-SDEE] ValiCert Forms.exe Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103459 6103461 || [CISCO-SDEE] Finger probe || url,wiki.quadrantsec.com/bin/view/Main/6103461 6103462 || [CISCO-SDEE] Finger Redirect || url,wiki.quadrantsec.com/bin/view/Main/6103462 6103463 || [CISCO-SDEE] Finger root || url,wiki.quadrantsec.com/bin/view/Main/6103463 6103464 || [CISCO-SDEE] File access in finger || url,wiki.quadrantsec.com/bin/view/Main/6103464 6103465 || [CISCO-SDEE] Finger Activity || url,wiki.quadrantsec.com/bin/view/Main/6103465 6103466 || [CISCO-SDEE] RAS/PPTP Malformed Control Packet DOS || url,wiki.quadrantsec.com/bin/view/Main/6103466 6103500 || [CISCO-SDEE] Rlogin -froot Attack || url,wiki.quadrantsec.com/bin/view/Main/6103500 6103501 || [CISCO-SDEE] Rlogin Long TERM Variable || url,wiki.quadrantsec.com/bin/view/Main/6103501 6103502 || [CISCO-SDEE] rlogin Activity || url,wiki.quadrantsec.com/bin/view/Main/6103502 6103525 || [CISCO-SDEE] IMAP Authenticate Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103525 6103526 || [CISCO-SDEE] Imap Login Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103526 6103527 || [CISCO-SDEE] UW imapd Overflows || url,wiki.quadrantsec.com/bin/view/Main/6103527 6103528 || [CISCO-SDEE] IPSwitch IMail DELETE Command Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103528 6103529 || [CISCO-SDEE] IMAP Long EXAMINE Command || url,wiki.quadrantsec.com/bin/view/Main/6103529 6103530 || [CISCO-SDEE] 
Cisco Secure ACS Oversized TACACS+ Attack || url,wiki.quadrantsec.com/bin/view/Main/6103530 6103531 || [CISCO-SDEE] Cisco IOS Telnet DoS || url,wiki.quadrantsec.com/bin/view/Main/6103531 6103532 || [CISCO-SDEE] Malformed BGP Open Message || url,wiki.quadrantsec.com/bin/view/Main/6103532 6103533 || [CISCO-SDEE] Cisco IOS Misformed BGP Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6103533 6103534 || [CISCO-SDEE] IMAP Long AUTHENTICATE Command || url,wiki.quadrantsec.com/bin/view/Main/6103534 6103537 || [CISCO-SDEE] MailEnable HTTP Authorization Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103537 6103540 || [CISCO-SDEE] Cisco Secure ACS CSAdmin Attack || url,wiki.quadrantsec.com/bin/view/Main/6103540 6103550 || [CISCO-SDEE] POP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103550 6103551 || [CISCO-SDEE] POP User Root || url,wiki.quadrantsec.com/bin/view/Main/6103551 6103575 || [CISCO-SDEE] INN Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103575 6103576 || [CISCO-SDEE] INN Control Message Exploit || url,wiki.quadrantsec.com/bin/view/Main/6103576 6103577 || [CISCO-SDEE] IMAP LOGIN Command Invalid Username || url,wiki.quadrantsec.com/bin/view/Main/6103577 6103578 || [CISCO-SDEE] IMAP Format String || url,wiki.quadrantsec.com/bin/view/Main/6103578 6103600 || [CISCO-SDEE] IOS Telnet Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103600 6103601 || [CISCO-SDEE] IOS Command History Exploit || url,wiki.quadrantsec.com/bin/view/Main/6103601 6103602 || [CISCO-SDEE] IOS Cisco Identification || url,wiki.quadrantsec.com/bin/view/Main/6103602 6103603 || [CISCO-SDEE] IOS Enable Bypass || url,wiki.quadrantsec.com/bin/view/Main/6103603 6103604 || [CISCO-SDEE] Cisco Catalyst CR DoS || url,wiki.quadrantsec.com/bin/view/Main/6103604 6103650 || [CISCO-SDEE] SSH RSAREF2 Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103650 6103651 || [CISCO-SDEE] SSH CRC32 Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103651 
6103652 || [CISCO-SDEE] SSH Gobbles || url,wiki.quadrantsec.com/bin/view/Main/6103652 6103653 || [CISCO-SDEE] Multiple Rapid SSH Connections || url,wiki.quadrantsec.com/bin/view/Main/6103653 6103654 || [CISCO-SDEE] SSH Gobbles Exploit || url,wiki.quadrantsec.com/bin/view/Main/6103654 6103700 || [CISCO-SDEE] CDE dtspcd Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103700 6103701 || [CISCO-SDEE] Oracle 9iAS Web Cache Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103701 6103702 || [CISCO-SDEE] Default sa account access || url,wiki.quadrantsec.com/bin/view/Main/6103702 6103703 || [CISCO-SDEE] Squid FTP URL Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103703 6103704 || [CISCO-SDEE] IIS FTP STAT Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6103704 6103705 || [CISCO-SDEE] Tivoli Storage Manager Client Acceptor Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103705 6103706 || [CISCO-SDEE] MIT PGP Public Key Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103706 6103707 || [CISCO-SDEE] Perl fingerd Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6103707 6103708 || [CISCO-SDEE] AnalogX Proxy Socks4a DNS Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103708 6103709 || [CISCO-SDEE] AnalogX Proxy Web Proxy Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103709 6103710 || [CISCO-SDEE] Cisco Secure ACS Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6103710 6103711 || [CISCO-SDEE] Informer FW1 Auth Replay DoS || url,wiki.quadrantsec.com/bin/view/Main/6103711 6103714 || [CISCO-SDEE] Oracle TNS 'Service_Name' Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103714 6103716 || [CISCO-SDEE] GDI+ JPEG Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103716 6103718 || [CISCO-SDEE] Windows .ANI File DoS || url,wiki.quadrantsec.com/bin/view/Main/6103718 6103719 || [CISCO-SDEE] MSN Messenger PNG Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103719 6103720 || [CISCO-SDEE] MSSQL sa 
Account Brute Force || url,wiki.quadrantsec.com/bin/view/Main/6103720 6103721 || [CISCO-SDEE] TNS Brute Force || url,wiki.quadrantsec.com/bin/view/Main/6103721 6103728 || [CISCO-SDEE] Long pop username || url,wiki.quadrantsec.com/bin/view/Main/6103728 6103729 || [CISCO-SDEE] Long pop password || url,wiki.quadrantsec.com/bin/view/Main/6103729 6103730 || [CISCO-SDEE] Trinoo (TCP) || url,wiki.quadrantsec.com/bin/view/Main/6103730 6103731 || [CISCO-SDEE] IMail HTTP Get Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103731 6103732 || [CISCO-SDEE] MSSQL xp_cmdshell Usage || url,wiki.quadrantsec.com/bin/view/Main/6103732 6103733 || [CISCO-SDEE] Real Server Format Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103733 6103734 || [CISCO-SDEE] Cfengine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103734 6103735 || [CISCO-SDEE] CVS Flag Insertion Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103735 6103736 || [CISCO-SDEE] Subversion get-dated-rev overflow || url,wiki.quadrantsec.com/bin/view/Main/6103736 6103737 || [CISCO-SDEE] Squid Proxy NTLM Authenticate Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103737 6103738 || [CISCO-SDEE] CVS Argumentx Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6103738 6103739 || [CISCO-SDEE] Nullsoft SHOUTcast Format String Attack || url,wiki.quadrantsec.com/bin/view/Main/6103739 6103740 || [CISCO-SDEE] IMail LDAP Service Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103740 6103782 || [CISCO-SDEE] mIRC DCC Send Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103782 6103783 || [CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103783 6103784 || [CISCO-SDEE] BrightStor Discovery Service SERVICEPC Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103784 6103785 || [CISCO-SDEE] Oracle 9i XDB FTP UNLOCK Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103785 6103786 || [CISCO-SDEE] Oracle 9i XDB FTP PASS Buffer 
Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103786 6103787 || [CISCO-SDEE] IRIX Printing System Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103787 6103788 || [CISCO-SDEE] Solaris LPD Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103788 6103789 || [CISCO-SDEE] DistCC Daemon Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103789 6103790 || [CISCO-SDEE] HP Openview Omniback II Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6103790 6103791 || [CISCO-SDEE] Solaris Printd Unlink File Deletion || url,wiki.quadrantsec.com/bin/view/Main/6103791 6103792 || [CISCO-SDEE] Long Telnet Username || url,wiki.quadrantsec.com/bin/view/Main/6103792 6103793 || [CISCO-SDEE] ZENworks 6.5 Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103793 6103802 || [CISCO-SDEE] Oracle iSQL*PLus Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103802 6103883 || [CISCO-SDEE] Apache mod_proxy Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103883 6103884 || [CISCO-SDEE] Cfengine Authentication Heap Based Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6103884 6103991 || [CISCO-SDEE] BackOrifice BO2K TCP Stealth 1 || url,wiki.quadrantsec.com/bin/view/Main/6103991 6104001 || [CISCO-SDEE] UDP Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6104001 6104002 || [CISCO-SDEE] UDP Host Flood || url,wiki.quadrantsec.com/bin/view/Main/6104002 6104003 || [CISCO-SDEE] Nmap UDP Port Sweep || url,wiki.quadrantsec.com/bin/view/Main/6104003 6104004 || [CISCO-SDEE] DNS Flood Attack || url,wiki.quadrantsec.com/bin/view/Main/6104004 6104050 || [CISCO-SDEE] UDP Bomb || url,wiki.quadrantsec.com/bin/view/Main/6104050 6104053 || [CISCO-SDEE] BackOrifice-Original-UDP || url,wiki.quadrantsec.com/bin/view/Main/6104053 6104054 || [CISCO-SDEE] RIP Trace || url,wiki.quadrantsec.com/bin/view/Main/6104054 6104056 || [CISCO-SDEE] NTPd readvar overflow || url,wiki.quadrantsec.com/bin/view/Main/6104056 6104058 
|| [CISCO-SDEE] UPnP LOCATION Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104058 6104060 || [CISCO-SDEE] Back Orifice Ping || url,wiki.quadrantsec.com/bin/view/Main/6104060 6104061 || [CISCO-SDEE] Chargen Echo DoS || url,wiki.quadrantsec.com/bin/view/Main/6104061 6104062 || [CISCO-SDEE] Cisco CSS 11000 Malformed UDP DoS || url,wiki.quadrantsec.com/bin/view/Main/6104062 6104063 || [CISCO-SDEE] Unreal Engine secure Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104063 6104067 || [CISCO-SDEE] Malformed IKE Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6104067 6104068 || [CISCO-SDEE] DoS NBT Stream || url,wiki.quadrantsec.com/bin/view/Main/6104068 6104100 || [CISCO-SDEE] Tftp Passwd File || url,wiki.quadrantsec.com/bin/view/Main/6104100 6104101 || [CISCO-SDEE] Cisco TFTPD Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6104101 6104150 || [CISCO-SDEE] Ascend Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6104150 6104151 || [CISCO-SDEE] BOBAX Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6104151 6104322 || [CISCO-SDEE] Generic File Transfer Signatures || url,wiki.quadrantsec.com/bin/view/Main/6104322 6104500 || [CISCO-SDEE] Cisco IOS Embedded SNMP Community Names || url,wiki.quadrantsec.com/bin/view/Main/6104500 6104501 || [CISCO-SDEE] CVCO/4K Remote Username / Password Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104501 6104502 || [CISCO-SDEE] SNMP Community Name Brute Force Attempt || url,wiki.quadrantsec.com/bin/view/Main/6104502 6104503 || [CISCO-SDEE] Windows NT SNMP System Info Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104503 6104504 || [CISCO-SDEE] SNMP IOS Configuration Retrieval || url,wiki.quadrantsec.com/bin/view/Main/6104504 6104505 || [CISCO-SDEE] SNMP IOS VACM MIB Access || url,wiki.quadrantsec.com/bin/view/Main/6104505 6104506 || [CISCO-SDEE] D-Link Wireless SNMP Plain Text Password || url,wiki.quadrantsec.com/bin/view/Main/6104506 6104507 || [CISCO-SDEE] SNMP Protocol Violation || 
url,wiki.quadrantsec.com/bin/view/Main/6104507 6104508 || [CISCO-SDEE] Non SNMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6104508 6104509 || [CISCO-SDEE] HP Openview SNMP Hidden Community Name || url,wiki.quadrantsec.com/bin/view/Main/6104509 6104510 || [CISCO-SDEE] Solaris SNMP Hidden Community Name || url,wiki.quadrantsec.com/bin/view/Main/6104510 6104511 || [CISCO-SDEE] Avaya SNMP Hidden Community Name || url,wiki.quadrantsec.com/bin/view/Main/6104511 6104512 || [CISCO-SDEE] SNMP Community String Public || url,wiki.quadrantsec.com/bin/view/Main/6104512 6104513 || [CISCO-SDEE] Cisco SNMP Message Processing DoS || url,wiki.quadrantsec.com/bin/view/Main/6104513 6104514 || [CISCO-SDEE] SNMP Community String Public || url,wiki.quadrantsec.com/bin/view/Main/6104514 6104515 || [CISCO-SDEE] Cisco IP/VC Embedded Community Names || url,wiki.quadrantsec.com/bin/view/Main/6104515 6104516 || [CISCO-SDEE] SNMP Printer Query DoS || url,wiki.quadrantsec.com/bin/view/Main/6104516 6104600 || [CISCO-SDEE] IOS UDP Bomb || url,wiki.quadrantsec.com/bin/view/Main/6104600 6104601 || [CISCO-SDEE] CheckPoint Firewall RDP ByPass || url,wiki.quadrantsec.com/bin/view/Main/6104601 6104602 || [CISCO-SDEE] Beagle (Bagle) Virus DNS Lookup || url,wiki.quadrantsec.com/bin/view/Main/6104602 6104603 || [CISCO-SDEE] DHCP Discover || url,wiki.quadrantsec.com/bin/view/Main/6104603 6104604 || [CISCO-SDEE] DHCP Request || url,wiki.quadrantsec.com/bin/view/Main/6104604 6104605 || [CISCO-SDEE] DHCP Offer || url,wiki.quadrantsec.com/bin/view/Main/6104605 6104606 || [CISCO-SDEE] Cisco TFTP Long Filename Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104606 6104607 || [CISCO-SDEE] Deep Throat Response || url,wiki.quadrantsec.com/bin/view/Main/6104607 6104608 || [CISCO-SDEE] Trinoo (UDP) || url,wiki.quadrantsec.com/bin/view/Main/6104608 6104609 || [CISCO-SDEE] Orinoco SNMP Info Leak || url,wiki.quadrantsec.com/bin/view/Main/6104609 6104610 || [CISCO-SDEE] Kerberos 4 User Recon || 
url,wiki.quadrantsec.com/bin/view/Main/6104610 6104611 || [CISCO-SDEE] D-Link DWL-900AP+ TFTP Config Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104611 6104612 || [CISCO-SDEE] Cisco IP Phone TFTP Config Retrieve || url,wiki.quadrantsec.com/bin/view/Main/6104612 6104613 || [CISCO-SDEE] TFTP Filename Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104613 6104614 || [CISCO-SDEE] TFTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104614 6104615 || [CISCO-SDEE] Beagle.B (Bagle.B) Virus DNS Lookup || url,wiki.quadrantsec.com/bin/view/Main/6104615 6104617 || [CISCO-SDEE] PoPToP PPtP Short Length Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104617 6104619 || [CISCO-SDEE] Invalid DHCP Packet || url,wiki.quadrantsec.com/bin/view/Main/6104619 6104620 || [CISCO-SDEE] DNS Limited Broadcast Query || url,wiki.quadrantsec.com/bin/view/Main/6104620 6104701 || [CISCO-SDEE] MSSQL Resolution Service Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104701 6104702 || [CISCO-SDEE] MSSQL Resolution Service Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104702 6104703 || [CISCO-SDEE] MSSQL Resolution Service Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104703 6104704 || [CISCO-SDEE] MSSQL Resolution Service Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6104704 6105034 || [CISCO-SDEE] WWW IIS newdsn attack || url,wiki.quadrantsec.com/bin/view/Main/6105034 6105035 || [CISCO-SDEE] HTTP cgi HylaFAX Faxsurvey || url,wiki.quadrantsec.com/bin/view/Main/6105035 6105037 || [CISCO-SDEE] WWW SGI MachineInfo Attack || url,wiki.quadrantsec.com/bin/view/Main/6105037 6105038 || [CISCO-SDEE] WWW wwwsql file read Bug || url,wiki.quadrantsec.com/bin/view/Main/6105038 6105039 || [CISCO-SDEE] WWW finger attempt || url,wiki.quadrantsec.com/bin/view/Main/6105039 6105041 || [CISCO-SDEE] WWW anyform attack || url,wiki.quadrantsec.com/bin/view/Main/6105041 6105044 || [CISCO-SDEE] WWW Webcom.se Guestbook attack || 
url,wiki.quadrantsec.com/bin/view/Main/6105044 6105045 || [CISCO-SDEE] WWW xterm display attack || url,wiki.quadrantsec.com/bin/view/Main/6105045 6105046 || [CISCO-SDEE] WWW dumpenv.pl recon || url,wiki.quadrantsec.com/bin/view/Main/6105046 6105047 || [CISCO-SDEE] WWW Server Side Include POST attack || url,wiki.quadrantsec.com/bin/view/Main/6105047 6105048 || [CISCO-SDEE] WWW IIS BAT EXE attack || url,wiki.quadrantsec.com/bin/view/Main/6105048 6105049 || [CISCO-SDEE] WWW IIS showcode.asp access || url,wiki.quadrantsec.com/bin/view/Main/6105049 6105050 || [CISCO-SDEE] WWW IIS .htr Overflow Attack || url,wiki.quadrantsec.com/bin/view/Main/6105050 6105051 || [CISCO-SDEE] IIS Double Byte Code Page || url,wiki.quadrantsec.com/bin/view/Main/6105051 6105052 || [CISCO-SDEE] FrontPage Extensions PWD Open Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105052 6105053 || [CISCO-SDEE] FrontPage _vti_bin Directory List Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105053 6105054 || [CISCO-SDEE] WWWBoard Password || url,wiki.quadrantsec.com/bin/view/Main/6105054 6105055 || [CISCO-SDEE] HTTP Basic Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105055 6105056 || [CISCO-SDEE] WWW Cisco IOS %% DoS || url,wiki.quadrantsec.com/bin/view/Main/6105056 6105057 || [CISCO-SDEE] WWW Sambar Samples || url,wiki.quadrantsec.com/bin/view/Main/6105057 6105058 || [CISCO-SDEE] WWW info2www Attack || url,wiki.quadrantsec.com/bin/view/Main/6105058 6105059 || [CISCO-SDEE] WWW Alibaba Attack || url,wiki.quadrantsec.com/bin/view/Main/6105059 6105060 || [CISCO-SDEE] WWW Excite AT-generate.cgi Access || url,wiki.quadrantsec.com/bin/view/Main/6105060 6105061 || [CISCO-SDEE] WWW catalog_type.asp Access || url,wiki.quadrantsec.com/bin/view/Main/6105061 6105062 || [CISCO-SDEE] WWW classifieds.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105062 6105064 || [CISCO-SDEE] WWW imagemap.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105064 6105065 || [CISCO-SDEE] WWW IRIX 
infosrch.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105065 6105066 || [CISCO-SDEE] WWW man.sh Access || url,wiki.quadrantsec.com/bin/view/Main/6105066 6105067 || [CISCO-SDEE] WWW plusmail Attack || url,wiki.quadrantsec.com/bin/view/Main/6105067 6105068 || [CISCO-SDEE] WWW formmail.pl Access || url,wiki.quadrantsec.com/bin/view/Main/6105068 6105069 || [CISCO-SDEE] WWW whois_raw.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105069 6105070 || [CISCO-SDEE] WWW msadcs.dll Access || url,wiki.quadrantsec.com/bin/view/Main/6105070 6105071 || [CISCO-SDEE] WWW msacds.dll Attack || url,wiki.quadrantsec.com/bin/view/Main/6105071 6105072 || [CISCO-SDEE] WWW bizdb1-search.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105072 6105073 || [CISCO-SDEE] WWW EZshopper loadpage.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105073 6105074 || [CISCO-SDEE] WWW EZshopper search.cgi Attack || url,wiki.quadrantsec.com/bin/view/Main/6105074 6105075 || [CISCO-SDEE] WWW IIS Virtualized UNC Bug || url,wiki.quadrantsec.com/bin/view/Main/6105075 6105076 || [CISCO-SDEE] WWW webplus bug || url,wiki.quadrantsec.com/bin/view/Main/6105076 6105077 || [CISCO-SDEE] WWW Excite AT-admin.cgi Access || url,wiki.quadrantsec.com/bin/view/Main/6105077 6105078 || [CISCO-SDEE] WWW Piranha passwd attack || url,wiki.quadrantsec.com/bin/view/Main/6105078 6105079 || [CISCO-SDEE] WWW PCCS MySQL Admin Access || url,wiki.quadrantsec.com/bin/view/Main/6105079 6105080 || [CISCO-SDEE] WWW IBM WebSphere Access || url,wiki.quadrantsec.com/bin/view/Main/6105080 6105081 || [CISCO-SDEE] WWW WinNT cmd.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105081 6105082 || [CISCO-SDEE] IE HTML Objects Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105082 6105083 || [CISCO-SDEE] WWW Virtual Vision FTP Browser Access || url,wiki.quadrantsec.com/bin/view/Main/6105083 6105084 || [CISCO-SDEE] WWW Alibaba Attack 2 || url,wiki.quadrantsec.com/bin/view/Main/6105084 6105085 || [CISCO-SDEE] 
WWW IIS Source Fragment Access || url,wiki.quadrantsec.com/bin/view/Main/6105085 6105086 || [CISCO-SDEE] WWW WEBactive Logfile Access || url,wiki.quadrantsec.com/bin/view/Main/6105086 6105087 || [CISCO-SDEE] WWW Sun Java Server Access || url,wiki.quadrantsec.com/bin/view/Main/6105087 6105088 || [CISCO-SDEE] WWW Akopia MiniVend Access || url,wiki.quadrantsec.com/bin/view/Main/6105088 6105089 || [CISCO-SDEE] WWW Big Brother Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105089 6105090 || [CISCO-SDEE] WWW FrontPage htimage.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105090 6105091 || [CISCO-SDEE] WWW Cart32 Remote Admin Access || url,wiki.quadrantsec.com/bin/view/Main/6105091 6105092 || [CISCO-SDEE] WWW CGI-World Poll It Access || url,wiki.quadrantsec.com/bin/view/Main/6105092 6105093 || [CISCO-SDEE] WWW PHP-Nuke admin.php3 Access || url,wiki.quadrantsec.com/bin/view/Main/6105093 6105095 || [CISCO-SDEE] WWW CGI Script Center Account Manager Attack || url,wiki.quadrantsec.com/bin/view/Main/6105095 6105096 || [CISCO-SDEE] WWW CGI Script Center Subscribe Me Attack || url,wiki.quadrantsec.com/bin/view/Main/6105096 6105097 || [CISCO-SDEE] WWW FrontPage MS-DOS Device Attack || url,wiki.quadrantsec.com/bin/view/Main/6105097 6105099 || [CISCO-SDEE] WWW GWScripts News Publisher Access || url,wiki.quadrantsec.com/bin/view/Main/6105099 6105100 || [CISCO-SDEE] WWW CGI Center Auction Weaver File Access || url,wiki.quadrantsec.com/bin/view/Main/6105100 6105101 || [CISCO-SDEE] WWW CGI Center Auction Weaver Attack || url,wiki.quadrantsec.com/bin/view/Main/6105101 6105102 || [CISCO-SDEE] WWW phpPhotoAlbum explorer.php Access || url,wiki.quadrantsec.com/bin/view/Main/6105102 6105103 || [CISCO-SDEE] WWW SuSE Apache CGI Source Access || url,wiki.quadrantsec.com/bin/view/Main/6105103 6105104 || [CISCO-SDEE] WWW YaBB File Access || url,wiki.quadrantsec.com/bin/view/Main/6105104 6105105 || [CISCO-SDEE] WWW Ranson Johnson mailto.cgi Attack || 
url,wiki.quadrantsec.com/bin/view/Main/6105105 6105106 || [CISCO-SDEE] WWW Ranson Johnson mailform.pl Access || url,wiki.quadrantsec.com/bin/view/Main/6105106 6105107 || [CISCO-SDEE] WWW Mandrake Linux /perl Access || url,wiki.quadrantsec.com/bin/view/Main/6105107 6105108 || [CISCO-SDEE] WWW Netegrity Site Minder Access || url,wiki.quadrantsec.com/bin/view/Main/6105108 6105109 || [CISCO-SDEE] WWW Sambar Beta search.dll Access || url,wiki.quadrantsec.com/bin/view/Main/6105109 6105110 || [CISCO-SDEE] WWW SuSE Installed Packages Access || url,wiki.quadrantsec.com/bin/view/Main/6105110 6105111 || [CISCO-SDEE] WWW Solaris Answerbook 2 Access || url,wiki.quadrantsec.com/bin/view/Main/6105111 6105112 || [CISCO-SDEE] WWW Solaris Answerbook 2 Attack || url,wiki.quadrantsec.com/bin/view/Main/6105112 6105113 || [CISCO-SDEE] WWW CommuniGate Pro Access || url,wiki.quadrantsec.com/bin/view/Main/6105113 6105114 || [CISCO-SDEE] WWW IIS Unicode Attack || url,wiki.quadrantsec.com/bin/view/Main/6105114 6105115 || [CISCO-SDEE] Netscape Enterprise Server with ?wp Tags || url,wiki.quadrantsec.com/bin/view/Main/6105115 6105116 || [CISCO-SDEE] Endymion MailMan Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105116 6105117 || [CISCO-SDEE] phpGroupWare Remote Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105117 6105118 || [CISCO-SDEE] eWave ServletExec 3.0C File Upload || url,wiki.quadrantsec.com/bin/view/Main/6105118 6105119 || [CISCO-SDEE] CGI Script Center News Update Admin Passwd Change || url,wiki.quadrantsec.com/bin/view/Main/6105119 6105120 || [CISCO-SDEE] Netscape Server Suite Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105120 6105121 || [CISCO-SDEE] iPlanet .shtml Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105121 6105122 || [CISCO-SDEE] Nokia IP440 Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105122 6105123 || [CISCO-SDEE] WWW IIS Internet Printing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105123 
6105124 || [CISCO-SDEE] IIS CGI Double Decode || url,wiki.quadrantsec.com/bin/view/Main/6105124 6105125 || [CISCO-SDEE] PerlCal Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105125 6105126 || [CISCO-SDEE] WWW IIS .ida Indexing Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105126 6105127 || [CISCO-SDEE] WWW viewsrc.cgi Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105127 6105128 || [CISCO-SDEE] WWW nph-maillist.pl Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105128 6105129 || [CISCO-SDEE] IOS HTTP Unauth Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105129 6105130 || [CISCO-SDEE] Bugzilla Privileged Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105130 6105131 || [CISCO-SDEE] talkback.cgi Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105131 6105132 || [CISCO-SDEE] VirusWall catinfo Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105132 6105133 || [CISCO-SDEE] Net.Commerce Macro Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105133 6105134 || [CISCO-SDEE] MacOS PWS DoS || url,wiki.quadrantsec.com/bin/view/Main/6105134 6105138 || [CISCO-SDEE] Oracle Application Server Shared Library Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105138 6105140 || [CISCO-SDEE] Net.Commerce Macro Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105140 6105141 || [CISCO-SDEE] NCM Content.pl SQL Query Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105141 6105142 || [CISCO-SDEE] DCShop File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105142 6105146 || [CISCO-SDEE] MS-DOS Device Name DoS || url,wiki.quadrantsec.com/bin/view/Main/6105146 6105147 || [CISCO-SDEE] Arcadia Internet Store Directory Traversal Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105147 6105148 || [CISCO-SDEE] Perception LiteServe Web Server CGI Source Code Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105148 6105149 || [CISCO-SDEE] Trend Micro 
Interscan Viruswall Configuration Modification || url,wiki.quadrantsec.com/bin/view/Main/6105149 6105150 || [CISCO-SDEE] InterScan VirusWall RegGo.dll Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105150 6105151 || [CISCO-SDEE] WebStore Admin Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105151 6105152 || [CISCO-SDEE] WebStore Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105152 6105154 || [CISCO-SDEE] WWW uDirectory Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105154 6105155 || [CISCO-SDEE] WWW SiteWare Editor Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105155 6105156 || [CISCO-SDEE] WWW Microsoft fp30reg.dll Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105156 6105157 || [CISCO-SDEE] Tarantella TTAWebTop.CGI Directory Traversal Bug || url,wiki.quadrantsec.com/bin/view/Main/6105157 6105158 || [CISCO-SDEE] iPlanet Proprietary Method Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105158 6105159 || [CISCO-SDEE] phpMyAdmin Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105159 6105160 || [CISCO-SDEE] Apache ? 
indexing file disclosure bug || url,wiki.quadrantsec.com/bin/view/Main/6105160 6105161 || [CISCO-SDEE] SquirrelMail Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105161 6105162 || [CISCO-SDEE] Active Classifieds Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105162 6105163 || [CISCO-SDEE] Mambo Site Server Administrative Password ByPass || url,wiki.quadrantsec.com/bin/view/Main/6105163 6105164 || [CISCO-SDEE] PHPBB Remote SQL Query Manipulation || url,wiki.quadrantsec.com/bin/view/Main/6105164 6105165 || [CISCO-SDEE] php-nuke article.php sql query || url,wiki.quadrantsec.com/bin/view/Main/6105165 6105166 || [CISCO-SDEE] php-nuke modules.php DoS || url,wiki.quadrantsec.com/bin/view/Main/6105166 6105167 || [CISCO-SDEE] phpMyAdmin Cmd Exec 2 || url,wiki.quadrantsec.com/bin/view/Main/6105167 6105168 || [CISCO-SDEE] Snapstream PVS Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105168 6105169 || [CISCO-SDEE] SnapStream PVS Plaintext Password Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105169 6105170 || [CISCO-SDEE] Null Byte In HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105170 6105171 || [CISCO-SDEE] NC-Book book.cgi Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105171 6105172 || [CISCO-SDEE] WinWrapper Admin Server Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105172 6105173 || [CISCO-SDEE] Directory Manager Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105173 6105174 || [CISCO-SDEE] phpmyexplorer directory traversal || url,wiki.quadrantsec.com/bin/view/Main/6105174 6105175 || [CISCO-SDEE] Hassan Shopping Cart Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105175 6105176 || [CISCO-SDEE] Exchange Address List Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105176 6105177 || [CISCO-SDEE] DoS Arnudp || url,wiki.quadrantsec.com/bin/view/Main/6105177 6105178 || [CISCO-SDEE] MS Index Server File/Path Recon || url,wiki.quadrantsec.com/bin/view/Main/6105178 
6105179 || [CISCO-SDEE] PHP-Nuke File Upload || url,wiki.quadrantsec.com/bin/view/Main/6105179 6105180 || [CISCO-SDEE] sgiMerchant Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105180 6105181 || [CISCO-SDEE] MacOS Apache File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105181 6105182 || [CISCO-SDEE] WebDiscount's eShop Arbitrary Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105182 6105183 || [CISCO-SDEE] PHP File Inclusion Remote Exec || url,wiki.quadrantsec.com/bin/view/Main/6105183 6105184 || [CISCO-SDEE] Apache Authentication Module ByPass || url,wiki.quadrantsec.com/bin/view/Main/6105184 6105188 || [CISCO-SDEE] HTTP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6105188 6105191 || [CISCO-SDEE] Active Perl PerlIS.dll Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105191 6105194 || [CISCO-SDEE] Apache Server .ht File Access || url,wiki.quadrantsec.com/bin/view/Main/6105194 6105195 || [CISCO-SDEE] AS/400 '/' attack || url,wiki.quadrantsec.com/bin/view/Main/6105195 6105196 || [CISCO-SDEE] Red Hat Stronghold Recon attack || url,wiki.quadrantsec.com/bin/view/Main/6105196 6105197 || [CISCO-SDEE] Network Query Tool command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105197 6105199 || [CISCO-SDEE] W3Mail Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105199 6105200 || [CISCO-SDEE] IIS Data Stream Source Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105200 6105201 || [CISCO-SDEE] PHP-Nuke Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105201 6105202 || [CISCO-SDEE] PHP-Nuke File Copy / Delete || url,wiki.quadrantsec.com/bin/view/Main/6105202 6105203 || [CISCO-SDEE] Hosting Controller File Access and Upload || url,wiki.quadrantsec.com/bin/view/Main/6105203 6105204 || [CISCO-SDEE] AspUpload Sample Scripts || url,wiki.quadrantsec.com/bin/view/Main/6105204 6105205 || [CISCO-SDEE] Apache php.exe File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105205 6105206 || [CISCO-SDEE] 
Horde IMP Session Hijack || url,wiki.quadrantsec.com/bin/view/Main/6105206 6105207 || [CISCO-SDEE] Entrust GetAccess directory traversal || url,wiki.quadrantsec.com/bin/view/Main/6105207 6105208 || [CISCO-SDEE] Network Tools shell metacharacters || url,wiki.quadrantsec.com/bin/view/Main/6105208 6105209 || [CISCO-SDEE] Agora.cgi Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105209 6105210 || [CISCO-SDEE] FAQManager.cgi directory traversal || url,wiki.quadrantsec.com/bin/view/Main/6105210 6105211 || [CISCO-SDEE] zml.cgi File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105211 6105212 || [CISCO-SDEE] Bugzilla Admin Authorization Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105212 6105213 || [CISCO-SDEE] Bugzilla Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105213 6105214 || [CISCO-SDEE] FAQManager.cgi null bytes || url,wiki.quadrantsec.com/bin/view/Main/6105214 6105215 || [CISCO-SDEE] lastlines.cgi cmd exec/traversal || url,wiki.quadrantsec.com/bin/view/Main/6105215 6105216 || [CISCO-SDEE] PHP Rocket Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105216 6105217 || [CISCO-SDEE] Webmin Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105217 6105218 || [CISCO-SDEE] Boozt Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105218 6105219 || [CISCO-SDEE] Lotus Domino database DoS || url,wiki.quadrantsec.com/bin/view/Main/6105219 6105220 || [CISCO-SDEE] CSVForm Remote Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105220 6105221 || [CISCO-SDEE] Hosting Controller Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105221 6105222 || [CISCO-SDEE] DoS Beer || url,wiki.quadrantsec.com/bin/view/Main/6105222 6105223 || [CISCO-SDEE] Pi3Web Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105223 6105224 || [CISCO-SDEE] SquirrelMail SquirrelSpell Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105224 6105229 || [CISCO-SDEE] DCP Portal Root Path Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6105229 6105230 || [CISCO-SDEE] Lotus Domino Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105230 6105231 || [CISCO-SDEE] MRTG Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105231 6105232 || [CISCO-SDEE] URL with XSS || url,wiki.quadrantsec.com/bin/view/Main/6105232 6105233 || [CISCO-SDEE] PHP fileupload Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105233 6105234 || [CISCO-SDEE] pforum sql-injection || url,wiki.quadrantsec.com/bin/view/Main/6105234 6105235 || [CISCO-SDEE] Mac OS X URI Handler Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105235 6105236 || [CISCO-SDEE] Xoops sql-injection || url,wiki.quadrantsec.com/bin/view/Main/6105236 6105237 || [CISCO-SDEE] HTTP CONNECT Tunnel || url,wiki.quadrantsec.com/bin/view/Main/6105237 6105238 || [CISCO-SDEE] EZNET Ezboard Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105238 6105239 || [CISCO-SDEE] Sambar cgitest.exe Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105239 6105240 || [CISCO-SDEE] Marcus Xenakis Shell Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105240 6105241 || [CISCO-SDEE] Avenger System Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105241 6105243 || [CISCO-SDEE] CS .cgi Script Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105243 6105244 || [CISCO-SDEE] PhpSmsSend Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105244 6105245 || [CISCO-SDEE] HTTP 1.1 Chunked Encoding Transfer || url,wiki.quadrantsec.com/bin/view/Main/6105245 6105246 || [CISCO-SDEE] IIS ISAPI Filter Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105246 6105247 || [CISCO-SDEE] IIS ASP SSI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105247 6105248 || [CISCO-SDEE] IIS HTR ISAPI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105248 6105251 || [CISCO-SDEE] Allaire JRun // Directory Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6105251 6105252 || [CISCO-SDEE] Allaire JRun Session ID Recon || url,wiki.quadrantsec.com/bin/view/Main/6105252 6105253 || [CISCO-SDEE] Axis StorPoint CD Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105253 6105255 || [CISCO-SDEE] Linux Directory traceroute / nslookup Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105255 6105256 || [CISCO-SDEE] Dot Dot Slash in URI || url,wiki.quadrantsec.com/bin/view/Main/6105256 6105257 || [CISCO-SDEE] PHPNetToolpack traceroute Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105257 6105258 || [CISCO-SDEE] Script source disclosure with CodeBrws.asp || url,wiki.quadrantsec.com/bin/view/Main/6105258 6105259 || [CISCO-SDEE] Snitz Forums SQL injection || url,wiki.quadrantsec.com/bin/view/Main/6105259 6105260 || [CISCO-SDEE] Xpede sprc.asp SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105260 6105261 || [CISCO-SDEE] BackOffice Server Web Administration Access || url,wiki.quadrantsec.com/bin/view/Main/6105261 6105262 || [CISCO-SDEE] Large number of Slashes URL || url,wiki.quadrantsec.com/bin/view/Main/6105262 6105263 || [CISCO-SDEE] ecware.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105263 6105265 || [CISCO-SDEE] RedHat cachemgr.cgi Access || url,wiki.quadrantsec.com/bin/view/Main/6105265 6105266 || [CISCO-SDEE] iCat Carbo Server File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105266 6105268 || [CISCO-SDEE] Cisco Catalyst Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105268 6105269 || [CISCO-SDEE] ColdFusion CFDOCS Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105269 6105270 || [CISCO-SDEE] EZ-Mall order.log File Access || url,wiki.quadrantsec.com/bin/view/Main/6105270 6105271 || [CISCO-SDEE] search.cgi Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105271 6105272 || [CISCO-SDEE] count.cgi GIF File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105272 6105273 || [CISCO-SDEE] 
Bannermatic Sensitive File Access || url,wiki.quadrantsec.com/bin/view/Main/6105273 6105274 || [CISCO-SDEE] Netpad.cgi Directory Traversal/Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105274 6105275 || [CISCO-SDEE] Phorum Remote Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105275 6105276 || [CISCO-SDEE] Dansie cart.cgi Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105276 6105277 || [CISCO-SDEE] dfire.cgi Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105277 6105278 || [CISCO-SDEE] VP-ASP shoptest.asp access || url,wiki.quadrantsec.com/bin/view/Main/6105278 6105279 || [CISCO-SDEE] JJ Cgi Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105279 6105280 || [CISCO-SDEE] IIS idq.dll Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105280 6105281 || [CISCO-SDEE] Carello add.exe Access || url,wiki.quadrantsec.com/bin/view/Main/6105281 6105282 || [CISCO-SDEE] IIS ExAir advsearch.asp Access || url,wiki.quadrantsec.com/bin/view/Main/6105282 6105283 || [CISCO-SDEE] info2www CGI Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105283 6105284 || [CISCO-SDEE] IIS webhits.dll Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105284 6105285 || [CISCO-SDEE] PHPEventCalendar Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105285 6105286 || [CISCO-SDEE] WebScripts WebBBS Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105286 6105287 || [CISCO-SDEE] SiteServer AdSamples SITE.CSC File Access || url,wiki.quadrantsec.com/bin/view/Main/6105287 6105288 || [CISCO-SDEE] Verity search97 Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105288 6105289 || [CISCO-SDEE] SQLXML ISAPI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105289 6105290 || [CISCO-SDEE] Apache Tomcat DefaultServlet File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105290 6105291 || [CISCO-SDEE] WEB-INF Dot File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105291 6105292 || [CISCO-SDEE] SalesCart 
shop.mdb File Access || url,wiki.quadrantsec.com/bin/view/Main/6105292 6105293 || [CISCO-SDEE] robots.txt File Access || url,wiki.quadrantsec.com/bin/view/Main/6105293 6105294 || [CISCO-SDEE] BearShare File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105294 6105295 || [CISCO-SDEE] finger CGI Recon || url,wiki.quadrantsec.com/bin/view/Main/6105295 6105296 || [CISCO-SDEE] Netscape Server PageServices Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105296 6105297 || [CISCO-SDEE] order_log.dat File Access || url,wiki.quadrantsec.com/bin/view/Main/6105297 6105298 || [CISCO-SDEE] shopper.conf File Access || url,wiki.quadrantsec.com/bin/view/Main/6105298 6105299 || [CISCO-SDEE] quikstore.cfg File Access || url,wiki.quadrantsec.com/bin/view/Main/6105299 6105300 || [CISCO-SDEE] reg_echo.cgi Recon || url,wiki.quadrantsec.com/bin/view/Main/6105300 6105301 || [CISCO-SDEE] /consolehelp/ CGI File Access || url,wiki.quadrantsec.com/bin/view/Main/6105301 6105302 || [CISCO-SDEE] /file/ WebLogic File Access || url,wiki.quadrantsec.com/bin/view/Main/6105302 6105303 || [CISCO-SDEE] pfdispaly.cgi Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105303 6105304 || [CISCO-SDEE] files.pl File Access || url,wiki.quadrantsec.com/bin/view/Main/6105304 6105305 || [CISCO-SDEE] .bash_history File Access || url,wiki.quadrantsec.com/bin/view/Main/6105305 6105306 || [CISCO-SDEE] SoftCart storemgr.pw File Access || url,wiki.quadrantsec.com/bin/view/Main/6105306 6105307 || [CISCO-SDEE] Mercantec Softcart Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105307 6105308 || [CISCO-SDEE] rpc-nlog.pl Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105308 6105309 || [CISCO-SDEE] Handler CGI Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105309 6105310 || [CISCO-SDEE] INDEX / directory access || url,wiki.quadrantsec.com/bin/view/Main/6105310 6105311 || [CISCO-SDEE] 8.3 file name access || url,wiki.quadrantsec.com/bin/view/Main/6105311 6105312 || 
[CISCO-SDEE] *.jsp/*.jhtml Java Execution || url,wiki.quadrantsec.com/bin/view/Main/6105312 6105313 || [CISCO-SDEE] order.log File Access || url,wiki.quadrantsec.com/bin/view/Main/6105313 6105314 || [CISCO-SDEE] windmail.exe Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105314 6105315 || [CISCO-SDEE] changedisplay.pl WWWthreads Privilege Elevation || url,wiki.quadrantsec.com/bin/view/Main/6105315 6105316 || [CISCO-SDEE] BadBlue Admin Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105316 6105317 || [CISCO-SDEE] Tivoli Endpoint Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105317 6105318 || [CISCO-SDEE] Tivoli ManagedNode Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105318 6105319 || [CISCO-SDEE] SoftCart orders Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105319 6105320 || [CISCO-SDEE] ColdFusion administrator Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105320 6105321 || [CISCO-SDEE] Guest Book CGI access || url,wiki.quadrantsec.com/bin/view/Main/6105321 6105322 || [CISCO-SDEE] Long HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105322 6105323 || [CISCO-SDEE] midicart.mdb File Access || url,wiki.quadrantsec.com/bin/view/Main/6105323 6105324 || [CISCO-SDEE] Cisco IOS Query (?/) || url,wiki.quadrantsec.com/bin/view/Main/6105324 6105325 || [CISCO-SDEE] Contivity cgiproc DoS || url,wiki.quadrantsec.com/bin/view/Main/6105325 6105326 || [CISCO-SDEE] Root.exe access || url,wiki.quadrantsec.com/bin/view/Main/6105326 6105327 || [CISCO-SDEE] Tilde in URI || url,wiki.quadrantsec.com/bin/view/Main/6105327 6105328 || [CISCO-SDEE] Cisco IP phone DoS || url,wiki.quadrantsec.com/bin/view/Main/6105328 6105329 || [CISCO-SDEE] Apache/mod_ssl Worm Probe || url,wiki.quadrantsec.com/bin/view/Main/6105329 6105330 || [CISCO-SDEE] Apache/mod_ssl Worm Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105330 6105331 || [CISCO-SDEE] Image Javascript insertion || 
url,wiki.quadrantsec.com/bin/view/Main/6105331 6105332 || [CISCO-SDEE] Wordtrans-web Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105332 6105333 || [CISCO-SDEE] FUDForum File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105333 6105334 || [CISCO-SDEE] DB4Web File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105334 6105335 || [CISCO-SDEE] DB4WEB Proxy Scan || url,wiki.quadrantsec.com/bin/view/Main/6105335 6105336 || [CISCO-SDEE] Abyss Web Server File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105336 6105337 || [CISCO-SDEE] Dot Dot Slash in HTTP Arguments || url,wiki.quadrantsec.com/bin/view/Main/6105337 6105338 || [CISCO-SDEE] Front Page Admin password retrieval || url,wiki.quadrantsec.com/bin/view/Main/6105338 6105339 || [CISCO-SDEE] SunONE Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105339 6105340 || [CISCO-SDEE] Killer Protection Credential File Access || url,wiki.quadrantsec.com/bin/view/Main/6105340 6105341 || [CISCO-SDEE] HP Procurve 4000M Switch DoS || url,wiki.quadrantsec.com/bin/view/Main/6105341 6105342 || [CISCO-SDEE] Invision Board phpinfo.php Recon || url,wiki.quadrantsec.com/bin/view/Main/6105342 6105343 || [CISCO-SDEE] Apache Host Header Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105343 6105344 || [CISCO-SDEE] IIS MDAC RDS Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105344 6105345 || [CISCO-SDEE] HTTPBench Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105345 6105346 || [CISCO-SDEE] BadBlue Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105346 6105347 || [CISCO-SDEE] Xoops WebChat SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105347 6105348 || [CISCO-SDEE] Cobalt RaQ Server overflow.cgi Cmd Exec || url,wiki.quadrantsec.com/bin/view/Main/6105348 6105349 || [CISCO-SDEE] Polycom ViewStation Admin Password || url,wiki.quadrantsec.com/bin/view/Main/6105349 6105350 || [CISCO-SDEE] PHPnuke email attachment access || 
url,wiki.quadrantsec.com/bin/view/Main/6105350 6105351 || [CISCO-SDEE] MS IE Help Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105351 6105352 || [CISCO-SDEE] H-Sphere Webshell Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105352 6105353 || [CISCO-SDEE] H-Sphere Webshell 'mode' URI exec || url,wiki.quadrantsec.com/bin/view/Main/6105353 6105354 || [CISCO-SDEE] H-Sphere Webshell 'zipfile' URI exec || url,wiki.quadrantsec.com/bin/view/Main/6105354 6105355 || [CISCO-SDEE] DotBr exec.php3 exec || url,wiki.quadrantsec.com/bin/view/Main/6105355 6105356 || [CISCO-SDEE] DotBr system.php3 exec || url,wiki.quadrantsec.com/bin/view/Main/6105356 6105357 || [CISCO-SDEE] IMP SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105357 6105358 || [CISCO-SDEE] Psunami.CGI Remote Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105358 6105359 || [CISCO-SDEE] Office Scan CGI Scripts Access || url,wiki.quadrantsec.com/bin/view/Main/6105359 6105360 || [CISCO-SDEE] FrontPage htimage.exe Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105360 6105362 || [CISCO-SDEE] FrontPage dvwssr.dll Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105362 6105363 || [CISCO-SDEE] FrontPage imagemap.exe Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105363 6105364 || [CISCO-SDEE] IIS WebDAV Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105364 6105365 || [CISCO-SDEE] Long WebDAV Request || url,wiki.quadrantsec.com/bin/view/Main/6105365 6105366 || [CISCO-SDEE] Shell Code in HTTP URL / Args || url,wiki.quadrantsec.com/bin/view/Main/6105366 6105367 || [CISCO-SDEE] Apache CR LF DoS || url,wiki.quadrantsec.com/bin/view/Main/6105367 6105368 || [CISCO-SDEE] Cisco ACS Windows CSAdmin Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105368 6105369 || [CISCO-SDEE] Win32 Apache Batch File CmdExec || url,wiki.quadrantsec.com/bin/view/Main/6105369 6105370 || [CISCO-SDEE] HTDig File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105370 
6105371 || [CISCO-SDEE] bdir.htr Access || url,wiki.quadrantsec.com/bin/view/Main/6105371 6105372 || [CISCO-SDEE] ASP %20 source disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105372 6105373 || [CISCO-SDEE] IIS 5 Translate: f Source Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105373 6105374 || [CISCO-SDEE] IIS Executable File Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105374 6105375 || [CISCO-SDEE] Apache mod_dav Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105375 6105376 || [CISCO-SDEE] iisPROTECT Admin SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105376 6105377 || [CISCO-SDEE] HTTP args to xp_cmdshell in HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105377 6105378 || [CISCO-SDEE] Vignette TCL Injection Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105378 6105379 || [CISCO-SDEE] Windows Media Services Logging ISAPI Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105379 6105380 || [CISCO-SDEE] phpBB SQL injection || url,wiki.quadrantsec.com/bin/view/Main/6105380 6105381 || [CISCO-SDEE] VPASP SQL injection || url,wiki.quadrantsec.com/bin/view/Main/6105381 6105382 || [CISCO-SDEE] Xpressions SQL Admin Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105382 6105383 || [CISCO-SDEE] Cyberstrong eShop SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105383 6105385 || [CISCO-SDEE] CiscoWorks User Privilege Modification || url,wiki.quadrantsec.com/bin/view/Main/6105385 6105386 || [CISCO-SDEE] CiscoWorks Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105386 6105388 || [CISCO-SDEE] Kerio MailServer Webmail multiple overflows || url,wiki.quadrantsec.com/bin/view/Main/6105388 6105389 || [CISCO-SDEE] WebAdmin Long User Name Logon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105389 6105390 || [CISCO-SDEE] Swen Worm HTTP Counter Update Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105390 6105391 || [CISCO-SDEE] FrontPage Server Extensions Buffer Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105391 6105392 || [CISCO-SDEE] Internet Explorer XML Object Overflow Type 1 || url,wiki.quadrantsec.com/bin/view/Main/6105392 6105393 || [CISCO-SDEE] Internet Explorer XML Object Overflow Type 2 || url,wiki.quadrantsec.com/bin/view/Main/6105393 6105394 || [CISCO-SDEE] Apache mod_gzip Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105394 6105395 || [CISCO-SDEE] Cisco ACNS Authentication Library Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105395 6105397 || [CISCO-SDEE] SiteInteractive Subscribe Me setup.pl Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105397 6105399 || [CISCO-SDEE] ALT-N MDaemon form2raw.cgi Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105399 6105400 || [CISCO-SDEE] Beagle.B (Bagle.B) Web Beacon || url,wiki.quadrantsec.com/bin/view/Main/6105400 6105401 || [CISCO-SDEE] Outlook mailto Quote Malformed URI || url,wiki.quadrantsec.com/bin/view/Main/6105401 6105402 || [CISCO-SDEE] Internet Explorer URL Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6105402 6105403 || [CISCO-SDEE] OpenSSL SSL OR TLS Malformed Handshake DoS || url,wiki.quadrantsec.com/bin/view/Main/6105403 6105404 || [CISCO-SDEE] Internet Explorer Uninitialized Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105404 6105405 || [CISCO-SDEE] IIS nsiislog.dll long argument overflow || url,wiki.quadrantsec.com/bin/view/Main/6105405 6105406 || [CISCO-SDEE] Illegal MHTML URL || url,wiki.quadrantsec.com/bin/view/Main/6105406 6105407 || [CISCO-SDEE] IIS PCT Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105407 6105408 || [CISCO-SDEE] Windows HCP URI Parsing Script Exec || url,wiki.quadrantsec.com/bin/view/Main/6105408 6105409 || [CISCO-SDEE] Microsoft HCP Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105409 6105410 || [CISCO-SDEE] APSIS Pound Remote Format String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105410 6105411 || [CISCO-SDEE] Linksys Http DoS || 
url,wiki.quadrantsec.com/bin/view/Main/6105411 6105412 || [CISCO-SDEE] AIM Goaway Message Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105412 6105413 || [CISCO-SDEE] WhatsUp Gold Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105413 6105414 || [CISCO-SDEE] Microsoft NNTP Heap Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105414 6105416 || [CISCO-SDEE] IE object data remote execution || url,wiki.quadrantsec.com/bin/view/Main/6105416 6105417 || [CISCO-SDEE] IE Object Tag Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105417 6105418 || [CISCO-SDEE] IIS Cross Site Scripting .htw || url,wiki.quadrantsec.com/bin/view/Main/6105418 6105419 || [CISCO-SDEE] IIS Frontpage Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105419 6105420 || [CISCO-SDEE] IIS TRACK Requests || url,wiki.quadrantsec.com/bin/view/Main/6105420 6105421 || [CISCO-SDEE] IIS UNC Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105421 6105422 || [CISCO-SDEE] IIS ISAPI Extension Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6105422 6105423 || [CISCO-SDEE] IIS ism.dll Access || url,wiki.quadrantsec.com/bin/view/Main/6105423 6105424 || [CISCO-SDEE] IE HRAlign Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105424 6105425 || [CISCO-SDEE] Internet Explorer IFRAME Tag Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105425 6105426 || [CISCO-SDEE] Netscape NSS SSLv2 Hello Message Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105426 6105427 || [CISCO-SDEE] Apache Space Character DoS || url,wiki.quadrantsec.com/bin/view/Main/6105427 6105428 || [CISCO-SDEE] Cisco CNS Registrar DoS || url,wiki.quadrantsec.com/bin/view/Main/6105428 6105429 || [CISCO-SDEE] WINS Replication Protocol Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105429 6105430 || [CISCO-SDEE] Darwin Streaming Server DoS || url,wiki.quadrantsec.com/bin/view/Main/6105430 6105431 || [CISCO-SDEE] IIS W3Who Vulnerabilities || 
url,wiki.quadrantsec.com/bin/view/Main/6105431 6105432 || [CISCO-SDEE] Script Embedded in HTTP Header || url,wiki.quadrantsec.com/bin/view/Main/6105432 6105433 || [CISCO-SDEE] Jabberd Username Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105433 6105434 || [CISCO-SDEE] Veritas Backup Exec Registration Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105434 6105435 || [CISCO-SDEE] Crystal Reports Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105435 6105436 || [CISCO-SDEE] RXBot Activity || url,wiki.quadrantsec.com/bin/view/Main/6105436 6105437 || [CISCO-SDEE] phpBB highlight parameter || url,wiki.quadrantsec.com/bin/view/Main/6105437 6105438 || [CISCO-SDEE] Cisco IOS Call Processing Solutions DoS || url,wiki.quadrantsec.com/bin/view/Main/6105438 6105439 || [CISCO-SDEE] Microsoft Loadimage API Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105439 6105440 || [CISCO-SDEE] IRC Bot Activity || url,wiki.quadrantsec.com/bin/view/Main/6105440 6105441 || [CISCO-SDEE] Windows Help File Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105441 6105442 || [CISCO-SDEE] Cursor/Icon File Format Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105442 6105443 || [CISCO-SDEE] Microsoft ActiveX Help Control || url,wiki.quadrantsec.com/bin/view/Main/6105443 6105444 || [CISCO-SDEE] MySQL MaxDB WebAgent logon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105444 6105445 || [CISCO-SDEE] AWStats configdir Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105445 6105446 || [CISCO-SDEE] Internet Explorer Install Engine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105446 6105447 || [CISCO-SDEE] VB.aw Trojan/Back Door || url,wiki.quadrantsec.com/bin/view/Main/6105447 6105448 || [CISCO-SDEE] Blaster Worm || url,wiki.quadrantsec.com/bin/view/Main/6105448 6105449 || [CISCO-SDEE] Massacre Virus Attachment || url,wiki.quadrantsec.com/bin/view/Main/6105449 6105450 || [CISCO-SDEE] Love Letter Worm Attachment || 
url,wiki.quadrantsec.com/bin/view/Main/6105450 6105451 || [CISCO-SDEE] IIS WebDAV DoS || url,wiki.quadrantsec.com/bin/view/Main/6105451 6105452 || [CISCO-SDEE] Office XP URL Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105452 6105453 || [CISCO-SDEE] AWStats Plugin Command Exec || url,wiki.quadrantsec.com/bin/view/Main/6105453 6105454 || [CISCO-SDEE] Exim SPA Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105454 6105455 || [CISCO-SDEE] Arkeia Type 77 Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105455 6105456 || [CISCO-SDEE] Internet Explorer 5 ie5filex Exploit || url,wiki.quadrantsec.com/bin/view/Main/6105456 6105457 || [CISCO-SDEE] WU-FTPD DoS || url,wiki.quadrantsec.com/bin/view/Main/6105457 6105458 || [CISCO-SDEE] WebConnect MS-DOS Device Name DoS || url,wiki.quadrantsec.com/bin/view/Main/6105458 6105459 || [CISCO-SDEE] WebConnect Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105459 6105460 || [CISCO-SDEE] phpMyAdmin phpmyadmin.css.php File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105460 6105461 || [CISCO-SDEE] BadBlue MFCISAPICommand Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105461 6105462 || [CISCO-SDEE] phpBB Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105462 6105463 || [CISCO-SDEE] Computer Associates License Software GETCONFIG Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105463 6105464 || [CISCO-SDEE] Computer Associates License Suite Network Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105464 6105465 || [CISCO-SDEE] Computer Associates License Suite Checksum Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105465 6105466 || [CISCO-SDEE] Computer Associates License Suite PUTOLF Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105466 6105467 || [CISCO-SDEE] Computer Associates License Suite PUTOLF Directory Traversal || 
url,wiki.quadrantsec.com/bin/view/Main/6105467 6105468 || [CISCO-SDEE] Computer Associates License Suite Invalid Command Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105468 6105469 || [CISCO-SDEE] TrackerCam PHP Argument Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105469 6105471 || [CISCO-SDEE] SafeNet Sentinel Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105471 6105472 || [CISCO-SDEE] IE Sysimage Handler Local Executable Reference || url,wiki.quadrantsec.com/bin/view/Main/6105472 6105473 || [CISCO-SDEE] Java JNLP File Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105473 6105474 || [CISCO-SDEE] SQL Query in HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105474 6105475 || [CISCO-SDEE] BrightStor ARCserve Backup Universal Agent Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105475 6105476 || [CISCO-SDEE] HTML Application Execution || url,wiki.quadrantsec.com/bin/view/Main/6105476 6105477 || [CISCO-SDEE] Possible Heap Payload Construction || url,wiki.quadrantsec.com/bin/view/Main/6105477 6105478 || [CISCO-SDEE] Microsoft Exchange SMTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105478 6105479 || [CISCO-SDEE] MySQL MaxDB WebDAV Lock-Token Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105479 6105480 || [CISCO-SDEE] MySQL MaxDB WebDAV If Header Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105480 6105481 || [CISCO-SDEE] MySQL MaxDB WebDBM Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105481 6105482 || [CISCO-SDEE] Microsoft SQL Server Login Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105482 6105483 || [CISCO-SDEE] IE Content Advisor Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105483 6105484 || [CISCO-SDEE] Sambar Server Search Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105484 6105485 || [CISCO-SDEE] ISS PAM.dll ICQ Parser Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105485 6105486 || [CISCO-SDEE] Apple File Service LoginExt Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105486 6105487 || [CISCO-SDEE] IA WebMail Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105487 6105488 || [CISCO-SDEE] Icecast Server HTTP Header Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105488 6105489 || [CISCO-SDEE] MyTOB Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6105489 6105490 || [CISCO-SDEE] Firefox JavaScript IFRAME Exploitation || url,wiki.quadrantsec.com/bin/view/Main/6105490 6105491 || [CISCO-SDEE] Firefox JavaScript Install Trigger Function || url,wiki.quadrantsec.com/bin/view/Main/6105491 6105492 || [CISCO-SDEE] Wurmark Virus Activity || url,wiki.quadrantsec.com/bin/view/Main/6105492 6105493 || [CISCO-SDEE] Llsrpc Bind || url,wiki.quadrantsec.com/bin/view/Main/6105493 6105494 || [CISCO-SDEE] Webview Script Injection || url,wiki.quadrantsec.com/bin/view/Main/6105494 6105495 || [CISCO-SDEE] LDAP Active Directory Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105495 6105496 || [CISCO-SDEE] License Logging Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105496 6105497 || [CISCO-SDEE] SMTP BDAT Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105497 6105498 || [CISCO-SDEE] Media Player IE Zone Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105498 6105499 || [CISCO-SDEE] HTML Link in Object Tag in IE || url,wiki.quadrantsec.com/bin/view/Main/6105499 6105500 || [CISCO-SDEE] IE .asp File Execution || url,wiki.quadrantsec.com/bin/view/Main/6105500 6105501 || [CISCO-SDEE] IE ActiveX ADODB Stream || url,wiki.quadrantsec.com/bin/view/Main/6105501 6105502 || [CISCO-SDEE] Llssrv RPC Activity || url,wiki.quadrantsec.com/bin/view/Main/6105502 6105503 || [CISCO-SDEE] Object Creation In IE Local Zone || url,wiki.quadrantsec.com/bin/view/Main/6105503 6105504 || [CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105504 6105505 || [CISCO-SDEE] RIP Trace || url,wiki.quadrantsec.com/bin/view/Main/6105505 
6105506 || [CISCO-SDEE] Back Orifice Ping || url,wiki.quadrantsec.com/bin/view/Main/6105506 6105507 || [CISCO-SDEE] Unreal Engine /secure/ Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105507 6105508 || [CISCO-SDEE] Malformed IKE Packet DoS || url,wiki.quadrantsec.com/bin/view/Main/6105508 6105509 || [CISCO-SDEE] Tftp Passwd File || url,wiki.quadrantsec.com/bin/view/Main/6105509 6105510 || [CISCO-SDEE] Cisco TFTPD Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105510 6105511 || [CISCO-SDEE] Ascend Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105511 6105512 || [CISCO-SDEE] Cisco SNMP Message Processing DoS || url,wiki.quadrantsec.com/bin/view/Main/6105512 6105513 || [CISCO-SDEE] SNMP Community String Public || url,wiki.quadrantsec.com/bin/view/Main/6105513 6105514 || [CISCO-SDEE] Cisco IP VC Embedded Community Names || url,wiki.quadrantsec.com/bin/view/Main/6105514 6105515 || [CISCO-SDEE] IE DHTML Edit Control || url,wiki.quadrantsec.com/bin/view/Main/6105515 6105516 || [CISCO-SDEE] FTP Wildcard DoS || url,wiki.quadrantsec.com/bin/view/Main/6105516 6105517 || [CISCO-SDEE] AnswerBook2 Format String || url,wiki.quadrantsec.com/bin/view/Main/6105517 6105518 || [CISCO-SDEE] Quake Server Connect DoS || url,wiki.quadrantsec.com/bin/view/Main/6105518 6105519 || [CISCO-SDEE] IE Popup Blocker Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105519 6105520 || [CISCO-SDEE] XEXCH50 Command Usage || url,wiki.quadrantsec.com/bin/view/Main/6105520 6105521 || [CISCO-SDEE] Nested Array Sort Loop DoS || url,wiki.quadrantsec.com/bin/view/Main/6105521 6105523 || [CISCO-SDEE] Jet Database Engine Shell Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105523 6105524 || [CISCO-SDEE] Font Tag Split || url,wiki.quadrantsec.com/bin/view/Main/6105524 6105525 || [CISCO-SDEE] Outlook Express Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105525 6105526 || [CISCO-SDEE] Telnet Environment Option Information Disclosure || 
url,wiki.quadrantsec.com/bin/view/Main/6105526 6105527 || [CISCO-SDEE] IIS Index HTW Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105527 6105528 || [CISCO-SDEE] IIS5 SEARCH overflow || url,wiki.quadrantsec.com/bin/view/Main/6105528 6105529 || [CISCO-SDEE] CheckPoint Firewall RDP ByPass || url,wiki.quadrantsec.com/bin/view/Main/6105529 6105530 || [CISCO-SDEE] DHCP Discover || url,wiki.quadrantsec.com/bin/view/Main/6105530 6105531 || [CISCO-SDEE] IE Status Bar Spoof || url,wiki.quadrantsec.com/bin/view/Main/6105531 6105532 || [CISCO-SDEE] Back Door Deltasource || url,wiki.quadrantsec.com/bin/view/Main/6105532 6105533 || [CISCO-SDEE] Back Door Remote Boot Tool || url,wiki.quadrantsec.com/bin/view/Main/6105533 6105534 || [CISCO-SDEE] KaZaA UDP Client Probe || url,wiki.quadrantsec.com/bin/view/Main/6105534 6105535 || [CISCO-SDEE] Overnet Client Scan || url,wiki.quadrantsec.com/bin/view/Main/6105535 6105536 || [CISCO-SDEE] Gnutella File Search || url,wiki.quadrantsec.com/bin/view/Main/6105536 6105537 || [CISCO-SDEE] ICQ Client DNS Request || url,wiki.quadrantsec.com/bin/view/Main/6105537 6105538 || [CISCO-SDEE] AIM Client DNS request || url,wiki.quadrantsec.com/bin/view/Main/6105538 6105539 || [CISCO-SDEE] Yahoo Messenger Client DNS Request || url,wiki.quadrantsec.com/bin/view/Main/6105539 6105540 || [CISCO-SDEE] MSN Messenger Client DNS Request || url,wiki.quadrantsec.com/bin/view/Main/6105540 6105541 || [CISCO-SDEE] Modem DoS || url,wiki.quadrantsec.com/bin/view/Main/6105541 6105543 || [CISCO-SDEE] PingTunnel ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6105543 6105544 || [CISCO-SDEE] Back Door Blaaaaa || url,wiki.quadrantsec.com/bin/view/Main/6105544 6105545 || [CISCO-SDEE] HTTP Request Smuggling Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105545 6105546 || [CISCO-SDEE] Internet Key Exchange DoS || url,wiki.quadrantsec.com/bin/view/Main/6105546 6105547 || [CISCO-SDEE] SMB File Name Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105547 6105548 || [CISCO-SDEE] Veritas Backup Exec Windows Remote Agent Password Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105548 6105549 || [CISCO-SDEE] Evolution Message Size Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105549 6105551 || [CISCO-SDEE] Outlook Web Access Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105551 6105552 || [CISCO-SDEE] Windows Media Player Skin File Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105552 6105553 || [CISCO-SDEE] Finger and cFinger Double Star User List Search || url,wiki.quadrantsec.com/bin/view/Main/6105553 6105554 || [CISCO-SDEE] IE Object Tag Overflow Runtime Script Exploit || url,wiki.quadrantsec.com/bin/view/Main/6105554 6105555 || [CISCO-SDEE] Cisco ONS Telnet DOS || url,wiki.quadrantsec.com/bin/view/Main/6105555 6105556 || [CISCO-SDEE] Javaprxy.dll Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105556 6105557 || [CISCO-SDEE] Windows ICC Color Management Module Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105557 6105558 || [CISCO-SDEE] Webcart Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105558 6105559 || [CISCO-SDEE] FTP Format String || url,wiki.quadrantsec.com/bin/view/Main/6105559 6105560 || [CISCO-SDEE] MailEnable IMAP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105560 6105561 || [CISCO-SDEE] Windows SMTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105561 6105562 || [CISCO-SDEE] Qpopper Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105562 6105564 || [CISCO-SDEE] ARCserve Backup MS-SQL Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105564 6105565 || [CISCO-SDEE] Print Spooler Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105565 6105566 || [CISCO-SDEE] Potential IE Cross Frame Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105566 6105567 || [CISCO-SDEE] Veritas Backup Exec Remote Registry Access || 
url,wiki.quadrantsec.com/bin/view/Main/6105567 6105568 || [CISCO-SDEE] Veritas Backup Exec Agent Remote File Access || url,wiki.quadrantsec.com/bin/view/Main/6105568 6105569 || [CISCO-SDEE] MDaemon Imap Authentication Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105569 6105570 || [CISCO-SDEE] ZOTOB Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6105570 6105571 || [CISCO-SDEE] RBOT.CBQ Worm Activity || url,wiki.quadrantsec.com/bin/view/Main/6105571 6105572 || [CISCO-SDEE] Design Tools Diagram Surface ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6105572 6105573 || [CISCO-SDEE] Novell eDirectory Server iMonitor Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105573 6105574 || [CISCO-SDEE] OpenView Network Node Manager Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105574 6105575 || [CISCO-SDEE] NBT NetBIOS Session Service Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6105575 6105576 || [CISCO-SDEE] SMB Login successful with Guest Privileges || url,wiki.quadrantsec.com/bin/view/Main/6105576 6105577 || [CISCO-SDEE] SMB NULL login attempt || url,wiki.quadrantsec.com/bin/view/Main/6105577 6105578 || [CISCO-SDEE] SMB 95 98 Password File Access || url,wiki.quadrantsec.com/bin/view/Main/6105578 6105579 || [CISCO-SDEE] SMB Remote Registry Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105579 6105580 || [CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105580 6105581 || [CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105581 6105582 || [CISCO-SDEE] NetBIOS Enum Share DoS || url,wiki.quadrantsec.com/bin/view/Main/6105582 6105583 || [CISCO-SDEE] SMB Remote SAM Service Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105583 6105584 || [CISCO-SDEE] SMB .eml email file remote access || url,wiki.quadrantsec.com/bin/view/Main/6105584 6105585 || [CISCO-SDEE] SMB Suspicious Password Usage || 
url,wiki.quadrantsec.com/bin/view/Main/6105585 6105586 || [CISCO-SDEE] Windows Locator Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105586 6105587 || [CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105587 6105588 || [CISCO-SDEE] Windows DCOM Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105588 6105589 || [CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105589 6105590 || [CISCO-SDEE] SMB User Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6105590 6105591 || [CISCO-SDEE] SMB Windows Share Enumeration || url,wiki.quadrantsec.com/bin/view/Main/6105591 6105592 || [CISCO-SDEE] SMB RFPoison Attack || url,wiki.quadrantsec.com/bin/view/Main/6105592 6105593 || [CISCO-SDEE] SMB NIMDA Infected File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6105593 6105594 || [CISCO-SDEE] Samba call_trans2open Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105594 6105595 || [CISCO-SDEE] Windows Startup Folder Remote Access || url,wiki.quadrantsec.com/bin/view/Main/6105595 6105596 || [CISCO-SDEE] Windows SMB/RPC NoOp Sled || url,wiki.quadrantsec.com/bin/view/Main/6105596 6105597 || [CISCO-SDEE] SMB MSRPC Messenger Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105597 6105598 || [CISCO-SDEE] Windows Workstation Service Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105598 6105599 || [CISCO-SDEE] Anig Worm File Transfer || url,wiki.quadrantsec.com/bin/view/Main/6105599 6105600 || [CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105600 6105601 || [CISCO-SDEE] Windows LSASS RPC Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105601 6105602 || [CISCO-SDEE] Windows System32 Directory File Access || url,wiki.quadrantsec.com/bin/view/Main/6105602 6105603 || [CISCO-SDEE] MSRPC Protocol violation || url,wiki.quadrantsec.com/bin/view/Main/6105603 6105605 || [CISCO-SDEE] Windows Account Locked 
|| url,wiki.quadrantsec.com/bin/view/Main/6105605 6105606 || [CISCO-SDEE] SMB Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6105606 6105608 || [CISCO-SDEE] Network Supervisor Directory Traversal Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105608 6105609 || [CISCO-SDEE] IE COM Object Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105609 6105610 || [CISCO-SDEE] Cacti Graph_Image.PHP Remote Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105610 6105611 || [CISCO-SDEE] WordPress Cookie cache_lastpostdate Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105611 6105612 || [CISCO-SDEE] DNP3 - Unsolicited Response Storm || url,wiki.quadrantsec.com/bin/view/Main/6105612 6105613 || [CISCO-SDEE] DNP3 - Cold Restart Request || url,wiki.quadrantsec.com/bin/view/Main/6105613 6105614 || [CISCO-SDEE] DNP3 - Disable Unsolicited Responses || url,wiki.quadrantsec.com/bin/view/Main/6105614 6105615 || [CISCO-SDEE] DNP3 - Read Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105615 6105616 || [CISCO-SDEE] DNP3 - Stop Application || url,wiki.quadrantsec.com/bin/view/Main/6105616 6105617 || [CISCO-SDEE] DNP3 - Warm Restart || url,wiki.quadrantsec.com/bin/view/Main/6105617 6105618 || [CISCO-SDEE] DNP3 - Broadcast Request || url,wiki.quadrantsec.com/bin/view/Main/6105618 6105619 || [CISCO-SDEE] Non-DNP3 Communication on a DNP3 Port || url,wiki.quadrantsec.com/bin/view/Main/6105619 6105620 || [CISCO-SDEE] DNP3 - Write Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105620 6105621 || [CISCO-SDEE] DNP3 - Miscellaneous Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105621 6105622 || [CISCO-SDEE] Modbus TCP - Force Listen Only Mode || url,wiki.quadrantsec.com/bin/view/Main/6105622 6105623 || [CISCO-SDEE] Modbus TCP - Restart Communications Option || url,wiki.quadrantsec.com/bin/view/Main/6105623 6105624 || [CISCO-SDEE] Modbus TCP - Clear Counters and Diagnostic Registers 
|| url,wiki.quadrantsec.com/bin/view/Main/6105624 6105625 || [CISCO-SDEE] Modbus TCP - Read Device Identification || url,wiki.quadrantsec.com/bin/view/Main/6105625 6105626 || [CISCO-SDEE] Modbus TCP - Report Server Information || url,wiki.quadrantsec.com/bin/view/Main/6105626 6105627 || [CISCO-SDEE] Modbus TCP - Illegal Packet Size || url,wiki.quadrantsec.com/bin/view/Main/6105627 6105628 || [CISCO-SDEE] Modbus Slave Device Busy Exception Code Delay || url,wiki.quadrantsec.com/bin/view/Main/6105628 6105629 || [CISCO-SDEE] Modbus Acknowledge Exception Code Delay || url,wiki.quadrantsec.com/bin/view/Main/6105629 6105630 || [CISCO-SDEE] Modbus TCP - Read Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105630 6105631 || [CISCO-SDEE] Modbus TCP - Write Request to a PLC || url,wiki.quadrantsec.com/bin/view/Main/6105631 6105632 || [CISCO-SDEE] Modbus TCP - Non-Modbus Communication || url,wiki.quadrantsec.com/bin/view/Main/6105632 6105633 || [CISCO-SDEE] .HTR Source View || url,wiki.quadrantsec.com/bin/view/Main/6105633 6105634 || [CISCO-SDEE] Barracuda Spam Firewall Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105634 6105635 || [CISCO-SDEE] Plug and Play Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105635 6105636 || [CISCO-SDEE] vBulletin Template PHP Code Injection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105636 6105637 || [CISCO-SDEE] Internet Explorer FTP Download Path Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105637 6105638 || [CISCO-SDEE] PHP Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105638 6105639 || [CISCO-SDEE] Web View Script Injection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105639 6105640 || [CISCO-SDEE] XML Race Condition in Internet Explorer || url,wiki.quadrantsec.com/bin/view/Main/6105640 6105641 || [CISCO-SDEE] MS DTC DoS || url,wiki.quadrantsec.com/bin/view/Main/6105641 6105642 || [CISCO-SDEE] DirectShow Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105642 6105643 || [CISCO-SDEE] Sox WAV File Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105643 6105644 || [CISCO-SDEE] Client Service for NetWare Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105644 6105645 || [CISCO-SDEE] SSH URI Handler || url,wiki.quadrantsec.com/bin/view/Main/6105645 6105646 || [CISCO-SDEE] Gatekeeper Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105646 6105647 || [CISCO-SDEE] Savant Webserver Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105647 6105648 || [CISCO-SDEE] Tomcat Denial of Service Attack || url,wiki.quadrantsec.com/bin/view/Main/6105648 6105649 || [CISCO-SDEE] ESignal Remote Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105649 6105650 || [CISCO-SDEE] Finjan SurfinGate FHTTP Restart Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105650 6105651 || [CISCO-SDEE] Helix Server DoS || url,wiki.quadrantsec.com/bin/view/Main/6105651 6105652 || [CISCO-SDEE] FTP Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105652 6105653 || [CISCO-SDEE] Cisco WLSE/HSE Default Username || url,wiki.quadrantsec.com/bin/view/Main/6105653 6105654 || [CISCO-SDEE] FTP Root Drive Access Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105654 6105655 || [CISCO-SDEE] Cobalt RaQ Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105655 6105656 || [CISCO-SDEE] Oracle TNS Listener DoS || url,wiki.quadrantsec.com/bin/view/Main/6105656 6105657 || [CISCO-SDEE] AMLServer Local Path Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105657 6105658 || [CISCO-SDEE] Apache Tomcat JSP Engine DoS || url,wiki.quadrantsec.com/bin/view/Main/6105658 6105659 || [CISCO-SDEE] VMWare GSX Server Authentication Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105659 6105660 || [CISCO-SDEE] SquirrelMail Email Header Script Injection || url,wiki.quadrantsec.com/bin/view/Main/6105660 6105661 || [CISCO-SDEE] Long HTTP Request || 
url,wiki.quadrantsec.com/bin/view/Main/6105661 6105662 || [CISCO-SDEE] HTTP POST Content-Type Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105662 6105663 || [CISCO-SDEE] NoOp Sled On HTTPS Port || url,wiki.quadrantsec.com/bin/view/Main/6105663 6105664 || [CISCO-SDEE] Apache Tomcat Null Byte File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105664 6105665 || [CISCO-SDEE] Ultimate PHP Board Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105665 6105666 || [CISCO-SDEE] Unix chetcpasswd.cgi File Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105666 6105667 || [CISCO-SDEE] Site Searcher Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105667 6105668 || [CISCO-SDEE] Unauthenticated FTP Connection || url,wiki.quadrantsec.com/bin/view/Main/6105668 6105669 || [CISCO-SDEE] Arkeia Type 74 Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105669 6105671 || [CISCO-SDEE] IMAP Select Excessive Length || url,wiki.quadrantsec.com/bin/view/Main/6105671 6105672 || [CISCO-SDEE] Computer Associates Message Queuing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105672 6105673 || [CISCO-SDEE] NetBackup Format String || url,wiki.quadrantsec.com/bin/view/Main/6105673 6105674 || [CISCO-SDEE] Snort Back Orifice Preprocessor Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105674 6105675 || [CISCO-SDEE] HP-UX LPD Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105675 6105676 || [CISCO-SDEE] News Manager Lite Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105676 6105677 || [CISCO-SDEE] Helix Universal Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105677 6105678 || [CISCO-SDEE] AWStats Plugin Log Access || url,wiki.quadrantsec.com/bin/view/Main/6105678 6105679 || [CISCO-SDEE] Oracle TNS Listener Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6105679 6105680 || [CISCO-SDEE] Apache Line Feed DoS || url,wiki.quadrantsec.com/bin/view/Main/6105680 
6105681 || [CISCO-SDEE] ISC DHCP Daemon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105681 6105683 || [CISCO-SDEE] Vista Feed Headlines Gadget Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105683 6105684 || [CISCO-SDEE] Malformed SIP Packet || url,wiki.quadrantsec.com/bin/view/Main/6105684 6105685 || [CISCO-SDEE] WebBBS Command Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105685 6105686 || [CISCO-SDEE] Long POPPASSWD String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105686 6105687 || [CISCO-SDEE] IE Frame Cross Zone Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105687 6105688 || [CISCO-SDEE] RSA WebAgent Redirect Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105688 6105689 || [CISCO-SDEE] MSSQL Resolution Service Keep-Alive DoS || url,wiki.quadrantsec.com/bin/view/Main/6105689 6105692 || [CISCO-SDEE] Macromedia Flash Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105692 6105693 || [CISCO-SDEE] Metafile Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105693 6105694 || [CISCO-SDEE] Enhanced Metafile Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105694 6105695 || [CISCO-SDEE] Enhanced Metafile DoS || url,wiki.quadrantsec.com/bin/view/Main/6105695 6105696 || [CISCO-SDEE] Midi Decoder Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105696 6105697 || [CISCO-SDEE] Script in Email Body || url,wiki.quadrantsec.com/bin/view/Main/6105697 6105698 || [CISCO-SDEE] LanMan DoS || url,wiki.quadrantsec.com/bin/view/Main/6105698 6105699 || [CISCO-SDEE] SalesLogix File Upload Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105699 6105700 || [CISCO-SDEE] PHP cURL Arbitrary File Access || url,wiki.quadrantsec.com/bin/view/Main/6105700 6105701 || [CISCO-SDEE] Oracle Soap Request || url,wiki.quadrantsec.com/bin/view/Main/6105701 6105703 || [CISCO-SDEE] Video Surveillance IP Gateway Encoder/Decoder Telnet Authentication Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6105703 6105705 || [CISCO-SDEE] iPlanet Web Server Remote Root Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105705 6105706 || [CISCO-SDEE] Persistent Content in a Dynamic Webpage || url,wiki.quadrantsec.com/bin/view/Main/6105706 6105708 || [CISCO-SDEE] SWAT Pre-Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105708 6105710 || [CISCO-SDEE] Eicar Standard Anti-Virus Test File || url,wiki.quadrantsec.com/bin/view/Main/6105710 6105711 || [CISCO-SDEE] Malformed URL || url,wiki.quadrantsec.com/bin/view/Main/6105711 6105713 || [CISCO-SDEE] Zip File Name Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105713 6105714 || [CISCO-SDEE] GKrellM Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105714 6105715 || [CISCO-SDEE] SAP Internet Transaction Server Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6105715 6105716 || [CISCO-SDEE] IOS Stack Group Bidding Protocol DoS || url,wiki.quadrantsec.com/bin/view/Main/6105716 6105717 || [CISCO-SDEE] Ipswitch SMTP Format String || url,wiki.quadrantsec.com/bin/view/Main/6105717 6105718 || [CISCO-SDEE] VERITAS NetBackup Volume Manager Daemon Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105718 6105720 || [CISCO-SDEE] Lyris ListManager SQL Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6105720 6105722 || [CISCO-SDEE] Google Appliance ProxyStyleSheet Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105722 6105723 || [CISCO-SDEE] Microsoft IIS .dll DoS || url,wiki.quadrantsec.com/bin/view/Main/6105723 6105724 || [CISCO-SDEE] Nikto Scan || url,wiki.quadrantsec.com/bin/view/Main/6105724 6105725 || [CISCO-SDEE] Novell NMAP Agent Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105725 6105726 || [CISCO-SDEE] Active Directory Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6105726 6105727 || [CISCO-SDEE] Cisco VPN 3000 Concentrator HTTP Attack Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6105727 6105728 || [CISCO-SDEE] Windows IGMP DoS || url,wiki.quadrantsec.com/bin/view/Main/6105728 6105729 || [CISCO-SDEE] Windows Media Player Browser Plug-in Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105729 6105730 || [CISCO-SDEE] Winamp Playlist File Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105730 6105731 || [CISCO-SDEE] Windows Media Player BMP Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105731 6105732 || [CISCO-SDEE] Web Client Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105732 6105733 || [CISCO-SDEE] Long HTTP Header Hostname || url,wiki.quadrantsec.com/bin/view/Main/6105733 6105734 || [CISCO-SDEE] IE isComponentInstalled() Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105734 6105735 || [CISCO-SDEE] Macromedia Flash Player ActionDefineFunction Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105735 6105736 || [CISCO-SDEE] WinVNC Client Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105736 6105737 || [CISCO-SDEE] Internet Explorer Action Handlers Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105737 6105738 || [CISCO-SDEE] Windows ACS Registry Access || url,wiki.quadrantsec.com/bin/view/Main/6105738 6105739 || [CISCO-SDEE] Active Directory Failed Login || url,wiki.quadrantsec.com/bin/view/Main/6105739 6105740 || [CISCO-SDEE] Kerio Personal Firewall Remote Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105740 6105743 || [CISCO-SDEE] PeerCast Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105743 6105744 || [CISCO-SDEE] IMAP Login DoS || url,wiki.quadrantsec.com/bin/view/Main/6105744 6105745 || [CISCO-SDEE] FTP REST command || url,wiki.quadrantsec.com/bin/view/Main/6105745 6105746 || [CISCO-SDEE] FTP ALLO command || url,wiki.quadrantsec.com/bin/view/Main/6105746 6105747 || [CISCO-SDEE] MDAC Function Remote Code Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6105747 6105748 || [CISCO-SDEE] Non-SMTP Session Start || url,wiki.quadrantsec.com/bin/view/Main/6105748 6105749 || [CISCO-SDEE] Internet Explorer Double Byte Character Parsing || url,wiki.quadrantsec.com/bin/view/Main/6105749 6105750 || [CISCO-SDEE] WLSE Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105750 6105751 || [CISCO-SDEE] Ultr@VNC Client Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105751 6105752 || [CISCO-SDEE] Sybase EAServer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105752 6105753 || [CISCO-SDEE] Office Mailto Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105753 6105754 || [CISCO-SDEE] PAJAX Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105754 6105756 || [CISCO-SDEE] Embedded TCP Connection Relay || url,wiki.quadrantsec.com/bin/view/Main/6105756 6105757 || [CISCO-SDEE] Microsoft Exchange Server Cross-Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105757 6105758 || [CISCO-SDEE] Bomberclone Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105758 6105759 || [CISCO-SDEE] VNC Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105759 6105760 || [CISCO-SDEE] Novell GroupWise Messenger Accept-Language Value Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105760 6105761 || [CISCO-SDEE] Ultr@VNC Server Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105761 6105763 || [CISCO-SDEE] Wireless Control System Cross Server Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105763 6105764 || [CISCO-SDEE] ShixxNOTE Font Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105764 6105765 || [CISCO-SDEE] Horde Help Viewer Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105765 6105766 || [CISCO-SDEE] DNS Resolution Response Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105766 6105767 || [CISCO-SDEE] FreeSSHd Key Exchange Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105767 6105768 || [CISCO-SDEE] Warez Activity || url,wiki.quadrantsec.com/bin/view/Main/6105768 6105769 || [CISCO-SDEE] Malformed HTTP Request || url,wiki.quadrantsec.com/bin/view/Main/6105769 6105770 || [CISCO-SDEE] Cisco Secure ACS XSS || url,wiki.quadrantsec.com/bin/view/Main/6105770 6105771 || [CISCO-SDEE] Winny Activity || url,wiki.quadrantsec.com/bin/view/Main/6105771 6105772 || [CISCO-SDEE] ASP.NET Information Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105772 6105773 || [CISCO-SDEE] Simple PHP Blog Unauthorized File Access || url,wiki.quadrantsec.com/bin/view/Main/6105773 6105774 || [CISCO-SDEE] Windows Media Player PNG Processing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105774 6105775 || [CISCO-SDEE] MHTML Redirection || url,wiki.quadrantsec.com/bin/view/Main/6105775 6105776 || [CISCO-SDEE] Routing and Remote Access Service Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105776 6105777 || [CISCO-SDEE] Mozilla Favicon Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105777 6105778 || [CISCO-SDEE] Windows Uplddrvinfo.htm File Deletion Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105778 6105779 || [CISCO-SDEE] ICCP COTP Connection Request || url,wiki.quadrantsec.com/bin/view/Main/6105779 6105780 || [CISCO-SDEE] ICCP COTP Connection Established || url,wiki.quadrantsec.com/bin/view/Main/6105780 6105781 || [CISCO-SDEE] ICCP Client Association || url,wiki.quadrantsec.com/bin/view/Main/6105781 6105782 || [CISCO-SDEE] ICCP MMS Write Request Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105782 6105783 || [CISCO-SDEE] ICCP MMS Write Request Succeeded || url,wiki.quadrantsec.com/bin/view/Main/6105783 6105784 || [CISCO-SDEE] ICCP COTP Address Unknown Disconnect || url,wiki.quadrantsec.com/bin/view/Main/6105784 6105785 || [CISCO-SDEE] ICCP COTP Protocol Error Disconnect || url,wiki.quadrantsec.com/bin/view/Main/6105785 6105786 || [CISCO-SDEE] ICCP 
Invalid OSI SSEL || url,wiki.quadrantsec.com/bin/view/Main/6105786 6105787 || [CISCO-SDEE] ICCP Invalid OSI PSEL || url,wiki.quadrantsec.com/bin/view/Main/6105787 6105788 || [CISCO-SDEE] ICCP Invalid TPKT Protocol || url,wiki.quadrantsec.com/bin/view/Main/6105788 6105789 || [CISCO-SDEE] HTTP Tunnel Client Activity || url,wiki.quadrantsec.com/bin/view/Main/6105789 6105790 || [CISCO-SDEE] CS-MARS JBoss Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105790 6105792 || [CISCO-SDEE] Excel Hyperlink Object Library Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105792 6105793 || [CISCO-SDEE] SMB Server Driver Remote Execution || url,wiki.quadrantsec.com/bin/view/Main/6105793 6105794 || [CISCO-SDEE] Routing and Remote Access Service RASMAN Registry Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105794 6105795 || [CISCO-SDEE] DHCP Option Overflow Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105795 6105796 || [CISCO-SDEE] Cisco IOS HTTP Unauthorized Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105796 6105797 || [CISCO-SDEE] Exchange Calendar DoS || url,wiki.quadrantsec.com/bin/view/Main/6105797 6105798 || [CISCO-SDEE] Mambo PHP sbp File Inclusion Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105798 6105799 || [CISCO-SDEE] Server Service Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105799 6105800 || [CISCO-SDEE] HTTP Large Content-Type || url,wiki.quadrantsec.com/bin/view/Main/6105800 6105801 || [CISCO-SDEE] Quicktime JPEG Code Execution Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105801 6105802 || [CISCO-SDEE] MHTML URI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105802 6105803 || [CISCO-SDEE] Sygate Login Servlet SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105803 6105804 || [CISCO-SDEE] VPN3000 Concentrator Unauthenticated FTP Access || url,wiki.quadrantsec.com/bin/view/Main/6105804 6105805 || [CISCO-SDEE] VPN3000 Concentrator FTP RMD Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6105805 6105806 || [CISCO-SDEE] Winny P2P Connection Activity || url,wiki.quadrantsec.com/bin/view/Main/6105806 6105807 || [CISCO-SDEE] Indexing Service Cross Site Scripting Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105807 6105809 || [CISCO-SDEE] DCERPC Authentication DoS || url,wiki.quadrantsec.com/bin/view/Main/6105809 6105810 || [CISCO-SDEE] SecureCRT SSH1 Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105810 6105812 || [CISCO-SDEE] Cisco IPS SSL DOS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105812 6105813 || [CISCO-SDEE] Microsoft Internet Explorer Vector Markup Language Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105813 6105814 || [CISCO-SDEE] Step-by-Step Interactive Training Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105814 6105815 || [CISCO-SDEE] WebViewFolderIcon setSlice() Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105815 6105816 || [CISCO-SDEE] TOR Client Activity || url,wiki.quadrantsec.com/bin/view/Main/6105816 6105817 || [CISCO-SDEE] ASP .NET Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105817 6105818 || [CISCO-SDEE] Metasploit Shellcode Encoder || url,wiki.quadrantsec.com/bin/view/Main/6105818 6105819 || [CISCO-SDEE] Long FTP XCRC XSHA1 XMD5 Command || url,wiki.quadrantsec.com/bin/view/Main/6105819 6105820 || [CISCO-SDEE] Symantec AntiVirus and Client Security Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105820 6105821 || [CISCO-SDEE] DirectAnimation ActiveX Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105821 6105822 || [CISCO-SDEE] Workstation Service Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105822 6105823 || [CISCO-SDEE] McAfee Epolicy Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105823 6105824 || [CISCO-SDEE] HTTP Header DoS || url,wiki.quadrantsec.com/bin/view/Main/6105824 6105825 || [CISCO-SDEE] SIP Malformed Invite Packet || 
url,wiki.quadrantsec.com/bin/view/Main/6105825 6105826 || [CISCO-SDEE] EIQ ESA Topology Delete Device Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105826 6105827 || [CISCO-SDEE] Internet Explorer ActiveX Control Arbitrary Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105827 6105828 || [CISCO-SDEE] Apache Server Side Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105828 6105829 || [CISCO-SDEE] Invalid SSL Packet || url,wiki.quadrantsec.com/bin/view/Main/6105829 6105830 || [CISCO-SDEE] Cisco Secure Access Control Server HTTP Request Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105830 6105831 || [CISCO-SDEE] Cisco Secure Access Control Server RADIUS Accounting Request Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105831 6105832 || [CISCO-SDEE] IOS Crafted IP Option Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105832 6105833 || [CISCO-SDEE] Quicktime RTSP URL Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105833 6105835 || [CISCO-SDEE] Cisco IOS SIP DoS Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105835 6105837 || [CISCO-SDEE] Malformed TCP packet || url,wiki.quadrantsec.com/bin/view/Main/6105837 6105838 || [CISCO-SDEE] IOS NAM SNMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6105838 6105839 || [CISCO-SDEE] Internet Explorer FTP Server Response Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105839 6105840 || [CISCO-SDEE] Internet Explorer CLSID Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105840 6105841 || [CISCO-SDEE] CatOS NAM SNMP Traffic || url,wiki.quadrantsec.com/bin/view/Main/6105841 6105842 || [CISCO-SDEE] Solaris Telnet Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105842 6105843 || [CISCO-SDEE] CA BrightStor Tape Engine Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105843 6105845 || [CISCO-SDEE] Word Memory Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6105845 6105846 || [CISCO-SDEE] FTP 230 Reply Code 
|| url,wiki.quadrantsec.com/bin/view/Main/6105846 6105847 || [CISCO-SDEE] FTP Successful Privileged Login || url,wiki.quadrantsec.com/bin/view/Main/6105847 6105848 || [CISCO-SDEE] Content Management Service Cross-site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105848 6105849 || [CISCO-SDEE] Microsoft Content Management Server Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105849 6105850 || [CISCO-SDEE] Snort DCE/RPC Preprocessor Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105850 6105851 || [CISCO-SDEE] WCS Administrative Directory Access || url,wiki.quadrantsec.com/bin/view/Main/6105851 6105852 || [CISCO-SDEE] Word Malformed String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105852 6105853 || [CISCO-SDEE] SIP Invite DoS || url,wiki.quadrantsec.com/bin/view/Main/6105853 6105854 || [CISCO-SDEE] Cisco CUCM/CUPS Denial of Service Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105854 6105855 || [CISCO-SDEE] Helix Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105855 6105856 || [CISCO-SDEE] Agent URL Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105856 6105857 || [CISCO-SDEE] UPnP Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105857 6105858 || [CISCO-SDEE] DNS Server RPC Interface Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105858 6105859 || [CISCO-SDEE] uTorrent File Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105859 6105860 || [CISCO-SDEE] IOS FTPd Successful Login || url,wiki.quadrantsec.com/bin/view/Main/6105860 6105861 || [CISCO-SDEE] Cisco CNS Netflow Collection Engine Default Password || url,wiki.quadrantsec.com/bin/view/Main/6105861 6105862 || [CISCO-SDEE] Outlook Web Access UTF Character Script Execution || url,wiki.quadrantsec.com/bin/view/Main/6105862 6105863 || [CISCO-SDEE] Internet Explorer CAPICOM.Certificates Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105863 6105864 || 
[CISCO-SDEE] Exchange Server IMAP Literal Processing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105864 6105865 || [CISCO-SDEE] Microsoft WMS Arbitrary File Rewrite Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105865 6105866 || [CISCO-SDEE] IBM Lotus Domino IMAP CRAM-MD5 Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105866 6105868 || [CISCO-SDEE] IE Navigation Cancel Page Spoofing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105868 6105869 || [CISCO-SDEE] Internet Explorer CSS Tag Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105869 6105870 || [CISCO-SDEE] Win32 API Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105870 6105871 || [CISCO-SDEE] Urlmon.dll COM Object Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6105871 6105873 || [CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105873 6105874 || [CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105874 6105876 || [CISCO-SDEE] WinZip ActiveX Control Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6105876 6105877 || [CISCO-SDEE] IE Protocol Handler Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6105877 6105878 || [CISCO-SDEE] VBE Object ID Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105878 6105879 || [CISCO-SDEE] Apple QuickTime Java QTPointer Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105879 6105880 || [CISCO-SDEE] Sun Java Web Start JNLP File Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105880 6105884 || [CISCO-SDEE] IOS NHRP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105884 6105885 || [CISCO-SDEE] EnjoySAP kweditcontrol.kwedit Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105885 6105886 || [CISCO-SDEE] Sun Java Socks Proxy Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105886 6105887 || [CISCO-SDEE] Microsoft PDWizard ActiveX Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6105887 6105888 || [CISCO-SDEE] TLBINF32.DLL COM Object Instantiation || url,wiki.quadrantsec.com/bin/view/Main/6105888 6105889 || [CISCO-SDEE] NeoTrace ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105889 6105890 || [CISCO-SDEE] Long IMAP SUBSCRIBE Command || url,wiki.quadrantsec.com/bin/view/Main/6105890 6105892 || [CISCO-SDEE] Motive Communications ActiveUtils Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105892 6105893 || [CISCO-SDEE] Cisco IP Phone Remote Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105893 6105894 || [CISCO-SDEE] Storm Worm || url,wiki.quadrantsec.com/bin/view/Main/6105894 6105898 || [CISCO-SDEE] Microsoft Agent HTTP Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105898 6105899 || [CISCO-SDEE] MSN Messenger Webcam Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105899 6105902 || [CISCO-SDEE] AIM Message HTML Injection || url,wiki.quadrantsec.com/bin/view/Main/6105902 6105903 || [CISCO-SDEE] MS SharePoint XSS || url,wiki.quadrantsec.com/bin/view/Main/6105903 6105905 || [CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoof || url,wiki.quadrantsec.com/bin/view/Main/6105905 6105906 || [CISCO-SDEE] Microsoft Malformed Word Document Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105906 6105908 || [CISCO-SDEE] NNTP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105908 6105909 || [CISCO-SDEE] Browser Address Bar Spoofing Attack || url,wiki.quadrantsec.com/bin/view/Main/6105909 6105910 || [CISCO-SDEE] CUCM Centralized TFTP File Locator Service Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105910 6105912 || [CISCO-SDEE] CUCM SIP INVITE UDP Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6105912 6105913 || [CISCO-SDEE] PIX/ASA/FWSM MGCP DoS || url,wiki.quadrantsec.com/bin/view/Main/6105913 6105915 || [CISCO-SDEE] Microsoft FoxPro ActiveX Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105915 
6105916 || [CISCO-SDEE] URL Handler Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105916 6105918 || [CISCO-SDEE] AskJeeves Toolbar ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105918 6105919 || [CISCO-SDEE] Microsoft Kodak Image Viewer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105919 6105920 || [CISCO-SDEE] Apple Quicktime VRPanoSampleAtom Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105920 6105921 || [CISCO-SDEE] Apple Quicktime Color Table Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105921 6105922 || [CISCO-SDEE] BEA WebLogic Admin Console Cross Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6105922 6105923 || [CISCO-SDEE] Microsoft Internet Explorer FTP Client Directory Traversal issue || url,wiki.quadrantsec.com/bin/view/Main/6105923 6105924 || [CISCO-SDEE] Mozilla Browsers JavaScript Argument Passing Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105924 6105925 || [CISCO-SDEE] Internet Explorer HTML Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105925 6105926 || [CISCO-SDEE] Oracle ctxsys.driload Access Violation Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105926 6105927 || [CISCO-SDEE] Novell GroupWise WebAccess Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105927 6105928 || [CISCO-SDEE] CSA for Windows System Driver Remote Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105928 6105929 || [CISCO-SDEE] McAfee VirusScan File Name Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105929 6105930 || [CISCO-SDEE] Generic SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105930 6105931 || [CISCO-SDEE] Google Ratproxy || url,wiki.quadrantsec.com/bin/view/Main/6105931 6105933 || [CISCO-SDEE] Oracle Database DBMS_Scheduler Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6105933 6105934 || [CISCO-SDEE] Winamp MP4 Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105934 
6105935 || [CISCO-SDEE] Quicktime FlipFileTypeAtom_BtoN Underflow || url,wiki.quadrantsec.com/bin/view/Main/6105935 6105936 || [CISCO-SDEE] QuickTime MOV Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105936 6105937 || [CISCO-SDEE] Oracle Database SUBSCRIPTION_NAME Parameter SQL Injection || url,wiki.quadrantsec.com/bin/view/Main/6105937 6105938 || [CISCO-SDEE] Oracle Database sys.pbsde.init Procedure Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105938 6105939 || [CISCO-SDEE] Word Text Box Memory Curruption || url,wiki.quadrantsec.com/bin/view/Main/6105939 6105940 || [CISCO-SDEE] HTML Objects Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105940 6105941 || [CISCO-SDEE] Windows CSRSS Message Box Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105941 6105942 || [CISCO-SDEE] Yahoo Messenger AudioConf ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105942 6105943 || [CISCO-SDEE] Oracle Database Server SQL Query Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105943 6105944 || [CISCO-SDEE] eTrust IDS Encryption Key DoS || url,wiki.quadrantsec.com/bin/view/Main/6105944 6105945 || [CISCO-SDEE] MS IE Cross Frame Scripting Restriction Bypass || url,wiki.quadrantsec.com/bin/view/Main/6105945 6105948 || [CISCO-SDEE] Ingres Database uuid_from_char() Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105948 6105949 || [CISCO-SDEE] Multiple HP Web Jetadmin Vulnerabilities || url,wiki.quadrantsec.com/bin/view/Main/6105949 6105950 || [CISCO-SDEE] Excel Malformed String Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105950 6105951 || [CISCO-SDEE] BrightStor ARCserve Backup MSRPC Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105951 6105952 || [CISCO-SDEE] WordPerfect Importer/Exporter Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105952 6105953 || [CISCO-SDEE] Apache Tomcat Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6105953 
6105954 || [CISCO-SDEE] ePolicy Orchestrator SiteManager ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105954 6105955 || [CISCO-SDEE] QuickTime udta Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105955 6105956 || [CISCO-SDEE] Multiple Vendor SOAP DoS || url,wiki.quadrantsec.com/bin/view/Main/6105956 6105957 || [CISCO-SDEE] QuickTime Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105957 6105959 || [CISCO-SDEE] Citrix ICA Client ActiveX Control Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105959 6105960 || [CISCO-SDEE] Mozilla Regular Expressions Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105960 6105961 || [CISCO-SDEE] Oracle Database Server MD2 package SDO_CODE_SIZE procedure Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105961 6105963 || [CISCO-SDEE] Kerberos V5 Principal Name Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105963 6105966 || [CISCO-SDEE] Symantec Veritas NetBackup Server bpcd Long Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105966 6105967 || [CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105967 6105971 || [CISCO-SDEE] IE daxctle.ocx KeyFrame Memory Curruption || url,wiki.quadrantsec.com/bin/view/Main/6105971 6105972 || [CISCO-SDEE] QuickTime Movie Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105972 6105973 || [CISCO-SDEE] Publisher Font Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105973 6105974 || [CISCO-SDEE] Oracle Database Server SDO_CS.TRANSFORM_LAYER Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105974 6105975 || [CISCO-SDEE] Microsoft Windows Media Player ASX Playlist Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105975 6105976 || [CISCO-SDEE] Avast! 
Remote LHA Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105976 6105977 || [CISCO-SDEE] DB2 Handshake DoS || url,wiki.quadrantsec.com/bin/view/Main/6105977 6105978 || [CISCO-SDEE] MailEnable SMTP Service SPF Lookup Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105978 6105979 || [CISCO-SDEE] Microsoft Internet Explorer COM Object Instantiation Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105979 6105980 || [CISCO-SDEE] Microsoft Speech API Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105980 6105982 || [CISCO-SDEE] Visual Basic for Applications SDK Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105982 6105983 || [CISCO-SDEE] Microsoft Internet Explorer VML Buffer Overrun || url,wiki.quadrantsec.com/bin/view/Main/6105983 6105984 || [CISCO-SDEE] IE COM Object Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6105984 6105985 || [CISCO-SDEE] Quicktime RTSP Content-Type Excessive Length || url,wiki.quadrantsec.com/bin/view/Main/6105985 6105986 || [CISCO-SDEE] Microsoft GDI GIF Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105986 6105987 || [CISCO-SDEE] Mozilla Products SVG layout vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6105987 6105991 || [CISCO-SDEE] MaxDB WebDBM Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105991 6105993 || [CISCO-SDEE] IE COM Object Instantiation Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6105993 6105994 || [CISCO-SDEE] ImageMagick SGI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105994 6105997 || [CISCO-SDEE] eGatherer RunEgatherer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6105997 6105998 || [CISCO-SDEE] SYS.KUPW-WORKER Package MAIN Procedure SQL Injection Attempt || url,wiki.quadrantsec.com/bin/view/Main/6105998 6106000 || [CISCO-SDEE] Oracle Server Reports Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6106000 6106003 || [CISCO-SDEE] SNMP Community String Private || 
url,wiki.quadrantsec.com/bin/view/Main/6106003 6106004 || [CISCO-SDEE] IOS HTTP Server Iframe Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106004 6106005 || [CISCO-SDEE] Unencrypted SSL Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106005 6106007 || [CISCO-SDEE] Management Console Cross-Site Scripting || url,wiki.quadrantsec.com/bin/view/Main/6106007 6106008 || [CISCO-SDEE] First 4 Internet XCP Uninstallation ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106008 6106009 || [CISCO-SDEE] SYN Flood DOS || url,wiki.quadrantsec.com/bin/view/Main/6106009 6106011 || [CISCO-SDEE] Internet Explorer FTP Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106011 6106012 || [CISCO-SDEE] EIQ License Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106012 6106013 || [CISCO-SDEE] IRCBOT_JK DNS Lookup || url,wiki.quadrantsec.com/bin/view/Main/6106013 6106014 || [CISCO-SDEE] Flash Player Improper Memory Access || url,wiki.quadrantsec.com/bin/view/Main/6106014 6106015 || [CISCO-SDEE] Flash ActionDefineFunction Improper Memory Access || url,wiki.quadrantsec.com/bin/view/Main/6106015 6106016 || [CISCO-SDEE] RIM BlackBerry Enterprise Router DoS || url,wiki.quadrantsec.com/bin/view/Main/6106016 6106017 || [CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106017 6106020 || [CISCO-SDEE] QuickTime PictureViewer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106020 6106022 || [CISCO-SDEE] WebSphere J_Username Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106022 6106023 || [CISCO-SDEE] IE JavaScript window() DoS || url,wiki.quadrantsec.com/bin/view/Main/6106023 6106024 || [CISCO-SDEE] Firefox JavaScript Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106024 6106025 || [CISCO-SDEE] Jet DB Engine Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106025 6106026 || [CISCO-SDEE] Squid Gopher Protocol Handling Buffer Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106026 6106027 || [CISCO-SDEE] Outlook Word Malformed Object Tag || url,wiki.quadrantsec.com/bin/view/Main/6106027 6106030 || [CISCO-SDEE] Microsoft Windows Message Queuing Service Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106030 6106031 || [CISCO-SDEE] Mcafee FreeScan Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106031 6106039 || [CISCO-SDEE] DOMNodeRemoved Mutation Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106039 6106040 || [CISCO-SDEE] Symantec Scan Engine Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106040 6106041 || [CISCO-SDEE] Mozilla Firefox CSS Letter-Spacing Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106041 6106045 || [CISCO-SDEE] MHTTP Response Splitting || url,wiki.quadrantsec.com/bin/view/Main/6106045 6106046 || [CISCO-SDEE] InterNetNews NULL Path Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106046 6106047 || [CISCO-SDEE] TrendMicro InterScan Viruswall Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6106047 6106048 || [CISCO-SDEE] Oracle Database Server SQL SYS.KUPV Injection || url,wiki.quadrantsec.com/bin/view/Main/6106048 6106049 || [CISCO-SDEE] Oracle Database Server Login Access Control Bypass Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106049 6106050 || [CISCO-SDEE] DNS HINFO Request || url,wiki.quadrantsec.com/bin/view/Main/6106050 6106051 || [CISCO-SDEE] DNS Zone Transfer || url,wiki.quadrantsec.com/bin/view/Main/6106051 6106052 || [CISCO-SDEE] DNS Zone Transfer from High Port || url,wiki.quadrantsec.com/bin/view/Main/6106052 6106053 || [CISCO-SDEE] DNS Request for All Records || url,wiki.quadrantsec.com/bin/view/Main/6106053 6106054 || [CISCO-SDEE] DNS Version Request || url,wiki.quadrantsec.com/bin/view/Main/6106054 6106055 || [CISCO-SDEE] DNS Inverse Query Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106055 6106056 || [CISCO-SDEE] DNS NXT Buffer Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106056 6106057 || [CISCO-SDEE] DNS SIG Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106057 6106058 || [CISCO-SDEE] DNS SRV DoS || url,wiki.quadrantsec.com/bin/view/Main/6106058 6106059 || [CISCO-SDEE] DNS TSIG Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106059 6106060 || [CISCO-SDEE] DNS Complain Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106060 6106061 || [CISCO-SDEE] DNS Infoleak || url,wiki.quadrantsec.com/bin/view/Main/6106061 6106062 || [CISCO-SDEE] DNS Authors Request || url,wiki.quadrantsec.com/bin/view/Main/6106062 6106063 || [CISCO-SDEE] DNS Incremental Zone Transfer || url,wiki.quadrantsec.com/bin/view/Main/6106063 6106064 || [CISCO-SDEE] BIND Large OPT Record DoS || url,wiki.quadrantsec.com/bin/view/Main/6106064 6106065 || [CISCO-SDEE] DNS Query Name Loop DoS || url,wiki.quadrantsec.com/bin/view/Main/6106065 6106066 || [CISCO-SDEE] DNS Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106066 6106067 || [CISCO-SDEE] DNS TSIG Bugtraq Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106067 6106068 || [CISCO-SDEE] Cisco Wireless Control System Administrative Default Password || url,wiki.quadrantsec.com/bin/view/Main/6106068 6106069 || [CISCO-SDEE] Windows Media Format Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106069 6106070 || [CISCO-SDEE] Windows Media Format Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106070 6106071 || [CISCO-SDEE] Oracle Database Server XDB.DBMS_XMLSCHEMA Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106071 6106072 || [CISCO-SDEE] Visual Basic VBP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106072 6106073 || [CISCO-SDEE] Visual Studio Crystal Reports RPT File Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106073 6106074 || [CISCO-SDEE] DirectX RLE Compressed TGA Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106074 6106075 || [CISCO-SDEE] Mozilla SOAPParameter Integer Overflow 
|| url,wiki.quadrantsec.com/bin/view/Main/6106075 6106076 || [CISCO-SDEE] ISC BIND DNS resolver buffer overflow || url,wiki.quadrantsec.com/bin/view/Main/6106076 6106077 || [CISCO-SDEE] IE Malformed GIF File || url,wiki.quadrantsec.com/bin/view/Main/6106077 6106078 || [CISCO-SDEE] Outlook Web Access XSS || url,wiki.quadrantsec.com/bin/view/Main/6106078 6106079 || [CISCO-SDEE] ACDSee Products XPM Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106079 6106080 || [CISCO-SDEE] Adobe Products PNG Parsing || url,wiki.quadrantsec.com/bin/view/Main/6106080 6106081 || [CISCO-SDEE] Microsoft Excel BIFF Parsing || url,wiki.quadrantsec.com/bin/view/Main/6106081 6106082 || [CISCO-SDEE] Microsoft Excel Column Record Handling || url,wiki.quadrantsec.com/bin/view/Main/6106082 6106083 || [CISCO-SDEE] Microsoft Excel SetFont || url,wiki.quadrantsec.com/bin/view/Main/6106083 6106084 || [CISCO-SDEE] IE 7 HTML Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106084 6106085 || [CISCO-SDEE] IE Table Column Record Handling || url,wiki.quadrantsec.com/bin/view/Main/6106085 6106086 || [CISCO-SDEE] Windows Graphics Rendering Engine Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106086 6106087 || [CISCO-SDEE] Symantec ISAKMP DoS || url,wiki.quadrantsec.com/bin/view/Main/6106087 6106088 || [CISCO-SDEE] Windows Compressed Folders Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106088 6106089 || [CISCO-SDEE] PHP memory_limit Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106089 6106090 || [CISCO-SDEE] Libpng Chunk Length Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106090 6106091 || [CISCO-SDEE] Acrobat Reader File Extension Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106091 6106092 || [CISCO-SDEE] Qt BMP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106092 6106094 || [CISCO-SDEE] Nullsoft Winamp M3U Remote Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106094 6106095 || 
[CISCO-SDEE] Apache apr-util IPv6 URI Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106095 6106100 || [CISCO-SDEE] RPC Port Registration || url,wiki.quadrantsec.com/bin/view/Main/6106100 6106101 || [CISCO-SDEE] RPC Port Unregistration || url,wiki.quadrantsec.com/bin/view/Main/6106101 6106102 || [CISCO-SDEE] RPC Dump || url,wiki.quadrantsec.com/bin/view/Main/6106102 6106103 || [CISCO-SDEE] Proxied RPC Request || url,wiki.quadrantsec.com/bin/view/Main/6106103 6106104 || [CISCO-SDEE] RPC Port Reg Spoof || url,wiki.quadrantsec.com/bin/view/Main/6106104 6106105 || [CISCO-SDEE] RPC Port UnReg Spoof || url,wiki.quadrantsec.com/bin/view/Main/6106105 6106106 || [CISCO-SDEE] Cisco Secure ACS EAP-TLS Authentication Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106106 6106107 || [CISCO-SDEE] CVS File Existence Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106107 6106108 || [CISCO-SDEE] FreeRADIUS Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106108 6106110 || [CISCO-SDEE] RPC RSTATD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106110 6106111 || [CISCO-SDEE] RPC RUSESRD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106111 6106112 || [CISCO-SDEE] RPC NFS Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106112 6106113 || [CISCO-SDEE] RPC MOUNTD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106113 6106114 || [CISCO-SDEE] RPC YPASSWDD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106114 6106115 || [CISCO-SDEE] RPC SELECTION SVC Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106115 6106116 || [CISCO-SDEE] RPC REXD Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106116 6106117 || [CISCO-SDEE] RPC STATUS Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106117 6106118 || [CISCO-SDEE] RPC TTDB Sweep || url,wiki.quadrantsec.com/bin/view/Main/6106118 6106119 || [CISCO-SDEE] MySQL Authentication Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106119 6106120 || [CISCO-SDEE] RPC RSTATD Request || 
url,wiki.quadrantsec.com/bin/view/Main/6106120 6106121 || [CISCO-SDEE] RPC RUSESRD Request || url,wiki.quadrantsec.com/bin/view/Main/6106121 6106122 || [CISCO-SDEE] RPC NFS Request || url,wiki.quadrantsec.com/bin/view/Main/6106122 6106123 || [CISCO-SDEE] RPC MOUNTD Request || url,wiki.quadrantsec.com/bin/view/Main/6106123 6106124 || [CISCO-SDEE] RPC YPASSWDD Request || url,wiki.quadrantsec.com/bin/view/Main/6106124 6106125 || [CISCO-SDEE] RPC SELECTION SVC Request || url,wiki.quadrantsec.com/bin/view/Main/6106125 6106126 || [CISCO-SDEE] RPC REXD Request || url,wiki.quadrantsec.com/bin/view/Main/6106126 6106127 || [CISCO-SDEE] RPC STATUS Request || url,wiki.quadrantsec.com/bin/view/Main/6106127 6106128 || [CISCO-SDEE] RPC TTDB Request || url,wiki.quadrantsec.com/bin/view/Main/6106128 6106130 || [CISCO-SDEE] Microsoft Message Queuing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106130 6106131 || [CISCO-SDEE] Microsoft Plug and Play Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106131 6106132 || [CISCO-SDEE] Mod SSL- Mod Proxy Hook Format String || url,wiki.quadrantsec.com/bin/view/Main/6106132 6106133 || [CISCO-SDEE] Microsoft Excel Cell Length Buffer Overflow CVE-2004-0846 || url,wiki.quadrantsec.com/bin/view/Main/6106133 6106134 || [CISCO-SDEE] Microsoft ASP.NET Canonicalization || url,wiki.quadrantsec.com/bin/view/Main/6106134 6106135 || [CISCO-SDEE] Sun Solaris in.rwhod Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106135 6106137 || [CISCO-SDEE] Wordpad Default Font Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106137 6106138 || [CISCO-SDEE] Non-ASCII Hostname || url,wiki.quadrantsec.com/bin/view/Main/6106138 6106139 || [CISCO-SDEE] Malicious BMP File || url,wiki.quadrantsec.com/bin/view/Main/6106139 6106140 || [CISCO-SDEE] Squid ASN.1 Header Parsing Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106140 6106141 || [CISCO-SDEE] Macromedia JRun 4.x Server File Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106141 
6106142 || [CISCO-SDEE] Apache HTTP Server Mod_Cache Module DoS || url,wiki.quadrantsec.com/bin/view/Main/6106142 6106143 || [CISCO-SDEE] Borland Interbase Database Service Create-Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106143 6106144 || [CISCO-SDEE] X.Org X Font Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106144 6106145 || [CISCO-SDEE] Trend Micro ServerProtect TMregChange Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106145 6106146 || [CISCO-SDEE] Squid WCCP Message Receive Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106146 6106147 || [CISCO-SDEE] RealPlayer RealMedia Security Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106147 6106148 || [CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Off-by-one || url,wiki.quadrantsec.com/bin/view/Main/6106148 6106149 || [CISCO-SDEE] MySQL Arbitrary Library Injection || url,wiki.quadrantsec.com/bin/view/Main/6106149 6106150 || [CISCO-SDEE] ypserv Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106150 6106151 || [CISCO-SDEE] ypbind Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106151 6106152 || [CISCO-SDEE] yppasswdd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106152 6106153 || [CISCO-SDEE] ypupdated Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106153 6106154 || [CISCO-SDEE] ypxfrd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106154 6106155 || [CISCO-SDEE] mountd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106155 6106156 || [CISCO-SDEE] MIT Kerberos kadmind RPC Library Unix Authentication || url,wiki.quadrantsec.com/bin/view/Main/6106156 6106157 || [CISCO-SDEE] MIT Kerberos Kadmind Remote Code Injection || url,wiki.quadrantsec.com/bin/view/Main/6106157 6106158 || [CISCO-SDEE] MIT Kerberos Kadmind Rename Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106158 6106159 || [CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Request DoS || 
url,wiki.quadrantsec.com/bin/view/Main/6106159 6106160 || [CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106160 6106161 || [CISCO-SDEE] Ingres Database Communications Server Component Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106161 6106162 || [CISCO-SDEE] Ipswitch IMail Server Date String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106162 6106164 || [CISCO-SDEE] Microsoft Word Document Parsing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106164 6106165 || [CISCO-SDEE] nfs-utils TCP Connection Termination Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106165 6106166 || [CISCO-SDEE] Novell eDirectory HTTP Server Redirection Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106166 6106168 || [CISCO-SDEE] Computer Associates Products Message Engine RPC Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106168 6106169 || [CISCO-SDEE] mod_tcl Module Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106169 6106170 || [CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106170 6106171 || [CISCO-SDEE] HP Info Center HPInfoDLL.dll ActiveX Control Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106171 6106172 || [CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function || url,wiki.quadrantsec.com/bin/view/Main/6106172 6106173 || [CISCO-SDEE] Empty DNS Query || url,wiki.quadrantsec.com/bin/view/Main/6106173 6106174 || [CISCO-SDEE] OpenLDAP Server BIND Request Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106174 6106175 || [CISCO-SDEE] rexd Portmap Request || url,wiki.quadrantsec.com/bin/view/Main/6106175 6106177 || [CISCO-SDEE] Malformed SIP Invite Packet || url,wiki.quadrantsec.com/bin/view/Main/6106177 6106178 || [CISCO-SDEE] SIP Message DoS || url,wiki.quadrantsec.com/bin/view/Main/6106178 
6106179 || [CISCO-SDEE] Malformed MGCP Packet || url,wiki.quadrantsec.com/bin/view/Main/6106179 6106180 || [CISCO-SDEE] rexd Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106180 6106181 || [CISCO-SDEE] SIP DoS || url,wiki.quadrantsec.com/bin/view/Main/6106181 6106184 || [CISCO-SDEE] Large SIP Message || url,wiki.quadrantsec.com/bin/view/Main/6106184 6106186 || [CISCO-SDEE] RIS Data Collector Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106186 6106187 || [CISCO-SDEE] CallManager TCP Connection DoS || url,wiki.quadrantsec.com/bin/view/Main/6106187 6106188 || [CISCO-SDEE] statd dot dot || url,wiki.quadrantsec.com/bin/view/Main/6106188 6106189 || [CISCO-SDEE] statd automount attack || url,wiki.quadrantsec.com/bin/view/Main/6106189 6106190 || [CISCO-SDEE] statd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106190 6106191 || [CISCO-SDEE] RPC.tooltalk Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106191 6106192 || [CISCO-SDEE] RPC mountd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106192 6106193 || [CISCO-SDEE] RPC CMSD Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106193 6106194 || [CISCO-SDEE] sadmind Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106194 6106195 || [CISCO-SDEE] Sadmind RPC Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106195 6106196 || [CISCO-SDEE] snmpXdmid Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106196 6106197 || [CISCO-SDEE] rpc yppaswdd overflow || url,wiki.quadrantsec.com/bin/view/Main/6106197 6106198 || [CISCO-SDEE] Long rwalld Message || url,wiki.quadrantsec.com/bin/view/Main/6106198 6106199 || [CISCO-SDEE] Cachefsd Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106199 6106200 || [CISCO-SDEE] Ident Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106200 6106201 || [CISCO-SDEE] Ident Newline || url,wiki.quadrantsec.com/bin/view/Main/6106201 6106203 || [CISCO-SDEE] sadmind directory traversal command exec || 
url,wiki.quadrantsec.com/bin/view/Main/6106203 6106204 || [CISCO-SDEE] IIS Source Code Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106204 6106205 || [CISCO-SDEE] NetBackup Vmd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106205 6106206 || [CISCO-SDEE] WorldMail IMAP Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6106206 6106207 || [CISCO-SDEE] FreeBSD nfsd Request Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106207 6106208 || [CISCO-SDEE] NetBackup Volume Manager Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106208 6106209 || [CISCO-SDEE] NetBackup Vnetd Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106209 6106210 || [CISCO-SDEE] LPR Format String Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106210 6106211 || [CISCO-SDEE] LPD NoOp Sled || url,wiki.quadrantsec.com/bin/view/Main/6106211 6106212 || [CISCO-SDEE] IE HTML Tag Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106212 6106213 || [CISCO-SDEE] Firefox JavaScript Focus Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106213 6106214 || [CISCO-SDEE] LibTIFF TIFFFetchData Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106214 6106215 || [CISCO-SDEE] Novell Print Services Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106215 6106216 || [CISCO-SDEE] EMC Retrospect Client Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106216 6106217 || [CISCO-SDEE] eDirectory iMonitor NDS Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106217 6106218 || [CISCO-SDEE] MediaWiki Script Insertion || url,wiki.quadrantsec.com/bin/view/Main/6106218 6106219 || [CISCO-SDEE] CommuniGate Pro LDAP Server Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106219 6106220 || [CISCO-SDEE] Retrospect Backup Agent Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106220 6106221 || [CISCO-SDEE] IBM Director Agent DoS || url,wiki.quadrantsec.com/bin/view/Main/6106221 
6106222 || [CISCO-SDEE] HP OpenView Client Configuration Manager Radia Notify Daemon Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106222 6106223 || [CISCO-SDEE] Citrix MetaFrame IMA Authentication Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106223 6106224 || [CISCO-SDEE] Windows IGMP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106224 6106225 || [CISCO-SDEE] KAME IKE raccoon HASH || url,wiki.quadrantsec.com/bin/view/Main/6106225 6106226 || [CISCO-SDEE] Trojan.Srizbi Bot || url,wiki.quadrantsec.com/bin/view/Main/6106226 6106227 || [CISCO-SDEE] Visual Basic Charts Control Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106227 6106228 || [CISCO-SDEE] Mac OSX Software Update Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106228 6106229 || [CISCO-SDEE] MS SQL Server sqldmo.dll Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106229 6106230 || [CISCO-SDEE] F-Secure Products Web Console Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106230 6106231 || [CISCO-SDEE] Citrix Presentation Server IMA || url,wiki.quadrantsec.com/bin/view/Main/6106231 6106232 || [CISCO-SDEE] Distributed Transaction Coordinator Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106232 6106233 || [CISCO-SDEE] Computer Associates BrightStor ARCserve Backup Tape Engine Service || url,wiki.quadrantsec.com/bin/view/Main/6106233 6106234 || [CISCO-SDEE] VideoLAN VLC Subtitle Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106234 6106235 || [CISCO-SDEE] Apple Quicktime SMIL Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106235 6106236 || [CISCO-SDEE] AMI Pro File Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106236 6106237 || [CISCO-SDEE] MailEnable IMAP Service Login Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106237 6106238 || [CISCO-SDEE] GNU RADIUS SQL Accounting Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106238 6106239 || [CISCO-SDEE] Apple QuickTime 
RTSP Long URL || url,wiki.quadrantsec.com/bin/view/Main/6106239 6106240 || [CISCO-SDEE] IMAP LOGIN Negative Value || url,wiki.quadrantsec.com/bin/view/Main/6106240 6106242 || [CISCO-SDEE] Trend Micro ServerProtect eng50.dll Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106242 6106243 || [CISCO-SDEE] Sun JRE Abstract Windowing Toolkit Module Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106243 6106244 || [CISCO-SDEE] Microsoft Windows SNMP Service Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106244 6106245 || [CISCO-SDEE] IBM Tivoli Storage Manager Initial Sign-on Request Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106245 6106246 || [CISCO-SDEE] Gateway Weblaunch Activex Control || url,wiki.quadrantsec.com/bin/view/Main/6106246 6106247 || [CISCO-SDEE] Sun Microsystems Java GIF File Handling Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106247 6106248 || [CISCO-SDEE] HP Mercury Loadrunner Agent Command Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106248 6106249 || [CISCO-SDEE] Visual Studio 6 ActiveX Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106249 6106250 || [CISCO-SDEE] FTP Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106250 6106251 || [CISCO-SDEE] Telnet Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106251 6106252 || [CISCO-SDEE] Rlogin Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106252 6106253 || [CISCO-SDEE] POP3 Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106253 6106255 || [CISCO-SDEE] SMB Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106255 6106256 || [CISCO-SDEE] HTTP Authorization Failure || url,wiki.quadrantsec.com/bin/view/Main/6106256 6106257 || [CISCO-SDEE] DHCP Client DoS || url,wiki.quadrantsec.com/bin/view/Main/6106257 6106258 || [CISCO-SDEE] Microsoft IE HTML Rendering Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106258 6106259 || 
[CISCO-SDEE] HP Linux Printing And Imaging hpssd Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106259 6106260 || [CISCO-SDEE] VERITAS Storage Foundation Administrator Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106260 6106261 || [CISCO-SDEE] ISC DHCP Remote DoS || url,wiki.quadrantsec.com/bin/view/Main/6106261 6106262 || [CISCO-SDEE] Cisco Secure Access Control Server CGI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106262 6106263 || [CISCO-SDEE] XSS in Cisco ACS Server || url,wiki.quadrantsec.com/bin/view/Main/6106263 6106264 || [CISCO-SDEE] Excel Malformed Header || url,wiki.quadrantsec.com/bin/view/Main/6106264 6106265 || [CISCO-SDEE] Microsoft Jet Database Engine Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106265 6106266 || [CISCO-SDEE] Excel Malformed Header || url,wiki.quadrantsec.com/bin/view/Main/6106266 6106267 || [CISCO-SDEE] IMAP Long FETCH Command || url,wiki.quadrantsec.com/bin/view/Main/6106267 6106268 || [CISCO-SDEE] HP Openview Network Node Manager Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106268 6106269 || [CISCO-SDEE] HP Openview Operations Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106269 6106270 || [CISCO-SDEE] HP OpenView Network Node Manager Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106270 6106271 || [CISCO-SDEE] VMWare ActiveX Arbitrary File Access || url,wiki.quadrantsec.com/bin/view/Main/6106271 6106272 || [CISCO-SDEE] Novell iPrint Client ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106272 6106273 || [CISCO-SDEE] Microsoft Works ActiveX WkImgSrv.dll Insecure Function || url,wiki.quadrantsec.com/bin/view/Main/6106273 6106274 || [CISCO-SDEE] McAfee ePolicy Orchestrator Format String || url,wiki.quadrantsec.com/bin/view/Main/6106274 6106275 || [CISCO-SDEE] SGI fam Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106275 6106276 || [CISCO-SDEE] TooltalkDB overflow || url,wiki.quadrantsec.com/bin/view/Main/6106276 
6106277 || [CISCO-SDEE] Show Mount Recon || url,wiki.quadrantsec.com/bin/view/Main/6106277 6106278 || [CISCO-SDEE] Office Web Components DataSource Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106278 6106279 || [CISCO-SDEE] Citrix Presentation Server Client ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106279 6106280 || [CISCO-SDEE] Messenger Information Disclosure Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106280 6106281 || [CISCO-SDEE] Malformed EPS Filter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106281 6106282 || [CISCO-SDEE] Malformed PICT Filter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106282 6106283 || [CISCO-SDEE] Malformed BMP Filter Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106283 6106284 || [CISCO-SDEE] Openwsman HTTP Basic Authentication Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106284 6106295 || [CISCO-SDEE] LANDesk Intel QIP Service Heal Packet Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106295 6106296 || [CISCO-SDEE] IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106296 6106297 || [CISCO-SDEE] RealPlayer ActiveX Import Method Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106297 6106298 || [CISCO-SDEE] Creative Software AutoUpdate Engine ActiveX Stack-Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106298 6106299 || [CISCO-SDEE] Namo ActiveSquare6 ActiveX Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106299 6106300 || [CISCO-SDEE] Loki ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106300 6106302 || [CISCO-SDEE] General Loki ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106302 6106303 || [CISCO-SDEE] PingTunnel ICMP Tunneling || url,wiki.quadrantsec.com/bin/view/Main/6106303 6106350 || [CISCO-SDEE] MS-SQL Query Abuse || url,wiki.quadrantsec.com/bin/view/Main/6106350 6106402 || [CISCO-SDEE] Samba SPOOLSS Notify Options Heap 
overflow || url,wiki.quadrantsec.com/bin/view/Main/6106402 6106403 || [CISCO-SDEE] IE Uninitialized Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106403 6106406 || [CISCO-SDEE] DirectShow WAV Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106406 6106408 || [CISCO-SDEE] IE DHTML Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106408 6106409 || [CISCO-SDEE] IE Invalid Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106409 6106410 || [CISCO-SDEE] IE Unsafe Memory Operation || url,wiki.quadrantsec.com/bin/view/Main/6106410 6106412 || [CISCO-SDEE] Malformed BGP Message || url,wiki.quadrantsec.com/bin/view/Main/6106412 6106413 || [CISCO-SDEE] McAfee Subscription Manager ActiveX Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106413 6106414 || [CISCO-SDEE] ClamAV UPX File Handling Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106414 6106416 || [CISCO-SDEE] Microsoft Windows Help HLP File Processing Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106416 6106417 || [CISCO-SDEE] JavaScript Navigator Object Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106417 6106418 || [CISCO-SDEE] Apache HTTP Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106418 6106419 || [CISCO-SDEE] Oracle Database dbms_assert Filter Bypass Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106419 6106420 || [CISCO-SDEE] Microsoft Office Malformed GIF File Processing Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106420 6106421 || [CISCO-SDEE] Microsoft Excel Malformed SELECTION Record Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106421 6106422 || [CISCO-SDEE] Microsoft ASP.NET Application Folder Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106422 6106423 || [CISCO-SDEE] Microsoft XML Core Services Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106423 
6106424 || [CISCO-SDEE] Microsoft PowerPoint PPT File Parsing Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106424 6106425 || [CISCO-SDEE] Microsoft Excel Malformed OBJECT Record Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106425 6106426 || [CISCO-SDEE] Microsoft Word mso.dll LsCreateLine Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106426 6106427 || [CISCO-SDEE] zlib Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106427 6106430 || [CISCO-SDEE] Microsoft Internet Explorer CSS Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106430 6106431 || [CISCO-SDEE] Oracle Web Cache Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106431 6106432 || [CISCO-SDEE] Subversion svn Protocol String Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106432 6106433 || [CISCO-SDEE] Norton Internet Security NBNS Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106433 6106436 || [CISCO-SDEE] Citrix Program Neighborhood Agent Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106436 6106437 || [CISCO-SDEE] RealNetworks RealPlayer Compressed Skin Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106437 6106443 || [CISCO-SDEE] IMail IMAP Fetch Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106443 6106444 || [CISCO-SDEE] iGateway Content-Length Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106444 6106445 || [CISCO-SDEE] SUSE Remote Manager Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106445 6106446 || [CISCO-SDEE] Adobe Acrobat Reader eBook plug-in Format String Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106446 6106449 || [CISCO-SDEE] Apache Tomcat Mod_jk Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106449 6106450 || [CISCO-SDEE] pcAnywhere Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106450 6106451 || [CISCO-SDEE] MediaWiki Language Option PHP Code Execution || 
url,wiki.quadrantsec.com/bin/view/Main/6106451 6106454 || [CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106454 6106456 || [CISCO-SDEE] Flash Media Server DoS || url,wiki.quadrantsec.com/bin/view/Main/6106456 6106457 || [CISCO-SDEE] Lotus Notes URI Handler Argument Injection || url,wiki.quadrantsec.com/bin/view/Main/6106457 6106458 || [CISCO-SDEE] Microsoft Windows Media Player File Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106458 6106459 || [CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106459 6106462 || [CISCO-SDEE] Microsoft Internet Explorer CDF Cross Domain Scripting || url,wiki.quadrantsec.com/bin/view/Main/6106462 6106466 || [CISCO-SDEE] Squid WCCP Message Parsing Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106466 6106467 || [CISCO-SDEE] Mozilla Firefox Click Event Classification Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106467 6106468 || [CISCO-SDEE] Multiple Vendor AV Gateway Virus Detection Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106468 6106477 || [CISCO-SDEE] Multiple Web Browsers Window Injection. 
|| url,wiki.quadrantsec.com/bin/view/Main/6106477 6106486 || [CISCO-SDEE] Novell iManager Tomcat HTTP POST Request Handling Denial of Service || url,wiki.quadrantsec.com/bin/view/Main/6106486 6106487 || [CISCO-SDEE] TikiWiki jhot.php Script File Upload Security Bypass || url,wiki.quadrantsec.com/bin/view/Main/6106487 6106488 || [CISCO-SDEE] Symantec Veritas NetBackup Command Chaining || url,wiki.quadrantsec.com/bin/view/Main/6106488 6106489 || [CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106489 6106491 || [CISCO-SDEE] Alt-N MDAEMON IMAP Server Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106491 6106493 || [CISCO-SDEE] Microsoft Windows Graphics Rendering Engine Buffer Overflow Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106493 6106494 || [CISCO-SDEE] IMAP APPEND Date Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106494 6106496 || [CISCO-SDEE] Microsoft Internet Explorer URL Spoofing Vulnerability Details || url,wiki.quadrantsec.com/bin/view/Main/6106496 6106500 || [CISCO-SDEE] RingZero Trojan || url,wiki.quadrantsec.com/bin/view/Main/6106500 6106501 || [CISCO-SDEE] Tribe Flood Net Client Request || url,wiki.quadrantsec.com/bin/view/Main/6106501 6106502 || [CISCO-SDEE] Tribe Flood Net Server Reply || url,wiki.quadrantsec.com/bin/view/Main/6106502 6106503 || [CISCO-SDEE] Stacheldraht Client Request || url,wiki.quadrantsec.com/bin/view/Main/6106503 6106504 || [CISCO-SDEE] Stacheldraht Server Reply || url,wiki.quadrantsec.com/bin/view/Main/6106504 6106505 || [CISCO-SDEE] Trinoo Client Request || url,wiki.quadrantsec.com/bin/view/Main/6106505 6106506 || [CISCO-SDEE] Trinoo Server Reply || url,wiki.quadrantsec.com/bin/view/Main/6106506 6106507 || [CISCO-SDEE] TFN2K Control Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106507 6106508 || [CISCO-SDEE] Mstream Control Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106508 6106509 || [CISCO-SDEE] Microsoft 
DXmedia SDK6 ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106509 6106510 || [CISCO-SDEE] GOM Player ActiveX Control Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106510 6106512 || [CISCO-SDEE] Macrovision FlexNet isusweb.dll DownloadAndExecute Method || url,wiki.quadrantsec.com/bin/view/Main/6106512 6106513 || [CISCO-SDEE] Macrovision FlexNet DownloadManager Insecure Methods || url,wiki.quadrantsec.com/bin/view/Main/6106513 6106515 || [CISCO-SDEE] Invalid SIP Response Code || url,wiki.quadrantsec.com/bin/view/Main/6106515 6106517 || [CISCO-SDEE] Malformed Via Header || url,wiki.quadrantsec.com/bin/view/Main/6106517 6106518 || [CISCO-SDEE] SIP Long Header Field || url,wiki.quadrantsec.com/bin/view/Main/6106518 6106520 || [CISCO-SDEE] Long SIP Message || url,wiki.quadrantsec.com/bin/view/Main/6106520 6106521 || [CISCO-SDEE] Call Manager Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106521 6106522 || [CISCO-SDEE] Failed HTTP Login HTTP 401 || url,wiki.quadrantsec.com/bin/view/Main/6106522 6106523 || [CISCO-SDEE] Non-Printable in SIP Header || url,wiki.quadrantsec.com/bin/view/Main/6106523 6106524 || [CISCO-SDEE] Yahoo! 
Assistant yNotifier.dll ActiveX Control Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106524 6106526 || [CISCO-SDEE] Lighttpd FastCGI Header Overrun || url,wiki.quadrantsec.com/bin/view/Main/6106526 6106527 || [CISCO-SDEE] Microsoft Publisher Invalid Memory Reference RCE || url,wiki.quadrantsec.com/bin/view/Main/6106527 6106528 || [CISCO-SDEE] Oracle Application Server 10G EmChartBeam Remote Directory Traversal || url,wiki.quadrantsec.com/bin/view/Main/6106528 6106530 || [CISCO-SDEE] SynCE Command Injection || url,wiki.quadrantsec.com/bin/view/Main/6106530 6106532 || [CISCO-SDEE] Perdition IMAP Proxy str_vwrite Format String || url,wiki.quadrantsec.com/bin/view/Main/6106532 6106533 || [CISCO-SDEE] Computer Associates BrightStor ARCserve Backup Discovery Service || url,wiki.quadrantsec.com/bin/view/Main/6106533 6106534 || [CISCO-SDEE] Symantec Backup Exec ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106534 6106535 || [CISCO-SDEE] Facebook Photo Uploader ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106535 6106536 || [CISCO-SDEE] Aurigma ImageUploader ActiveX Control || url,wiki.quadrantsec.com/bin/view/Main/6106536 6106537 || [CISCO-SDEE] Kraken Botnet Traffic || url,wiki.quadrantsec.com/bin/view/Main/6106537 6106539 || [CISCO-SDEE] Microsoft Malware Protection Engine DoS || url,wiki.quadrantsec.com/bin/view/Main/6106539 6106540 || [CISCO-SDEE] CUCM Certificate Trust List Memory Consumption DOS || url,wiki.quadrantsec.com/bin/view/Main/6106540 6106541 || [CISCO-SDEE] Microsoft Project Malformed File Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106541 6106542 || [CISCO-SDEE] TFTPServer Error Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106542 6106543 || [CISCO-SDEE] CiscoWorks Common Services Arbitrary Code Injection || url,wiki.quadrantsec.com/bin/view/Main/6106543 6106544 || [CISCO-SDEE] ActiveX Object Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106544 6106545 || [CISCO-SDEE] WINS 
Local Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6106545 6106546 || [CISCO-SDEE] SNMPv3 Malformed Authentication Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106546 6106702 || [CISCO-SDEE] Microsoft SQL Server 7 TDS Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6106702 6106703 || [CISCO-SDEE] Snort SACK TCP Option Handling Denial of Service Details || url,wiki.quadrantsec.com/bin/view/Main/6106703 6106704 || [CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoofing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106704 6106705 || [CISCO-SDEE] Internet Explorer Drag And Drop Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106705 6106707 || [CISCO-SDEE] Microsoft Windows Remote Desktop Protocol DoS || url,wiki.quadrantsec.com/bin/view/Main/6106707 6106710 || [CISCO-SDEE] Macromedia Flash Player LoadMovie DoS || url,wiki.quadrantsec.com/bin/view/Main/6106710 6106711 || [CISCO-SDEE] Microsoft Internet Explorer Image Download Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6106711 6106712 || [CISCO-SDEE] Microsoft Internet Explorer Script Engine Stack Exhaustion || url,wiki.quadrantsec.com/bin/view/Main/6106712 6106717 || [CISCO-SDEE] Microsoft Internet Explorer Status Bar URL Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6106717 6106718 || [CISCO-SDEE] Multiple AV Vendor Invalid Archive Checksum || url,wiki.quadrantsec.com/bin/view/Main/6106718 6106719 || [CISCO-SDEE] MySQL COM_TABLE_DUMP Function Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106719 6106720 || [CISCO-SDEE] MySQL Login Handshake Information Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106720 6106721 || [CISCO-SDEE] OpenBSD ISAKMP Message Handling Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6106721 6106722 || [CISCO-SDEE] Oracle Application Server 10g emagent.exe Stack Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106722 6106723 || [CISCO-SDEE] Sun Directory Server LDAP Denial of 
Service Details || url,wiki.quadrantsec.com/bin/view/Main/6106723 6106727 || [CISCO-SDEE] Nullsoft Winamp Midi File Header Handling Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106727 6106728 || [CISCO-SDEE] Microsoft Windows GUID Folder Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106728 6106730 || [CISCO-SDEE] IBM Tivoli Storage Manager Express Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106730 6106731 || [CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Username Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106731 6106732 || [CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Password Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106732 6106733 || [CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Arbitrary File Upload || url,wiki.quadrantsec.com/bin/view/Main/6106733 6106734 || [CISCO-SDEE] CA ARCserve Backup LGServer Multiple Buffer Overflows || url,wiki.quadrantsec.com/bin/view/Main/6106734 6106735 || [CISCO-SDEE] Microsoft Internet Explorer HHCtrl.ocx Image Property Heap Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106735 6106736 || [CISCO-SDEE] Apple QuickTime FLIC Animation File Buffer Overflow Details || url,wiki.quadrantsec.com/bin/view/Main/6106736 6106737 || [CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Function Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106737 6106739 || [CISCO-SDEE] Novell GroupWise Messenger HTTP POST Request Invalid Memory Access || url,wiki.quadrantsec.com/bin/view/Main/6106739 6106740 || [CISCO-SDEE] Trend Micro OfficeScan Atxconsole ActiveX Control Format String || url,wiki.quadrantsec.com/bin/view/Main/6106740 6106741 || [CISCO-SDEE] Symantec Discovery XFERWAN Buffer overflow || url,wiki.quadrantsec.com/bin/view/Main/6106741 6106742 || [CISCO-SDEE] Microsoft PowerPoint Malformed Record Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106742 6106743 || [CISCO-SDEE] Novell ZENworks Asset Mangement Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106743 6106744 || [CISCO-SDEE] Mozilla FireFox DomNodeRemoved Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106744 6106755 || [CISCO-SDEE] Windows Remote Kernel TCPIP ICMP Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106755 6106757 || [CISCO-SDEE] Microsoft Internet Explorer Page Update Race Condition || url,wiki.quadrantsec.com/bin/view/Main/6106757 6106758 || [CISCO-SDEE] Microsoft Visio Version Number Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106758 6106759 || [CISCO-SDEE] Apple Safari Regular Expression Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106759 6106760 || [CISCO-SDEE] RealPlayer ActiveX Buffer overflow || url,wiki.quadrantsec.com/bin/view/Main/6106760 6106761 || [CISCO-SDEE] Cisco Unified Communications Manager CTL Provider Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106761 6106764 || [CISCO-SDEE] Cisco PIX and ASA Time-to-Live DoS || url,wiki.quadrantsec.com/bin/view/Main/6106764 6106765 || [CISCO-SDEE] Cisco Application Velocity System Default Passwords || url,wiki.quadrantsec.com/bin/view/Main/6106765 6106766 || [CISCO-SDEE] IE Security Zone Bypass and Address Spoofing || url,wiki.quadrantsec.com/bin/view/Main/6106766 6106767 || [CISCO-SDEE] Microsoft Windows RSH Daemon Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106767 6106768 || [CISCO-SDEE] Samba WINS Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106768 6106769 || [CISCO-SDEE] Netware LSASS CIFS.NLM Driver Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106769 6106770 || [CISCO-SDEE] OpenOffice PRTDATA Heap Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106770 6106771 || [CISCO-SDEE] Microsoft Windows WebDAV Mini Redirector || url,wiki.quadrantsec.com/bin/view/Main/6106771 6106773 || [CISCO-SDEE] WordPerfect X3 Printer Selection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106773 6106775 || [CISCO-SDEE] Microsoft 
Office Works Converter Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106775 6106776 || [CISCO-SDEE] Microsoft Works Converter Input Validation Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106776 6106777 || [CISCO-SDEE] Windows OLE Automation Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106777 6106778 || [CISCO-SDEE] Microsoft Works Converter Index Table Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106778 6106780 || [CISCO-SDEE] IE Argument Handling Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106780 6106781 || [CISCO-SDEE] SIP Proxy Response Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106781 6106782 || [CISCO-SDEE] SIP MIME Request Boundary Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106782 6106784 || [CISCO-SDEE] Adobe PDF Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106784 6106785 || [CISCO-SDEE] Microsoft Visual Basic VBP File Processing Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106785 6106786 || [CISCO-SDEE] Microsoft PowerPoint Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106786 6106787 || [CISCO-SDEE] Microsoft Office Cell Parsing Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106787 6106788 || [CISCO-SDEE] SonicWALL SSL VPN Client Remote ActiveX Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106788 6106789 || [CISCO-SDEE] Winamp Ultravox Stream Title Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106789 6106790 || [CISCO-SDEE] Outlook Web Access Privilege Escalation || url,wiki.quadrantsec.com/bin/view/Main/6106790 6106792 || [CISCO-SDEE] SQL Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106792 6106793 || [CISCO-SDEE] Microsoft Windows GDI Image Handling || url,wiki.quadrantsec.com/bin/view/Main/6106793 6106794 || [CISCO-SDEE] CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow || 
url,wiki.quadrantsec.com/bin/view/Main/6106794 6106795 || [CISCO-SDEE] Panda ActiveScan ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106795 6106798 || [CISCO-SDEE] HP StorageWorks Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106798 6106799 || [CISCO-SDEE] CUCM CTI DoS || url,wiki.quadrantsec.com/bin/view/Main/6106799 6106901 || [CISCO-SDEE] Net Flood ICMP Reply || url,wiki.quadrantsec.com/bin/view/Main/6106901 6106902 || [CISCO-SDEE] Net Flood ICMP Request || url,wiki.quadrantsec.com/bin/view/Main/6106902 6106903 || [CISCO-SDEE] Net Flood ICMP Any || url,wiki.quadrantsec.com/bin/view/Main/6106903 6106910 || [CISCO-SDEE] Net Flood UDP || url,wiki.quadrantsec.com/bin/view/Main/6106910 6106920 || [CISCO-SDEE] Net Flood TCP || url,wiki.quadrantsec.com/bin/view/Main/6106920 6106921 || [CISCO-SDEE] Microsoft Word Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106921 6106922 || [CISCO-SDEE] VBScript JScript Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106922 6106923 || [CISCO-SDEE] Word Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106923 6106924 || [CISCO-SDEE] MS Publisher Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106924 6106925 || [CISCO-SDEE] IE Property Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106925 6106926 || [CISCO-SDEE] Cisco IOS DLSw DoS || url,wiki.quadrantsec.com/bin/view/Main/6106926 6106928 || [CISCO-SDEE] Microsoft Outlook mailto URI Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106928 6106929 || [CISCO-SDEE] Microsoft Excel Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106929 6106930 || [CISCO-SDEE] Office Web Components URL Parsing Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106930 6106931 || [CISCO-SDEE] Virtual-Access Interface Exhaustion DoS || url,wiki.quadrantsec.com/bin/view/Main/6106931 6106932 || [CISCO-SDEE] HTML Objects Uninitialized Memory Corruption Vulnerability || 
url,wiki.quadrantsec.com/bin/view/Main/6106932 6106934 || [CISCO-SDEE] GDI Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106934 6106935 || [CISCO-SDEE] CVE-2008-1086 ActiveX Killbit Update || url,wiki.quadrantsec.com/bin/view/Main/6106935 6106936 || [CISCO-SDEE] UCM Disaster Recovery Framework Command Execution || url,wiki.quadrantsec.com/bin/view/Main/6106936 6106937 || [CISCO-SDEE] IE File Handling Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106937 6106938 || [CISCO-SDEE] Microsoft IE Argument Handling Memory Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106938 6106939 || [CISCO-SDEE] Microsoft Project Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106939 6106940 || [CISCO-SDEE] RealPlayer ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106940 6106942 || [CISCO-SDEE] Yahoo ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106942 6106944 || [CISCO-SDEE] CUPS CGI Compile Search Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106944 6106945 || [CISCO-SDEE] HP OpenView OVAS.EXE Stack Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106945 6106946 || [CISCO-SDEE] Web Client Remote Code Execution Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106946 6106951 || [CISCO-SDEE] Word Drawing Object Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106951 6106952 || [CISCO-SDEE] Word Cascading Style Sheet (CSS) Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106952 6106954 || [CISCO-SDEE] CUCM SIP Stack DoS || url,wiki.quadrantsec.com/bin/view/Main/6106954 6106959 || [CISCO-SDEE] Adobe Flash Null Pointer Dereference || url,wiki.quadrantsec.com/bin/view/Main/6106959 6106960 || [CISCO-SDEE] IE Response Cross-Domain Info Disclosure || url,wiki.quadrantsec.com/bin/view/Main/6106960 6106961 || [CISCO-SDEE] IE HTML Objects Memory Corruption || url,wiki.quadrantsec.com/bin/view/Main/6106961 6106962 || [CISCO-SDEE] Cisco Unity DOS || 
url,wiki.quadrantsec.com/bin/view/Main/6106962 6106963 || [CISCO-SDEE] MJPEG Decoder Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106963 6106964 || [CISCO-SDEE] Asprox Injection Attempt || url,wiki.quadrantsec.com/bin/view/Main/6106964 6106966 || [CISCO-SDEE] Malformed Search File Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106966 6106967 || [CISCO-SDEE] Microsoft SQL Server Privilege Elevation || url,wiki.quadrantsec.com/bin/view/Main/6106967 6106968 || [CISCO-SDEE] Microsoft Access Snapshot Viewer ActiveX Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106968 6106969 || [CISCO-SDEE] Microsoft Word Smart Tag Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106969 6106970 || [CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution || url,wiki.quadrantsec.com/bin/view/Main/6106970 6106971 || [CISCO-SDEE] Generic Exploit Component || url,wiki.quadrantsec.com/bin/view/Main/6106971 6106972 || [CISCO-SDEE] Rosoft Media Player Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106972 6106973 || [CISCO-SDEE] IOS FTPd MKD Command Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106973 6106974 || [CISCO-SDEE] Motorola Timbuktu Pro Arbitrary File Deletion/Creation || url,wiki.quadrantsec.com/bin/view/Main/6106974 6106975 || [CISCO-SDEE] Arbitrary File Upload In CA ARCserve || url,wiki.quadrantsec.com/bin/view/Main/6106975 6106976 || [CISCO-SDEE] Microsoft Powerpoint 2003 Viewer Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106976 6106977 || [CISCO-SDEE] Wonderware Suitlink Denial Of Service || url,wiki.quadrantsec.com/bin/view/Main/6106977 6106978 || [CISCO-SDEE] PowerPoint Parsing Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106978 6106979 || [CISCO-SDEE] BEA WebLogic Server Apache Connector HTTP Version String BO || url,wiki.quadrantsec.com/bin/view/Main/6106979 6106981 || [CISCO-SDEE] Microsoft PowerPoint Memory Allocation Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106981 
6106983 || [CISCO-SDEE] Microsoft PICT Filter Parsing Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106983 6106984 || [CISCO-SDEE] Windows Image Color Management System RCE || url,wiki.quadrantsec.com/bin/view/Main/6106984 6106985 || [CISCO-SDEE] Microsoft Office WPG Image File Heap Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106985 6106986 || [CISCO-SDEE] Microsoft IE HTML Objects Memory Corruption Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106986 6106988 || [CISCO-SDEE] WebEx Meeting Manager ActiveX Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106988 6106989 || [CISCO-SDEE] IOSFW HTTP Inspection Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106989 6106990 || [CISCO-SDEE] Visual Studio Msmask32.ocx ActiveX Buffer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106990 6106991 || [CISCO-SDEE] Symantec Veritas Storage Foundation Null Session || url,wiki.quadrantsec.com/bin/view/Main/6106991 6106994 || [CISCO-SDEE] Cisco Secure ACS EAP Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106994 6106995 || [CISCO-SDEE] GDI EMF Memory Corruption Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106995 6106996 || [CISCO-SDEE] GDI+ BMP Integer Overflow || url,wiki.quadrantsec.com/bin/view/Main/6106996 6106997 || [CISCO-SDEE] OneNote Uniform Resource Locator Validation Error Vulnerability || url,wiki.quadrantsec.com/bin/view/Main/6106997 6106998 || [CISCO-SDEE] Microsoft GDI-Plus WMF Buffer Overrun Exploit || url,wiki.quadrantsec.com/bin/view/Main/6106998 6106999 || [CISCO-SDEE] Cisco PIM Multicast Denial of Service Attack || url,wiki.quadrantsec.com/bin/view/Main/6106999 6107000 || [CISCO-SDEE] Data Base TNS Connection || url,wiki.quadrantsec.com/bin/view/Main/6107000 6107001 || [CISCO-SDEE] TNS Redirect Request || url,wiki.quadrantsec.com/bin/view/Main/6107001 6107002 || [CISCO-SDEE] NBT NetBIOS Session Failed Login - Brute Force [5/3] || url,wiki.quadrantsec.com/bin/view/Main/6107002 
rules/imapd-geoip.rules0000664000175000017500000001015212612177151014425 0ustar champchamp# Sagan imapd-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
# GeoIP rules for IMAP sessions.  The sample lines below (program "imapd" /
# "imapd-ssl", "LOGIN, user=..., ip=[...]") look like Courier-IMAP's log
# format; other IMAP servers will need their own content: matches.
#
# How these rules work:
#   * program: imapd|imapd-ssl restricts matching to those two syslog programs.
#   * parse_src_ip: 1 takes the first IP address found in the message as the
#     event's source -- in the samples that is the client address inside
#     "ip=[...]", not the 10.1.1.1 host field in front of the message.
#   * country_code: track by_src, isnot $HOME_COUNTRY fires when the GeoIP
#     lookup of that address is not $HOME_COUNTRY.  $HOME_COUNTRY must be
#     defined as a Sagan var and the GeoIP database must be configured, or the
#     option has nothing to evaluate.
#
# Caveats for whoever tunes these:
#   * Private / unroutable client addresses, such as the 192.168.8.1 in the
#     samples, have no country in GeoIP.  How "isnot" treats a failed lookup
#     is decided by Sagan's GeoIP code, not by the rule -- TODO confirm before
#     relying on this for clients behind NAT or on a VPN.
#   * Country is a weak signal: VPN egress, roaming users and proxy/CDN
#     addresses all trip it.  Treat hits as "investigate", not "compromised".
#   * The LOGOUT / TIMEOUT / DISCONNECTED rules re-alert on session teardown
#     for a session the LOGIN rule already flagged.  They are useful when the
#     LOGIN line was missed; otherwise expect up to two alerts per session.
#   * The header fields ($HOME_NET any -> $EXTERNAL_NET $IMAP_PORT) read
#     "server -> outside", backwards for an inbound login.  Presumably Sagan
#     does not use them for syslog matching, but it is worth knowing.
#   * "reference: url, wiki..." has a space after the comma; the other rule
#     files in this set write "url,wiki...".  Harmless if the reference parser
#     trims whitespace -- NOTE(review): confirm, or normalize for consistency.

# Successful login from a client outside $HOME_COUNTRY.  This is the rule
# that matters; the three below are the same check on session-end lines.
# 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGIN, user=bob, ip=[192.168.8.1], port=[36938], protocol=IMAP
alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Login from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "LOGIN,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002075; sid:5002075; rev: 1;)

# Clean logout of a session from outside $HOME_COUNTRY (classtype is still
# successful-user because the line proves the session was authenticated).
# 10.1.1.1|mail|info|info|16|2014-06-11|23:12:53|imapd-ssl| LOGOUT, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=96, sent=470, time=0, starttls=1
alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Logout from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "LOGOUT,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002076; sid:5002076; rev: 1;)

# Session from outside $HOME_COUNTRY ended by server-side idle timeout.
# 10.1.1.1|mail|info|info|16|2014-06-12|04:06:34|imapd-ssl| TIMEOUT, user=bob, ip=[192.168.8.1], headers=714, body=8944, rcvd=1050, sent=15577, time=2701, starttls=1
alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Timeout from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "TIMEOUT,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002077; sid:5002077; rev: 1;)

# Session from outside $HOME_COUNTRY dropped without a LOGOUT.
# 10.1.1.1|mail|info|info|16|2014-06-11|23:53:51|imapd-ssl| DISCONNECTED, user=bob, ip=[192.168.8.1], headers=0, body=0, rcvd=357, sent=981, time=10511, starttls=1
alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Disconnect from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "DISCONNECTED,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002078; sid:5002078; rev: 
1;) # 10.7.1.71|mail|debug|debug|17|2014-06-11|23:53:52|imapd-ssl| Connection, ip=[192.168.8.1] # alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-GEOIP] Connection from outside HOME_COUNTRY"; program: imapd|imapd-ssl; content: "Connection,"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002079; sid:5002079; rev: 1;) rules/fortinet.rules0000664000175000017500000005472512612177151014102 0ustar champchamp# Sagan fortinet.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These are mostly taken from Fortigate 4.0 Message reference manual. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Protect profile changed"; content: "32151 type="; content: "changed protection profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000898; sid: 5000898; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ICMP traffic disallowed"; content: "16003 type="; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000899; sid: 5000899; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login from LCD"; content: "32001 type="; content: "from LCD"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000900; sid: 5000900; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator Login"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000901; sid: 5000901; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login from LCD failed"; content: "32002 type="; content: "LCD failed"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000902; sid: 5000902; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login 
failed"; content: "32002 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000903; sid: 5000903; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] To many bad admin login attempts"; content: "32002 type="; content: "bad attempts"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000904; sid: 5000904; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator logout"; content: "32003 type="; content: "action=logout"; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000905; sid: 5000905; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] IPS error mode"; content: "32004 type="; content: "error mode"; classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000906; sid: 5000906; rev:1;)
# Brute-force guard for admin logins (log ID 32005). "after" holds the
# alert back until 5 "login failed" messages from one source are seen
# within 300 s; "threshold" then caps alerts at 5 per source per 300 s;
# "fwsam: src, 1 day" asks the firewall to block that source for a day.
# The block keys on the address parse_src_ip extracts from the Fortigate
# log line, so a mis-parsed address would block the wrong host.
# NOTE(review): this rule also carries "parse_ip_src: 1;" next to the
# existing "parse_src_ip: 1;". Every other rule in this file spells the
# option parse_src_ip, so this looks like a transposed duplicate; confirm
# whether Sagan accepts the keyword at rule load and drop it if not.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login failed [Brute Force] [5/5]"; content: "32005 type="; content: "login failed"; parse_src_ip: 1; classtype: attempted-admin; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000907; sid: 5000907; rev:5;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Login accepted"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000908; sid: 5000908; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk full or almost full"; content: "32006 type="; content: "disk"; nocase; content: "log "; nocase; pcre: "/exceeds|full/"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000909; sid: 5000909; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[FORTINET] Fortigate has started"; content: "32006 type="; content: "Fortigate started"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000910; sid: 5000910; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has entered error mode"; content: "32006 type="; content: "entered error mode"; classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000911; sid: 5000911; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Fortigate has left error mode"; content: "32006 type="; content: "out of error mode"; classtype: configuration-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000912; sid: 5000912; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator session timeout"; content: "32007 type="; content: "session timed out"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000913; sid: 5000913; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Abnormal Admin session drop"; content: "32007 type="; content: "terminates the sessions"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000914; sid: 5000914; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Normal administrator logout"; content: "32007 type="; pcre: "/logs out from|is diconnected by/"; parse_src_ip: 1; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000915; sid: 5000915; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator is clearing/deleting logs"; content: "32007 type="; pcre: "/has removed|has deleted|has cleared/"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000916; sid: 5000916; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cannot store config. 
Low flash space"; content: "32007 type="; content: "Cannot store config"; content: "flash space"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000917; sid: 5000917; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin has left current VDOM"; content: "32007 type="; content: "has left the virtual domain"; classtype: not-suspicious; reference: url,wiki.quadrantsec.com/bin/view/Main/5000918; sid: 5000918; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin login failure"; content: "32009 type="; content: "login failed from"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000919; sid: 5000919; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Disk logs usage have exceeded"; content: "32010 type="; pcre: "/Disk logs|error mode|Log disk|reason=disk-log-full/"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000920; sid: 5000920; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Memory usage has exceeded"; content: "32010 type="; content: "reason=memory-log-full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000921; sid: 5000921; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Reason unknown error"; content: "32010 type="; content: "reason=unknown"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000922; sid: 5000922; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Out of error mode"; content: "32012 type="; content: "out of error mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000923; sid: 5000923; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Administrator removed logs"; content: "32013 type="; pcre: "/cleared|deleted|removed/"; classtype: configuration-change; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000924; sid: 5000924; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] License about to expired"; content: "32014 type="; content: "license will expire"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000925; sid: 5000925; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Log disk is full"; content: "32015 type="; content: "Log disk is"; content: "full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000926; sid: 5000926; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Corrupted MAC packet detected"; content: "32020 type="; content: "Corrupted MAC packet detected"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000927; sid: 5000927; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reboot or shutdown"; content: "32095 type="; pcre: "/action=reboot|action=shutdown/i"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000928; sid: 5000928; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action reload"; content: "32095 type="; content: "action=reload"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000929; sid: 5000929; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Action factory_reset"; content: "32095 type="; content: "action=factory_reset"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000930; sid: 5000930; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New access profile added"; content: "32101 type="; content: "added new access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000931; sid: 5000931; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Configuration change"; content: 
"32102 type="; content: "made a change"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000932; sid: 5000932; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile changed"; content: "32102 type="; content: "setting of access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000933; sid: 5000933; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Access profile deleted"; content: "32103 type="; content: "deleted an access profile"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000934; sid: 5000934; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New admin user added"; content: "32120 type="; content: "added an admin user"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000935; sid: 5000935; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] New user group added"; content: "32120 type="; content: "added an user group"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000936; sid: 5000936; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin changed another admin's password"; content: "32150 type="; content: "changed password of admin"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000971; sid: 5000971; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Flash memory is full!"; content: "20031 type="; content: "flash memory is full"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000937; sid: 5000937; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication success"; content: "38001 type="; content: "succeeded in authentication"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000938; sid: 
5000938; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38001 type="; content: "failed in authentication"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000939; sid: 5000939; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Admin authentication failure"; content: "38002 type="; pcre: "/failed to authenticate|failed in authentication/i"; parse_src_ip: 1; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000940; sid: 5000940; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Failed authentication to many times"; content: "38003 type="; content: "failed authentication to many times"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000941; sid: 5000941; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis fan anomaly"; content: "99503 type="; content: "Chassis fan anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000942; sid: 5000942; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis temperature anomaly"; content: "99504 type="; content: "Chassis temperature anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000943; sid: 5000943; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Chassis voltage anomaly"; content: "99505 type="; content: "Chassis voltage anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000944; sid: 5000944; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade fan anomaly"; content: "99506 type="; content: "Blade fan anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000945; sid: 5000945; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade temperature anomaly"; 
content: "99507 type="; content: "Blade temperature anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000946; sid: 5000946; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Blade voltage anomaly"; content: "99508 type="; content: "Blade voltage anomaly"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000947; sid: 5000947; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication success"; content: "29002 type="; content: "action=auth_success"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000948; sid: 5000948; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Authentication failed"; content: "29003 type="; content: "action=auth_failed"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000949; sid: 5000949; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Max connection reached"; content: "29004 type="; content: "No more clients can connect"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000950; sid: 5000950; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] L2TP/PPTP/PPPoE Not enough memory"; content: "29024 type="; content: "not enough memory"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000951; sid: 5000951; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Data Leack Prevention Rule Matched"; content: "11000 type="; content: "Data Leak Prevention Rule matched"; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000952; sid: 5000952; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant messaging message"; content: "11600 type="; content: "kind="; classtype: policy-violation; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000953; sid: 5000953; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message file tranfer message"; content: "116001 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000954; sid: 5000954; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message chat message"; content: "116002 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000955; sid: 5000955; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Control instant message SIP session blocked message"; content: "116003 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000956; sid: 5000956; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Application control instant message message"; content: "116010 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000957; sid: 5000957; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] An application control VoIP-SIP session blocked message"; content: "116011 type="; content: "kind="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000958; sid: 5000958; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] E-mail of an infected file"; content: "60000 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000959; sid: 5000959; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File blocked via e-mail"; content: "63000 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000960; sid: 5000960; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] File intercepted via e-mail"; content: 
"63002 type="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000961; sid: 5000961; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [1]"; content: "70000 type="; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000962; sid: 5000962; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Attack signature matched [see content] [2]"; content: "73001 type="; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000963; sid: 5000963; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Banned word was found"; content: "90000 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000964; sid: 5000964; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Cookie was removed"; content: "91000 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000965; sid: 5000965; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Java applet was removed"; content: "91005 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000966; sid: 5000966; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] ActiveX script was removed"; content: "91010 type="; classtype: web-application-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5000967; sid: 5000967; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL was in blacklist"; content: "93002 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000968; sid: 5000968; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] URL belongs to a denied category"; content: "99501 type="; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000969; sid: 5000969; rev:1;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] calloc failed"; content: "93007 type="; content: "calloc"; content: "failed"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000970; sid: 5000970; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] FTP attempt"; content: "80000 type="; content: "user="; content: "group="; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000972; sid: 5000972; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Entered system conserve mode!"; content: "22802 type="; content: "entered system conserve mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000973; sid: 5000973; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Leaving system conserve mode"; content: "22803 type="; content: "exited system conserve mode"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000974; sid: 5000974; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] General CRITICAL event"; content: "devname="; content: "pri=critical"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000975; sid: 5000975; rev:1;) # 01/04/2013 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] Botnet traffic detected"; content: "app_list=|22|BotnetOnly|22| app_type=|22|Botnet|22|"; classtype: trojan-activity; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001627; sid: 5001627; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET] SSH traffic detected"; content: " service=SSH "; classtype: trojan-activity; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5001970; sid: 5001970; rev:1;) rules/openssh-aetas.rules0000664000175000017500000000630512612177151015011 0ustar champchamp# Sagan openssh-aetas.rules # Copyright (c) 
2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Not getting the source IP addresses that you'd expect? Then you probably # have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll # need to set that to "No" so Sagan can "find" the source IP addresses and # port information. 
# 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2 alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via password at suspicious time"; content: "Accepted password"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002049; normalize: openssh; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002049; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via publickey at suspicious time"; content: "Accepted publickey"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002050; normalize: openssh; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002050; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-AETAS] Authentication success via keyboard at suspicious time"; content: "Accepted keyboard-interactive"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002051; normalize: openssh; program: sshd; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002051; rev:2;) rules/fatpipe-aetas.rules0000664000175000017500000000517712612177151014770 0ustar champchamp# Sagan fatpipe-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-AETAS] Login Success at suspicious time"; content: "Login|3a| Success"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002041; sid: 5002041; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-AETAS] Login Success - ADMINISTRATOR - at supicious time"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002042; sid: 5002042; rev:1;) rules/pptp.rules0000664000175000017500000000445312612177151013224 0ustar champchamp# Sagan pptp.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $PPTP_PORT (msg:"[PPTP] Failed message [communications error]"; pcre: "/GRE: \S+ from \S+ failed: status = -1/"; classtype: network-event; program: pptpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000134; sid: 5000134; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $PPTP_PORT (msg:"[PPTP] Connection established"; content: "control connection started"; classtype: successful-user; program: pptpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000135; sid:5000135; rev:2;) rules/vsftpd.rules0000664000175000017500000000703312612177151013544 0ustar champchamp# Sagan vsftpd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
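#
#*************************************************************
#
# vsftpd session/login signatures. Every rule keys on vsftpd's own log
# text ("CONNECT", "OK LOGIN", "FAIL LOGIN", "OK UPLOAD") and is bound to
# "program: vsftpd"; a rule bound to any other program selector never
# sees these messages.
#
# The informational signatures (session opened, successful login, single
# failed login, upload) ship disabled; enable them only where the alert
# volume is acceptable.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Session opened"; content: "CONNECT"; classtype: not-suspicious; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000194; sid: 5000194; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Authentication successful"; content: "OK LOGIN"; classtype: successful-user; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000195; sid: 5000195; rev:2;)
# Brute-force detection. "after" waits for 5 "FAIL LOGIN" lines from one
# source within 300 s, "threshold" caps alerts at 5 per source per 300 s,
# and "fwsam: src, 1 day" requests a one-day firewall block of the parsed
# source address. Confirm the vsftpd hosts log the real client address
# (not a proxy/NAT address) before enabling this, otherwise every user
# behind a shared address is blocked together with the offender.
drop tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Login failed - Brute force [5/5]"; content: "FAIL LOGIN"; classtype: unsuccessful-user; program: vsftpd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000196; sid: 5000196; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] Login failed"; content: "FAIL LOGIN"; classtype: unsuccessful-user; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001530; sid: 5001530; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD] File uploaded"; content: "OK UPLOAD"; classtype: not-suspicious; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000197; sid: 5000197; rev:2;)
# Successful FTP login to a service/system account that should never be
# used interactively.
# FIX: this rule previously carried "program: sshd", which restricted it
# to sshd messages; sshd does not emit "OK LOGIN" (that is vsftpd's
# success line, see sid 5000195 above), so the signature could never
# fire. It is now bound to vsftpd like the rest of this file and the
# revision is bumped (3 -> 4).
# NOTE(review): the pcre expects the account name to be surrounded by
# spaces; confirm that against the exact vsftpd log line format in use
# before relying on this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[FTPD] User logged into an disabled account"; content: "OK LOGIN"; pcre: "/ apache | mysql | www | nobody | nogroup | portmap | named | rpc | mail | ftp | shutdown | halt | daemon | bin | postfix | shell | info | guest | psql | user | users | console | uucp | lp | sync | sshd | cdrom | ossec | sagan /"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000415; program: vsftpd; sid: 5000415; rev:4;)
rules/cisco-prime.rules0000664000175000017500000010463512612177151014456 0ustar champchamp# Sagan cisco-prime.rules # Copyright (c) 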
2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # Champ Clark (08/28/2014) # # These rules look for "eventType={type}("; For example, "eventType=AP_BIG_NAV_DOS_ATTACK(". # We actually trigger on the items between the = and (. # AP_BIG_NAV_DOS_ATTACK # The AP ''{0}'' with protocol ''{1}'' receives a message with a large NAV field and all traffic on the channel is suspended. 
This is most likely a malicious denial of service attack. # The system detected a possible denial of service attack and suspended all traffic to the affected channel. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] BIG NAV DOS Attack"; program: snmptrapd; content: "=AP_BIG_NAV_DOS_ATTACK|28|"; classtype: attempted-dos; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002122; sid:5002122; rev:1;) # AP_CONTAINED_AS_ROGUE # AP ''{0}'' is being contained. This is due to rogue device spoofing or targeting AP ''{0}'' BSSID on ''{1}'' radio. # An access point is reporting that it is being contained as a rogue. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detect and contained"; program: snmptrapd; content: "=AP_CONTAINED_AS_ROGUE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002123; sid:5002123; rev:1;) # AP_MAX_ROGUE_COUNT_EXCEEDED # AP ''{0}'' is being contained. This is due to rogue device spoofing or targeting AP ''{0}'' BSSID on ''{1}'' radio. # The number of rogues detected by a switch (controller) exceeds the internal threshold. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP detected exceed theshold"; program: snmptrapd; content: "=AP_MAX_ROGUE_COUNT_EXCEEDED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002124; sid:5002124; rev:1;) # AUTHENTICATION_FAILURE # Switch ''{0}''. Authentication failure reported. # There was an SNMP authentication failure on the switch (controller). 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SNMP Authentication failure"; program: snmptrapd; content: "=AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002125; sid:5002125; rev:1;) # BSN_AUTHENTICATION_FAILURE # Switch ''{0}." User authentication from Switch ''{0}'' failed for username ''{1}'' and user type ''{2}." # A user authentication failure is reported for a local management user or a MAC filter is configured on the controller. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Authentication failure by local management user/MAC "; program: snmptrapd; content: "=BSN_AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002126; sid:5002126; rev:1;) # ROGUE_AP_DETECTED # Rogue AP or ad hoc rogue ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}." # The system has detected a rogue access point. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP or ADHOC detected"; program: snmptrapd; content: "=ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002127; sid:5002127; rev:1;) # ROGUE_AP_ON_NETWORK # Rogue AP or ad hoc rogue ''{0}'' is on the wired network. # A rogue access point is found reachable through the wired network. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP on the network!"; program: snmptrapd; content: "=ROGUE_AP_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002128; sid:5002128; rev:1;) # ROGUE_AP_REMOVED # Rogue AP or ad hoc rogue ''{0}'' is removed; it was detected as Rogue AP by AP ''{1}'' Radio type ''{2}.'' # The system is no longer detecting a rogue access point. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP has been removed"; program: snmptrapd; content: "=ROGUE_AP_REMOVED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002129; sid:5002129; rev:1;) # SENSED_TEMPERATURE_HIGH # The sensed temperature on the Switch ''{0}'' is too high. The current sensed temperature is ''{1}.'' # The internal temperature of the system has crossed the configured thresholds. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal high temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_HIGH|28|"; classtype: hardware-event; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002130; sid:5002130; rev:1;) # SENSED_TEMPERATURE_LOW # The sensed temperature on the Switch ''{0}'' is too low. The current sensed temperature is ''{1}.'' # The internal temperature of the device is below the configured limit in the system. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Internal low temperature detected!"; program: snmptrapd; content: "=SENSED_TEMPERATURE_LOW|28|"; classtype: hardware-event; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002131; sid:5002131; rev:1;) # STATION_AUTHENTICATION_FAIL # Client ''{0}'' has failed authenticating with AP ''{1},'' interface ''{2}.'' The reason code is ''{3}.'' # The system failed to authenticate a client. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station authentication failure"; program: snmptrapd; content: "=STATION_AUTHENTICATION_FAIL|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002132; sid:5002132; rev:1;) # STATION_ASSOCIATE_FAIL # Client ''{0}'' failed to associate with AP ''{1},'' interface ''{2}.'' The reason code is ''{3}.'' # A client station failed to associate with the system. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station association failure"; program: snmptrapd; content: "=STATION_ASSOCIATE_FAIL|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002133; sid:5002133; rev:1;) # STATION_BLACKLISTED # Client ''{0}'' which was associated with AP ''{1},'' interface ''{2}'' is excluded. The reason code is ''{3}.'' # A client is in the exclusion list and is not allowed to authenticate for a configured interval. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Station blacklisted"; program: snmptrapd; content: "=STATION_BLACKLISTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002134; sid:5002134; rev:1;) # SWITCH_DETECTED_DUPLICATE_IP # Switch ''{0}'' detected duplicate IP address ''{0}'' being used by machine with mac address ''{1}.'' # The system has detected a duplicate IP address in the network that is assigned to the switch (controller). alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Duplicate IP address assigned to controller"; program: snmptrapd; content: "=SWITCH_DETECTED_DUPLICATE_IP|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002135; sid:5002135; rev:1;) # TOO_MANY_USER_UNSUCCESSFUL_LOGINS # User ''{1}'' with IP Address ''{0}'' has made too many unsuccessful login attempts. # A management user has made too many login attempts. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Possible brute force from management user!"; program: snmptrapd; content: "=TOO_MANY_USER_UNSUCCESSFUL_LOGINS|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002136; sid:5002136; rev:1;) # ADHOC_ROGUE_AUTO_CONTAINED # Adhoc Rogue ''{0}'' was found and is auto contained as per WPS policy. # An ad hoc rogue that the system has detected earlier is now clear. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC contained"; program: snmptrapd; content: "=ADHOC_ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002137; sid:5002137; rev:1;) # ROGUE_AP_AUTO_CONTAINED # Rogue AP ''{0}'' is advertising our SSID and is auto contained as per WPS policy. # The system has automatically contained a rogue access point. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP auto contained"; program: snmptrapd; content: "=ROGUE_AP_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002138; sid:5002138; rev:1;) # TRUSTED_AP_INVALID_ENCRYPTION # Trusted AP ''{0}'' is invalid encryption. It is using ''{1}'' instead of ''{2}." It is auto contained as per WPS policy. # The system automatically contained a trusted access point that has invalid encryption. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid encryption"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_ENCRYPTION|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002140; sid:5002140; rev:1;) # TRUSTED_AP_INVALID_RADIO_POLICY # Trusted AP ''{0}'' has invalid radio policy. It is using ''{1}'' instead of ''{2}." It has been auto contained as per WPS policy. # The system has contained a trusted access point with an invalid radio policy. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid radio policy"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_RADIO_POLICY|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002141; sid:5002141; rev:1;) # TRUSTED_AP_INVALID_SSID # Trusted AP ''{0}'' has invalid SSID. It was auto contained as per WPS policy. # The system has automatically contained a trusted access point for advertising an invalid SSID. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP has invalid SSID"; program: snmptrapd; content: "=TRUSTED_AP_INVALID_SSID|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002142; sid:5002142; rev:1;) # TRUSTED_AP_MISSING # Trusted AP ''{0}'' is missing or has failed. # The wireless system no longer detects a trusted access point. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Trusted AP missing"; program: snmptrapd; content: "=TRUSTED_AP_MISSING|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002143; sid:5002143; rev:1;) # AP_IMPERSONATION_DETECTED # AP Impersonation with MAC ''{0}'' is detected by authenticated AP ''{1}'' on ''{2}'' radio and Slot ID ''{3}.'' # A radio of an authenticated access point has heard from another access point whose MAC address neither matches that of a rogue nor is it an authenticated neighbor of the detecting access point. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] AP impersionation detected!"; program: snmptrapd; content: "=AP_IMPERSONATION_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002144; sid:5002144; rev:1;) # SIGNATURE_ATTACK_DETECTED # IDS Signature attack detected on Switch ''{0}." The Signature Type is ''{1}," Signature Name is ''{2},'' and Signature description is ''{3}." # The switch (controller) is detecting a signature attack. The switch (controller) has a list of signatures that it monitors. When it detects a signature, it provides the name of the signature attack in the alert it generates. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIDS / Signature attack detected!"; program: snmptrapd; content: "=SIGNATURE_ATTACK_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002145; sid:5002145; rev:1;) # AP_AUTHORIZATION_FAILURE # * Failed to authorize AP "{0}." Authorization entry does not exist in Controllers "{1}" AP Authorization List. # * Failed to authorize AP "{0}." The authorization key of the AP does not match with SHA1 key in Controllers "{1}" AP Authorization List. # * Failed to authorize AP "{0}." Controller "{1}" could not verify the Self Signed Certificate from the AP. # * Failed to authorize AP "{0}." AP has a self signed certificate where as the Controllers "{1}" AP authorization list has Manufactured Installed Certificate for this AP. # An alert is generated when an access point fails to associate with a controller due to authorization issues. 
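# AP_AUTHORIZATION_FAILURE rule. Matches the "=AP_AUTHORIZATION_FAILURE(" event type described above.
# Previously this signature (sid 5002146) carried the SIGNATURE_ATTACK_DETECTED content and message, so it duplicated
# sid 5002145 and no AP authorization failure could ever fire. rev bumped to 2 for the change.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] AP authorization failure"; program: snmptrapd; content: "=AP_AUTHORIZATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002146; sid:5002146; rev:2;)

# CISCO_LWAPP_MESH_CONSOLE_LOGIN
# Console login successful or failed.
# The console port provides the ability for the customer to change the username and password to recover the stranded
# outdoor access point. To prevent any unauthorized user access to the access point, the NCS sends an alarm when someone
# tries to log in. This alarm is required to provide protection because the access point is physically vulnerable
# being located outdoors.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH Console login"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_CONSOLE_LOGIN|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002147; sid:5002147; rev:1;)

# CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE
# Fails to authenticate with controller.
# The NCS receives a trap from the controller. The trap contains the MAC addresses of those access points that failed
# authorization.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authorization failure"; program: snmptrapd; content: "=CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002148; sid:5002148; rev:1;)

# IDS_SHUN_CLIENT_TRAP
# The Cisco Intrusion Detection System "{0}" has detected a possible intrusion attack by the wireless client "{1}."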
# This trap is generated in response to a shun client clear alert originated from a Cisco IDS/IPs appliance ("{0}") installed in the data path between the wireless client ("{1}") and the intranet of the site. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Shun client alert from IDS/IPS appliance!"; program: snmptrapd; content: "=IDS_SHUN_CLIENT_TRAP|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002149; sid:5002149; rev:1;) # MFP_ANOMALY_DETECTED_TRAP # MFP configuration of the WLAN was violated by the radio interface "{0}" and detected by the radio interface "{1}" of the access point with MAC address "{2}." The violation is "{3}." # This notification is sent by the agent when the MFP configuration of the WLAN was violated by the radio interface cLApIfSmtDot11Bssid and detected by the radio interface cLApDot11IfSlotId of the access point cLApSysMacAddress. This violation is indicated by cLMfpEventType. When observing the management frame(s) given by cLMfpEventFrames for the last cLMfpEventPeriod time units, the controller reports the occurrence of a total of cLMfpEventTotal violation events of type cLMfpEventType. When the cLMfpEventTotal is 0, no further anomalies have recently been detected, and the NMS should clear any alarm raised about the MFP errors. Note This notification is generated by the controller only if MFP was configured as the protection mechanism through cLMfpProtectType. 
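# MFP_ANOMALY_DETECTED_TRAP rule (event described above).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MFP anomaly detected"; program: snmptrapd; content: "=MFP_ANOMALY_DETECTED_TRAP|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002150; sid:5002150; rev:1;)

# MESH_AUTHORIZATIONFAILURE
# MESH "{0}" fails to authenticate with controller because "{1}".
# A mesh access point failed to join the mesh network because its MAC address is not listed in the MAC filter list.
# The alarm includes the MAC address of the mesh access point that failed to join.
# NOTE: sid 5002151 previously matched "=MFP_ANOMALY_DETECTED_TRAP|28|" (a copy of sid 5002150), so mesh
# authorization failures were never detected and MFP anomalies fired twice. Content corrected, rev bumped to 2.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] MESH authentication failure"; program: snmptrapd; content: "=MESH_AUTHORIZATIONFAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002151; sid:5002151; rev:2;)

# GUEST_USER_ADDED
# Guest user "{0}" created on the controller "{1}."
# This notification is sent by the agent when the GuestUser account is created successfully.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user created on controller"; program: snmptrapd; content: "=GUEST_USER_ADDED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002152; sid:5002152; rev:1;)

# GUEST_USER_AUTHENTICATED
# Guest user "{1}" logged into controller "{0}."
# This notification is sent by the agent when the GuestUser logged into the network through webauth successfully.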
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user authenticated"; program: snmptrapd; content: "=GUEST_USER_AUTHENTICATED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002153; sid:5002153; rev:1;) # GUEST_USER_LOGOFF # Guest user "{1}" logged out from the controller "{0}." # This notification is sent by the agent when a GuestUser who was previously logged into the network logs out. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] GUEST user logoff"; program: snmptrapd; content: "=GUEST_USER_LOGOFF|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002154; sid:5002154; rev:1;) # SI_SECURITY_TRAPS # Raised when Interferer marked as a security threat is detected by the network. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] SI Security trap raised!"; program: snmptrapd; content: "=SI_SECURITY_TRAPS|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002155; sid:5002155; rev:1;) # FAN_MONITOR # Cooling fan failure [ applies to MSE-3355 only]. One of the CPU cooling fans on $HOST [$IP] has failed. 
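# FAN_MONITOR rule (event described above). Classified as hardware-event to match the SENSED_TEMPERATURE_HIGH/LOW
# rules in this file; a fan failure is not network traffic, and suspicious-traffic would mis-prioritise it downstream.
# rev bumped to 2 for the classtype change.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Cooling fan failure [MSE-3355]"; program: snmptrapd; content: "=FAN_MONITOR|28|"; classtype: hardware-event; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002156; sid:5002156; rev:2;)

# FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK
# A rogue access point was detected on network by the system with classification "Friendly".
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected on network"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002157; sid:5002157; rev:1;)

# FRIENDLY_ROGUE_AP_DETECTED
# A rogue access point was detected by the system with classification "Friendly".
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Friendly rogue AP detected"; program: snmptrapd; content: "=FRIENDLY_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002158; sid:5002158; rev:1;)

# UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK
# A rogue access point was detected on network by the system with classification "Unclassified" in contained state.
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.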
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002159; sid:5002159; rev:1;) # UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED # A rogue access point was detected on network by the system with classification "Unclassified" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected on network contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002160; sid:5002160; rev:1;) # UNCLASSIFIED_ROGUE_AP_DETECTED_CONTAINED # A rogue access point was detected on network by the system with classification "Unclassified" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected contained"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002161; sid:5002161; rev:1;) # UNCLASSIFIED_ROGUE_AP_DETECTED # A rogue access point was detected on network by the system with classification "Unclassified" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Unclassified rogue AP detected"; program: snmptrapd; content: "=UNCLASSIFIED_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002162; sid:5002162; rev:1;) # MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK # A rogue access point was detected on network by the system with classification "Malicious" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002163; sid:5002163; rev:1;) # MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED # A rogue access point was detected on network by the system with classification "Malicious" in contained state. 
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected on the network contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002164; sid:5002164; rev:1;) # MALICIOUS_ROGUE_AP_DETECTED_CONTAINED # Malicious Rogue AP detected as contained. # A rogue access point was detected on network by the system with classification "Malicious" in contained state. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP detected contained"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002165; sid:5002165; rev:1;) # MALICIOUS_ROGUE_AP_DETECTED # A rogue access point was detected on network by the system with classification "Malicious" in contained state. # Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Malicious rogue AP"; program: snmptrapd; content: "=MALICIOUS_ROGUE_AP_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002166; sid:5002166; rev:1;) # ROGUE_ADHOC_DETECTED_ON_NETWORK # Adhoc Rogue detected on network. # Rogue AP ''{0}'' is on wired network. 
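# ROGUE_ADHOC_DETECTED_ON_NETWORK rule (event described above).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002167; sid:5002167; rev:1;)

# ROGUE_ADHOC_DETECTED_CONTAINED
# Adhoc Rogue detected contained.
# Rogue AP contained.
# NOTE: sid 5002168 previously matched "=ROGUE_ADHOC_DETECTED_ON_NETWORK|28|" (a copy of sid 5002167), so the
# contained event was never detected and the on-network event fired twice. Content corrected, rev bumped to 2.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue ADHOC detected on network contained"; program: snmptrapd; content: "=ROGUE_ADHOC_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002168; sid:5002168; rev:2;)

# ROGUE_AP_STATE_CHANGE
# Rogue detected.
# Rogue AP marked as {0} AP.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue AP state change"; program: snmptrapd; content: "=ROGUE_AP_STATE_CHANGE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002170; sid:5002170; rev:1;)

# ROGUE_DETECTED
# Rogue detected.
# Rogue AP ''{0}'' with SSID ''{3}'' and channel number ''{4}'' is detected by AP ''{1}'' Radio type ''{2}'' with RSSI ''{5}'' and SNR ''{6}''.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected"; program: snmptrapd; content: "=ROGUE_DETECTED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002171; sid:5002171; rev:1;)

# ROGUE_DETECTED_CONTAINED
# Rogue detected contained.
# Adhoc Rogue contained.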
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected contained"; program: snmptrapd; content: "=ROGUE_DETECTED_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002172; sid:5002172; rev:1;) # ROGUE_DETECTED_ON_NETWORK # Rogue detected on network. # None alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue detected on network"; program: snmptrapd; content: "=ROGUE_DETECTED_ON_NETWORK|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002173; sid:5002173; rev:1;) # ROGUE_AUTO_CONTAINED # Rogue auto contained. # Rogue AP ''{0}'' on Controller ''{1}'' was advertising our SSID and has been auto contained as per WPS policy. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] Rogue auto contained"; program: snmptrapd; content: "=ROGUE_AUTO_CONTAINED|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002174; sid:5002174; rev:1;) # USER_AUTHENTICATION_FAILURE # User Authentication Failure. # ''%s'' ''%s'' failed authentication on Controller ''%s''. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] User authentication failure"; program: snmptrapd; content: "=USER_AUTHENTICATION_FAILURE|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002175; sid:5002175; rev:1;) # WIPS_TRAPS # Dynamically generated per alarm. # See the wIPS alarm encyclopedia under NCS > Configuration > wIPS Profiles. 
# READ ME: This could be split out more. Cisco documentation has the "alarm names", but lacks SNMP Trap examples. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PRIME] WIPS Event!"; program: snmptrapd; content: "=WIPS_TRAPS|28|"; classtype: suspicious-traffic; reference: url,http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/event.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002176; rev:1;) rules/digitalpersona.rules0000664000175000017500000003004412612177151015241 0ustar champchamp# Sagan digitalpersona.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Digitalpersona two factor (finger print) authentication systems.
# Champ Clark III - 07/30/2012

# DigitalPersona_Pro: 1025: NT AUTHORITY\SYSTEM: User name: bob Domain: MASTER Credentials verified for logon: Password: No Fingerprint: Yes Smartcard: No Fingerprint PIN: No
# ^^ Logins need normalization

# NOTE(review): the sample event above carries ID 1025, but the "User login" rule below matches
# " 1024: ". If 1025 is the "credentials verified for logon" event, the sample never triggers
# this rule; confirm which event ID denotes a completed login before relying on sid 5001435.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User login"; content: " 1024: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001435; sid: 5001435; rev:1;)

# NOTE(review): sid 5001436 ("OTS Started") and sid 5001453 ("OTS Stopped", later in this
# file) both match " 1281: ", so every 1281 event raises both a start and a stop alert. One of
# the two event IDs is presumably wrong; check the DigitalPersona event list.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] OTS Started"; content: " 1281: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001436; sid: 5001436; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Fingerprint reader connected"; content: " 1793: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001437; sid: 5001437; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Fingerprint reader disconnected"; content: " 1794: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001438; sid: 5001438; rev:1;)

# NOTE(review): the rule below (sid 5001439) tracks after:/threshold: by_src and issues
# "fwsam: src, 1 day" without any parse_src_ip option, so the address being counted and
# blocked is presumably the syslog-sending workstation itself rather than the person at the
# reader. Five failed fingerprint matches would then cut the workstation off for a day;
# confirm what Sagan resolves as src for these events before enabling fwsam on it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] One-to-one fingerprint match 
failed [5/5]"; content: " 2049: "; classtype: unsuccessful-user; program: DigitalPersona_Pro; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001439; sid: 5001439; rev:3;)

# NOTE(review): sid 5001440 and sid 5001446 (further down) are the same rule — msg "System
# unlocked", content " 1031: " — so every 1031 event produces two alerts. Given the sequence
# 1029 "System locked", 1030 "Kiosk locked", 1031 "System unlocked", 1032 "Kiosk unlocked",
# one of the two is presumably a copy/paste leftover and should be dropped or repointed at
# the event ID it was meant to cover.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] System unlocked"; content: " 1031: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001440; sid: 5001440; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk Login"; content: " 1026: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001441; sid: 5001441; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Logoff"; content: " 1027: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001442; sid: 5001442; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk Logoff"; content: " 1028: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001443; sid: 5001443; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] System locked"; content: " 1029: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001444; sid: 5001444; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk locked"; content: " 1030: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001445; sid: 5001445; rev:1;)
# NOTE(review): duplicate of sid 5001440 above (same content " 1031: ", same msg).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] System unlocked"; content: " 1031: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001446; sid: 
5001446; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk unlocked"; content: " 1032: "; classtype: successful-user; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001447; sid: 5001447; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Registered PIN"; content: " 1033: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001448; sid: 5001448; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Changed PIN"; content: " 1034: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001449; sid: 5001449; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] FP used to unlocked smart card"; content: " 1035: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001450; sid: 5001450; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Shared account problem"; content: " 1036: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001451; sid: 5001451; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Shared account missing"; content: " 1037: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001452; sid: 5001452; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] OTS Stopped"; content: " 1281: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001453; sid: 5001453; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Agent cannot start"; content: " 1283: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001454; sid: 5001454; 
rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Password changed canceled by user"; content: " 1285: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001455; sid: 5001455; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Inital fillin was preformed"; content: " 1288: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001456; sid: 5001456; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Fillin was preformed"; content: " 1289: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001457; sid: 5001457; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Account data could not be modified"; content: " 1290: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001458; sid: 5001458; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Account data successfully modified"; content: " 1291: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001459; sid: 5001459; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] CRC check failure"; content: " 1292: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001460; sid: 5001460; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User added to Kiosk ID list"; content: " 1537: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001461; sid: 5001461; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User deleted to Kiosk ID list"; content: " 1538: "; classtype: system-event; program: DigitalPersona_Pro; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001462; sid: 5001462; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] User pushed out of the User ID list"; content: " 1539: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001463; sid: 5001463; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk ID list created"; content: " 1540: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001464; sid: 5001464; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Kiosk ID list deleted"; content: " 1541: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001465; sid: 5001465; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] DPHost started"; content: " 1795: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001466; sid: 5001466; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] DPHost cannot started"; content: " 1797: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001467; sid: 5001467; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Connection to server succeeded"; content: " 1798: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001468; sid: 5001468; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Connection to server failed"; content: " 1799: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001469; sid: 5001469; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Server busy"; content: " 1800: "; classtype: system-event; program: 
DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001470; sid: 5001470; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] One-to-many matched failed"; content: " 2050: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001471; sid: 5001471; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] Account locked out"; content: " 2051: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001472; sid: 5001472; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] License quota exceeded"; content: " 4097: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001473; sid: 5001473; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIGITALPERSONA] License quota near limit"; content: " 4098: "; classtype: system-event; program: DigitalPersona_Pro; reference: url,wiki.quadrantsec.com/bin/view/Main/5001474; sid: 5001474; rev:1;) rules/cisco-acs.rules0000664000175000017500000001156312612177151014105 0ustar champchamp# Sagan cisco-acs.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # cisco-acs.rules (Access Countrol System) # 10.1.1.1|local6|notice|notice|b5|2013-03-14|06:55:44|CSCOacs_Failed_Attempts| 0016626111 1 0 2013-03-14 06:55:44.141 -08:00 0155632123 5401 NOTICE Failed-Attempt: Authentication failed, ACSVersion=acs-5.3.0.40-B.839, ConfigVersionId=294, Device IP Address=10.2.2.2, Device Port=41673, UserName=someusername, Protocol=Tacacs, RequestLatency=4, NetworkDeviceName=somedevicename, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=someusername, Port=tty514, Remote-Address=10.3.3.3, UserName=someusername, AcsSessionID=somedevicename/124343839/16642276, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, SelectedAccessService=SOMESERVICE InternalDevice Admin, SelectedShellProfile=DenyAccess, IdentityGroup=IdentityGroup:All Groups:Network Operations, FailureReason=13036 , Step=13013 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=13045 , 
Step=13015 , Step=13014 , Step=15037 , Step=15041 , Step=15006 , Step=15013 , Step=24430 , Step=24412 , Step=24210 ,

# We look for "UserName=" because "CSCOacs_Failed_Attempts" can generate
# several types of messages. We're only interested in failures with good
# information. parse_src_ip: 3 because the ACSVersion gets parsed as an
# IP address. - Champ Clark (03/14/2013).
#
# NOTE(review): in the sample above the first three IP-looking tokens are the relay host
# (10.1.1.1), the ACSVersion string and "Device IP Address" (10.2.2.2), so parse_src_ip: 3
# appears to pick the network device (the TACACS client); the end user's address is
# "Remote-Address" (10.3.3.3), the fourth. The brute-force rule then counts by_src on the
# device, so failures from many different users through one NAS are added together. If the
# user's address is what should be tracked, confirm the token index Sagan actually counts
# and adjust parse_src_ip accordingly.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt"; program: CSCOacs_Failed_Attempts; content: "UserName="; parse_src_ip: 3; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001655; sid: 5001655; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [5/5]"; program: CSCOacs_Failed_Attempts; content: "UserName="; content:!"session timed out"; parse_src_ip: 3; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001656; sid: 5001656; rev:5;)

# 10.10.10.10|auth|info|info|26|2014-02-20|16:23:54|CisACS_02_FailedAuth| 79fa6rs6 1 0 Message-Type=Authen failed,User-Name=champtest,NAS-IP-Address=172.16.1.1,Authen-Failure-Code=ACS user unknown,Caller-ID=10.10.10.10,NAS-Port=58634240,Group-Name=Default Group,
#
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt [CisACS]"; program: CisACS_02_FailedAuth; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001975; sid: 5001975; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [CisACS] [5/5]"; program: CisACS_02_FailedAuth; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001976; sid: 
5001976; rev:2;) rules/windows-aetas.rules0000664000175000017500000000553612612177151015031 0ustar champchamp# Sagan windows-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-GEOIP] Windows Logon at suspicious time"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: Security*; parse_src_ip: 1; parse_port; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002055; sid: 5002055; rev:5;)

# NOTE(review): sid 5002056 below has "days $SAGAN_DAYS, hours $SAGAN_HOURS;" without the
# "alert_time:" keyword that sids 5002055 and 5002057 use. As written the option is presumably
# either rejected at load time or ignored, in which case the rule fires at all hours and the
# "at suspicious time" in msg is not enforced. Intended form:
#   alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS;
# Also, these rules live in windows-aetas.rules but are tagged [WINDOWS-GEOIP] in msg, which
# misleads anyone filtering alerts by tag.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] RDP / Logon type 10 at suspicious time"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: Security*; parse_src_ip: 1; days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002056; sid: 5002056; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Logon attempt using explicit credentials at suspicious time"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: Security*; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002057; sid: 5002057; rev:3;)
rules/fatpipe-geoip.rules0000664000175000017500000000521412612177151014766 0ustar champchamp# Sagan fatpipe-geoip.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-GEOIP] Login Success from outside HOME_COUNTRY"; content: "Login|3a| Success"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001959; sid: 5001959; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-GEOIP] Login Success - ADMINISTRATOR - from outside HOME_COUNTRY"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001960; sid: 5001960; rev:2;) rules/oracle.rules0000664000175000017500000000532212612177151013502 0ustar champchamp# Sagan oracle.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # 34: Audit trail: LENGTH: "351" SESSIONID:[9] "269111111" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[8] "XXXXXXX" USERHOST:[17] "XXXX\XXXX-XXXXX" TERMINAL:[12] "XXXX-XXXXXXX" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=XX.XX.XX.XX)(PORT=XXXXX))" OS$USERID:[3] "Bob" DBID:[10] "4004821111" . # 34: Audit trail: LENGTH: "358" SESSIONID:[9] "269811111" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[14] "XXXXXXXXZZZZZZ" USERHOST:[17] "XXXX\XXXX-XXXXXX" TERMINAL:[12] "XXXXX-XXXXXX" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[100] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=XX.XX.XX.XX)(PORT=XXXXXX))" OS$USERID:[3] "Bob" DBID:[10] "4004827967" . alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg: "[ORACLE] Authentication Failure"; content: "RETURNCODE|3a|[4] |22|1017|22|"; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001717; sid: 5001717; rev: 2;) rules/vmware-correlated.rules0000664000175000017500000000552112612177151015661 0ustar champchamp# Sagan vmware-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # VMWare ESX alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after suspicious activity"; pcre: "/Accepted password for|login from/i"; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: vmware-hostd|vmware-authd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002384; sid:5002384; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after suspicious activity"; content: " logged in "; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: Hostd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002385; sid:5002385; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE-CORRELATED] User login successful after suspicious activity"; content: "Accepted password"; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: Hostd; normalize: vmware; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002386; sid:5002386; rev:1;) rules/windows-owa-bluedot.rules0000664000175000017500000000413012612177151016143 0ustar champchamp# Sagan windows-owa-bluedot.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# NOTE(review): msg says "Login failure - Brute force [5/5]", but the rule has no after:/threshold:
# and no login-failure condition at all: a single request whose text contains "/ews/exchange.asmx"
# from a source with the configured Bluedot reputation matches, and fwsam then blocks that source
# for a day. Compare sid 5001439 / sid 5001656, which pair after: with threshold: behind their
# [5/5] tags. Either add a failure indicator plus
#   after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300;
# or reword msg so the tag reflects what is actually detected (reputation hit on EWS).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA-BLUEDOT] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; bluedot: reputation, by_src, $BLUEDOT_NETWORK; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002352; sid:5002352; rev:1;)
rules/windows-malware.rules0000664000175000017500000001536112612177151015361 0ustar champchamp# Sagan windows-malware.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16464"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001735; sid: 5001735; rev:5;) alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16465"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001736; sid: 5001736; rev:5;) alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16470"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001737; sid: 5001737; rev:5;) alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] ZeroAccess Malware Detected [5/5]"; content: "16471"; pcre: "/ 861: | 5154: | 5155: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001738; sid: 5001738; rev:5;) alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Black POS Malware Detected [5/5]"; pcre: "/ 4657: | 567: | 4688: | 592: /"; content: "POSWDS"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001951; sid: 5001951; rev:4;) #************************************************************* # These rules are based upon research by Russ Anthony. 
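# More information can be found in his white paper at:
#
# https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262
#*************************************************************

# Service Control Manager event (7034/7035/7046/7040/4689/593) containing "stop control" for a
# service whose name matches Defender / Anti-Virus / antivirus. Suppressed for a source that has the
# reboot.windows flowbit set, so an ordinary shutdown does not fire it.
# rev:7 - the second pcre previously read "/Defender/Anti-Virus/antivirus/i"; with "/" used as both
# the delimiter and the separator the pattern could never match a real service name, so the rule
# was silently dead. The alternatives are now separated with "|".
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] System protection disabled"; pcre: "/ 7034: | 7035: | 7046: | 7040: | 4689: | 593: /" ; pcre: "/Defender|Anti-Virus|antivirus/i"; content: "stop control"; flowbits: isnotset,by_src,reboot.windows; program: Service_Control_Manager; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002011; sid: 5002011; rev:7;)

# Process creation (4688/592) whose image name is a common look-alike of svchost.exe / iexplore.exe.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious misspelled process"; pcre: "/ 4688: | 592: /"; pcre: "/(scvhost|svcdost|scvdost|iexplorer)\.exe/i"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001999; sid: 5001999; rev:2;)

# Process creation (4688/592) where "File Name:" is followed by a lower-case c/d/e drive letter.
# The pcre deliberately has no /i flag - the lower-case letter is the whole signal.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Lower case drive letter used in process"; pcre: "/ 4688: | 592: /"; pcre: "/File Name: (c|d|e)\x3a/"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002000; sid: 5002000; rev:2;)

# Process creation (4688/592) of svchost.exe from anywhere other than C:\WINDOWS\System32.
# The negated content carries the nocase modifier, so only the expected-path check is case-insensitive.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for svchost.exe"; pcre: "/ 4688: | 592: /"; content: "\svchost.exe"; content:!"C|3a|\WINDOWS\System32\svchost.exe"; nocase; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002001; sid: 5002001; rev:2;)

# Same check as sid 5002001 for explorer.exe, whose expected path is C:\WINDOWS\explorer.exe.
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Incorrect path called for explorer.exe"; pcre: "/ 4688: | 592: /"; content: "\explorer.exe"; content:!"C|3a|\WINDOWS\explorer.exe"; nocase; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002002; sid: 5002002; rev:2;)

alert syslog $HOME_NET any -> 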
$EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious application crash"; content: " 4097|3a| "; pcre: "/Adobe|Microsoft Office|Java|wmplayer/"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002003; sid: 5002003; rev:3;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Suspicious Tool Event"; pcre: "/ 4688: | 592: /"; pcre: "/win32dd.exe|win64dd.exe|cachedump|fgdump|gsecdump|lslsass|mimikatz|pwdump7|pwdumpx|pwdump|wce.exe|getlsasrvaddr|iam.exe|iam-alt|whosthere.exe|whosthere-alt|genhash/i"; program: Security*; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002006; sid: 5002006; rev:3;) #alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] Virus Found!"; content: "virus found"; nocase; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002007; sid: 5002007; rev:1;) # Added by Champ Clark - 08/26/2014 alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MALWARE] RASWMI Malware process detected"; pcre: "/ 4688: | 592: /"; content: "|3a|\Windows\system32\wbem\raswmi.dll"; classtype: trojan-activity; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002103; sid:5002103; rev:2;) rules/procurve-normalize.rulebase0000664000175000017500000000360012612177151016545 0ustar champchamp# Sagan procurve-normalize.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #prefix= #FFI: port 14 - Security Violation #rule=: port %-:number% - Security Violation rules/apc-emu.rules0000664000175000017500000000535412612177151013571 0ustar champchamp# Sagan apc-emu.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Humidity violation"; content: "humidity violation,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001057; sid: 5001057; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Humidity violation cleared"; content: "humidity violation cleared,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001058; sid: 5001058; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Front door opened"; content: "Front Door' opened,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001059; sid: 5001059; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[APC-EMU] Front door closed"; content: "Front Door' closed,"; classtype: hardware-event; program: EMU; reference: url,wiki.quadrantsec.com/bin/view/Main/5001060; sid: 5001060; rev:1;) rules/courier-correlated.rules0000664000175000017500000000545612612177151016037 0ustar champchamp# Sagan courier-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Logout/disconnect after suspicious activity"; pcre: "/LOGOUT|DISCONNECTED/"; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; flowbits: isset,by_src,recon|honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002399; sid:5002399; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] User login after suspicious activity"; content: "LOGIN,"; parse_src_ip: 1;classtype: successful-user; program: imapd|imapd-ssl|courierlogger; flowbits: isset,by_src,recon|honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002400; sid:5002400; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER-CORRELATED] Timeout after suspicious activity"; content: "TIMEOUT"; parse_src_ip: 1;classtype: successful-user; program: imapd|imapd-ssl|courierlogger; flowbits: isset,by_src,recon|honeypot; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002401; sid:5002401; rev:1;) rules/dovecot.rules0000664000175000017500000000572012612177151013702 0ustar champchamp# Sagan dovecot.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Authentication success"; content: "login"; content: "Login"; classtype: successful-user; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000264; sid:5000264; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Failed login"; content: "Password mismatch"; classtype: unsuccessful-user; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000265; sid:5000265; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Starting up"; content: "starting up"; classtype: system-event; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000266; sid:5000266; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Fatal error"; content: "Fatal"; classtype: program-error; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000267; sid:5000267; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[DOVECOT] Invalid username"; pcre: "/user not found|User not known|unknown user/i"; classtype: unsuccessful-user; program: dovecot; reference: url,wiki.quadrantsec.com/bin/view/Main/5000268; sid:5000268; rev:1;) rules/cisco-pixasa.rules0000664000175000017500000037143412612177151014632 0ustar champchamp# Sagan cisco-pixasa.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # Iman Khosravi updated many of these rules to support the Cisco FWSM (firewall service modules). # 06/25/2012. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize 4GE SSM I/O card"; program: %ASA-1-114001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000416; sid: 5000416; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to initialize SFP in 4GE SSM I/O card"; program: %ASA-1-114002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000417; sid: 5000417; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to run cached commands in 4GE SSM I/O card"; program: %ASA-1-114003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000418; sid: 5000418; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function"; program: %ASA-1-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000419; sid: 5000419; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA Marking protocol server ip-addr in server group tag as FAILED"; program: %ASA-2-113022|%FWSM-2-113022; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000420; sid: 5000420; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in - function message"; program: %ASA-2-216001|%FWSM-2-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000421; sid: 5000421; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot locate AK47 instance"; program: %ASA-2-716500; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000422; sid: 5000422; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot attach AK47 instance"; program: %ASA-2-716501; classtype: bad-unknown; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5000423; sid: 5000423; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate default arena"; program: %ASA-2-716502|%FWSM-2-716502; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000424; sid: 5000424; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber descriptors pool"; program: %ASA-2-716503; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000425; sid: 5000425; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber library cannot allocate fiber stacks pool"; program: %ASA-2-716504; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000426; sid: 5000426; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber in unfinished state"; program: %ASA-2-716505; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000427; sid: 5000427; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler has reached unreachable code. Cannot continue terminating"; program: %ASA-2-716507; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000428; sid: 5000428; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling rotten fiber. Cannot continuing terminating"; program: %ASA-2-716508; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000429; sid: 5000429; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling alien fiber. 
Cannot continue terminating"; program: %ASA-2-716509; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000430; sid: 5000430; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber scheduler is scheduling finished fiber. Cannot continue terminating"; program: %ASA-2-716510; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000431; sid: 5000431; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber has joined fiber waited upon by someone else"; program: %ASA-2-716512; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000432; sid: 5000432; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function Fiber in callback blocked on other channel"; program: %ASA-2-716513; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000433; sid: 5000433; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM failed to allocate memory for AK47 instance"; program: %ASA-2-716515; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000434; sid: 5000434; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted ROL array. 
Cannot continue terminating"; program: %ASA-2-716516|%FWSM-2-716516; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000435; sid: 5000435; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM cached block has no associated arena"; program: %ASA-2-716517|%FWSM-2-716517; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000436; sid: 5000436; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no associated arena"; program: %ASA-2-716518|%FWSM-2-716518; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000437; sid: 5000437; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM has corrupted pool list. Cannot continue terminating"; program: %ASA-2-716519|%FWSM-2-716519; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000438; sid: 5000438; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM pool has no block list"; program: %ASA-2-716520|%FWSM-2-716520; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000439; sid: 5000439; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM no realloc allowed in named pool"; program: %ASA-2-716521|%FWSM-2-716521; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000440; sid: 5000440; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function OCCAM corrupted standalone block"; program: %ASA-2-716522|%FWSM-2-716522; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000441; sid: 5000441; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
UNICORN_SYSLOGID_PERM_STORAGE_SERVER_LOAD_FAIL"; program: %ASA-2-716526|%FWSM-2-716526; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000442; sid: 5000442; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] UNICORN_SYSLOGID_PERM_STORAGE_SERVER_STORE_FAIL"; program: %ASA-2-716527|%FWSM-2-716527; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000443; sid: 5000443; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected fiber scheduler error - possible out-of-memory condition"; program: %ASA-2-716528|%FWSM-2-716528; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000444; sid: 5000444; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get port statistics in 4GE SSM I/O card"; program: %ASA-3-114006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000445; sid: 5000445; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get current msr in 4GE SSM I/O card"; program: %ASA-3-114007; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000446; sid: 5000446; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to enable port after link is up in 4GE SSM I/O card"; program: %ASA-3-114008; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000447; sid: 5000447; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast address in 4GE SSM I/O card"; program: %ASA-3-114009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000448; sid: 5000448; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast hardware address in 4GE SSM I/O card"; program: %ASA-3-114010; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000449; sid: 5000449; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast address in 4GE SSM I/O card"; program: %ASA-3-114011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000450; sid: 5000450; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to delete multicast hardware address in 4GE SSM I/O card"; program: %ASA-3-114012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000451; sid: 5000451; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address table in 4GE SSM I/O card"; program: %ASA-3-114013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000452; sid: 5000452; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mac address in 4GE SSM I/O card"; program: %ASA-3-114014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000453; sid: 5000453; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set mode in 4GE SSM I/O card"; program: %ASA-3-114015; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000454; sid: 5000454; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set multicast mode in 4GE SSM I/O card"; program: %ASA-3-114016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000455; sid: 5000455; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to get link status in 4GE SSM I/O card"; program: %ASA-3-114017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000456; sid: 5000456; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set port speed in 4GE SSM I/O card"; program: %ASA-3-114018; classtype: 
bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000457; sid: 5000457; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set media type in 4GE SSM I/O card"; program: %ASA-3-114019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000458; sid: 5000458; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error in function message"; program: %ASA-3-216001|%FWSM-3-216001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000459; sid: 5000459; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] I2C_API_name error"; program: %ASA-3-219002|%FWSM-3-219002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000460; sid: 5000460; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPN Handle error protocol"; program: %ASA-3-316002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000461; sid: 5000461; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot experienced a control channel communications failure"; program: %ASA-3-323001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000462; sid: 5000462; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. 
Hw-module reset is required before further use"; program: %ASA-3-323004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000463; sid: 5000463; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot can not be powered on completely"; program: %ASA-3-323005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000464; sid: 5000464; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Type Module in slot experienced a data channel communication failure, data channel is DOWN"; program: %ASA-3-323006; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000465; sid: 5000465; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [1]"; program: %ASA-3-420001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000466; sid: 5000466; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS card not up and fail-close mode used, dropping ICMP packet [2]"; program: %ASA-3-420001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000467; sid: 5000467; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is dropped because application has failed"; program: %ASA-3-421001|%FWSM-3-421001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000468; sid: 5000468; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP|UDP flow from interface is skipped because application has failed"; program: %ASA-3-421007|%FWSM-3-421007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000469; sid: 5000469; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication to SSO server failed"; program: %ASA-3-716056|%FWSM-3-716056; 
classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000470; sid: 5000470; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy session pointer has terminated due to reason error"; program: %ASA-3-719002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000471; sid: 5000471; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [1]"; program: %ASA-3-722007|%FWSM-3-722007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000472; sid: 5000472; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [2]"; program: %ASA-3-722008|%FWSM-3-722008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000473; sid: 5000473; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Message ERROR message [3]"; program: %ASA-3-722009|%FWSM-3-722009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000474; sid: 5000474; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to shut down. Module Error"; program: %ASA-4-413001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000475; sid: 5000475; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot is not able to reload. Module Error"; program: %ASA-4-413002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000476; sid: 5000476; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Module in slot failed to write software. 
Trying again"; program: %ASA-4-413004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000477; sid: 5000477; rev: 2;) #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPS requested to drop ICMP packets"; program: %ASA-4-420002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000478; sid: 5000478; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBNS pkt"; program: %ASA-4-423001|%FWSM-4-423001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000479; sid: 5000479; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBNS pkt"; program: %ASA-4-423002|%FWSM-4-423002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000480; sid: 5000480; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} invalid NBDGM pkt"; program: %ASA-4-423003|%FWSM-4-423003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000481; sid: 5000481; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} mismatched NBDGM pkt"; program: %ASA-4-423004|%FWSM-4-423004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000482; sid: 5000482; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {Allowed | Dropped} NBDGM pkt"; program: %ASA-4-423005|%FWSM-4-423005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000483; sid: 5000483; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Packet denied. 
[Ingress|Egress] interface is in a backup state"; program: %ASA-4-424001|%FWSM-4-424001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000484; sid: 5000484; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection to the backup interface is denied"; program: %ASA-4-424002|%FWSM-4-424002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000485; sid: 5000485; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic, licensed host limit exceeded."; program: %ASA-4-450001|%FWSM-4-450001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000486; sid: 5000486; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Received DH key with bad length"; program: %ASA-4-713240|%FWSM-4-713240; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000487; sid: 5000487; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Unexpected error in Next Card Code mode while not doing SDI"; program: %ASA-4-713247; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000488; sid: 5000488; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Received authentication failure message"; program: %ASA-4-713251|%FWSM-4-713251; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000489; sid: 5000489; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize with Chunk Manager"; program: %ASA-4-720001|%FWSM-4-720001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000490; sid: 5000490; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate chunk from Chunk Manager"; program: %ASA-4-720007|%FWSM-4-720007; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000491; sid: 5000491; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to register to High Availability Framework"; program: %ASA-4-720008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000492; sid: 5000492; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to create version control block"; program: %ASA-4-720009|%FWSM-4-720009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000493; sid: 5000493; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to allocate memory"; program: %ASA-4-720011|%FWSM-4-720011; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000494; sid: 5000494; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to insert certificate in trust point"; program: %ASA-4-720013|%FWSM-4-720013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000495; sid: 5000495; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to queue add to message queue"; program: %ASA-4-720033|%FWSM-4-720033; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000496; sid: 5000496; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type message id to standby unit"; program: %ASA-4-720043|%FWSM-4-720043; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000497; sid: 5000497; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to receive message from active unit"; program: %ASA-4-720044|%FWSM-4-720044; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000498; sid: 5000498; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] [VPN-unit] Failed to sync SDI node secret file for server on the standby unit"; program: %ASA-4-720047|%FWSM-4-720047; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000499; sid: 5000499; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new SDI node secret file for server id on the standby unit"; program: %ASA-4-720051|%FWSM-4-720051; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000500; sid: 5000500; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to delete SDI node secret file for server id on the standby unit"; program: %ASA-4-720052|%FWSM-4-720052; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000501; sid: 5000501; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add cTCP IKE rule during bulk sync"; program: %ASA-4-720053|%FWSM-4-720053; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000502; sid: 5000502; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to add new cTCP record"; program: %ASA-4-720054|%FWSM-4-720054; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000503; sid: 5000503; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover can only be run in single/non-transparent mode"; program: %ASA-4-720055; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000504; sid: 5000504; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP database"; program: %ASA-4-720064|%FWSM-4-720064; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000505; sid: 5000505; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] 
[VPN-unit] Failed to add new cTCP IKE rule"; program: %ASA-4-720065|%FWSM-4-720065; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000506; sid: 5000506; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate IKE database"; program: %ASA-4-720066|%FWSM-4-720066; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000507; sid: 5000507; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate IKE database"; program: %ASA-4-720067|%FWSM-4-720067; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000508; sid: 5000508; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to parse peer message"; program: %ASA-4-720068|%FWSM-4-720068; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000509; sid: 5000509; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to activate cTCP database"; program: %ASA-4-720069|%FWSM-4-720069; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000510; sid: 5000510; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to deactivate cTCP database"; program: %ASA-4-720070|%FWSM-4-720070; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000511; sid: 5000511; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to insert certificate in trust point on the standby unit"; program: %ASA-4-720073|%FWSM-4-720073; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000512; sid: 5000512; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error parsing SVC connect request"; program: %ASA-4-722001|%FWSM-4-722001; parse_src_ip: 1; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000513; sid: 5000513; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error consolidating SVC connect request."; program: %ASA-4-722002|%FWSM-4-722002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000514; sid: 5000514; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error authenticating SVC connect request"; program: %ASA-4-722003|%FWSM-4-722003; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000515; sid: 5000515; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error responding to SVC connect request"; program: %ASA-4-722004|%FWSM-4-722004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000516; sid: 5000516; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC frame length length expected"; program: %ASA-4-722016|%FWSM-4-722016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000517; sid: 5000517; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC framing 525446, reserved 0"; program: %ASA-4-722017|%FWSM-4-722017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000518; sid: 5000518; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad SVC protocol version"; program: %ASA-4-722018|%FWSM-4-722018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000519; sid: 5000519; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to allocate a large memory block failed"; program: %ASA-5-402128|%FWSM-5-402128; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000520; sid: 5000520; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] META-DATA Rekey initiation is being 
disabled during CRACK authentication"; program: %ASA-5-713248|%FWSM-5-713248; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000521; sid: 5000521; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. VPN Tunnel creation rejected for client"; program: %ASA-5-713252; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000522; sid: 5000522; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Integrity Firewall Server is not available. Entering ALLOW mode. VPN Tunnel created for client"; program: %ASA-5-713253; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000523; sid: 5000523; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to initialize default timer"; program: %ASA-5-720016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000525; sid: 5000525; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update LB runtime data"; program: %ASA-5-720017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000526; sid: 5000526; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to get a buffer from the underlying core high availability subsystem"; program: %ASA-5-720018; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000527; sid: 5000527; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP statistics"; program: %ASA-5-720019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000528; sid: 5000528; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to send type timer message"; program: %ASA-5-720020; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000529; sid: 5000529; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] HA non-block send failed for peer msg. HA error code."; program: %ASA-5-720021; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000530; sid: 5000530; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Fail to look up CTCP flow handle"; program: %ASA-5-720035; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000531; sid: 5000531; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to process state update message from the active peer"; program: %ASA-5-720036; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000532; sid: 5000532; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update cTCP dynamic data"; program: %ASA-5-720071; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000533; sid: 5000533; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Timeout waiting for Integrity Firewall Server to become available"; program: %ASA-5-720072|%FWSM-5-720072; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000534; sid: 5000534; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO An attempt to release a DMA memory block failed, location address"; program: %ASA-6-402129|%FWSM-6-402129; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000535; sid: 5000535; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN access DENIED to specified location url"; program: %ASA-6-716004; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000536; sid: 5000536; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] WebVPN ACL Parse Error"; program: %ASA-6-716005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000537; sid: 5000537; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN session not allowed. WebVPN ACL parse error"; program: %ASA-6-716009; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000538; sid: 5000538; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Reboot pending, new sessions disabled. Denied user login"; program: %ASA-6-716040|%FWSM-6-716040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000539; sid: 5000539; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding to ACL"; program: %ASA-6-716050|%FWSM-6-716050; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000540; sid: 5000540; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error adding dynamic ACL for user"; program: %ASA-6-716051|%FWSM-6-716051; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000541; sid: 5000541; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy feature is disabled on interface"; program: %ASA-6-719010|%FWSM-6-719010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000542; sid: 5000542; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization failed"; program: %ASA-6-719019; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000543; sid: 5000543; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN authorization completed successfully"; program: %ASA-6-719020; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000544; sid: 5000544; rev: 2;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN has not been successfully authenticated. Access denied"; program: %ASA-6-719023; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000545; sid: 5000545; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy piggyback auth fail session"; program: %ASA-6-719024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000546; sid: 5000546; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Email Proxy DNS name resolution failed for hostname"; program: %ASA-6-719025; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000547; sid: 5000547; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Starting VPN Stateful Failover Subsystem"; program: %ASA-6-720002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000548; sid: 5000548; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Initialization of VPN Stateful Failover Component completed successfully"; program: %ASA-6-720003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000549; sid: 5000549; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover main thread started"; program: %ASA-6-720004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000550; sid: 5000550; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover timer thread started"; program: %ASA-6-720005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000551; sid: 5000551; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover sync thread started"; program: %ASA-6-720006; classtype: hardware-event; reference: 
url, wiki.quadrantsec.com/bin/view/Main/5000552; sid: 5000552; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is being disabled"; program: %ASA-6-720010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000553; sid: 5000553; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] Failed to update IPSec failover runtime data on the standby unit"; program: %ASA-6-720012; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000554; sid: 5000554; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to active state"; program: %ASA-6-720039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000555; sid: 5000555; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN failover client is transitioning to standby state"; program: %ASA-6-720040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000556; sid: 5000556; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Message Thread is being disabled"; program: %ASA-6-720056; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000557; sid: 5000557; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Timer Thread is disabled"; program: %ASA-6-720058; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000559; sid: 5000559; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [VPN-unit] VPN Stateful failover Sync Thread is disabled."; program: %ASA-6-720060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000561; sid: 5000561; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-PIXASA] SVC Global Compression Disabled"; program: %ASA-6-722025|%FWSM-6-722025; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000563; sid: 5000563; rev: 3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Device failed SSL handshake"; program: %ASA-6-725006|%FWSM-6-725006; classtype: bad-unknown; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000564; sid: 5000564; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to inject {TCP|UDP} packet"; program: %ASA-7-421004|%FWSM-7-421004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000565; sid: 5000565; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File access DENIED, filename"; program: %ASA-7-716021|%FWSM-7-716021; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000566; sid: 5000566; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse the network"; program: %ASA-7-716024|%FWSM-7-716024; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000567; sid: 5000567; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse domain domain"; program: %ASA-7-716025|%FWSM-7-716025; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000568; sid: 5000568; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to browse directory"; program: %ASA-7-716026|%FWSM-7-716026; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000569; sid: 5000569; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to view file"; program: %ASA-7-716027|%FWSM-7-716027; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000570; sid: 5000570; rev: 3;) alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove file"; program: %ASA-7-716028|%FWSM-7-716028; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000571; sid: 5000571; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to rename file"; program: %ASA-7-716029|%FWSM-7-716029; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000572; sid: 5000572; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to modify file"; program: %ASA-7-716030|%FWSM-7-716030; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000573; sid: 5000573; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create file"; program: %ASA-7-716031|%FWSM-7-716031; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000574; sid: 5000574; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to create folder"; program: %ASA-7-716032|%FWSM-7-716032; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000575; sid: 5000575; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to remove folder"; program: %ASA-7-716033|%FWSM-7-716033; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000576; sid: 5000576; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] File Access User failed to login into the server"; program: %ASA-7-716037|%FWSM-7-716037; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000577; sid: 5000577; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination"; program: %ASA-7-722030|%FWSM-7-722030; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000579; sid: 5000579; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] SVC Session Termination Out"; program: %ASA-7-722031|%FWSM-7-722031; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000580; sid: 5000580; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix encountered bad flow control flow"; program: %ASA-7-723004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000581; sid: 5000581; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix SOCKS errors"; program: %ASA-7-723006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000582; sid: 5000582; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix receives bad SOCKS socks message length"; program: %ASA-7-723011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000583; sid: 5000583; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] WebVPN Citrix received bad SOCKS socks message format"; program: %ASA-7-723012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000584; sid: 5000584; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL lib error"; program: %ASA-7-725014|%FWSM-7-725014 ; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000585; sid: 5000585; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dynamic DNS Update failed"; program: %ASA-3-331001|%PIX-3-331001|%FWSM-3-331001 ; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000586; sid: 5000586; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Switching to ACTIVE";program: %ASA-1-104001|%FWSM-1-104001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000587; sid: 5000587; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104002 [Primary] Switching to STNDBY [cause string]."; program: %ASA-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000588; sid: 5000588; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104003 [Primary] Switching to FAILED"; program: %ASA-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000589; sid: 5000589; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-104004 [Primary] Switching to OK."; program: %ASA-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000590; sid: 5000590; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA]%PIX|ASA-1-105037 The primary and standby units are switching back and forth as the active unit"; program: %ASA-1-105037|%FWSM-1-105037; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000591; sid: 5000591; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test"; program: %ASA-2-218004|%PIX-2-218004|%FWSM-2-218004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000592; sid: 5000592; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable OK"; program: %ASA-1-101001|%PIX-1-101001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000595; sid: 5000595; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Bad failover cable"; program: %ASA-1-101002|%PIX-1-101002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000596; sid: 5000596; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [this unit]"; program: 
%ASA-1-101003|%PIX-1-101003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000597; sid: 5000597; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable not connected [other unit]"; program: %ASA-1-101004|%PIX-1-101004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000598; sid: 5000598; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Error reading failover cable status"; program: %ASA-1-101005|%PIX-1-101005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000599; sid: 5000599; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Power failure/System reload other side"; program: %ASA-1-102001|%PIX-1-102001|%FWSM-1-102001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000600; sid: 5000600; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] No response from other firewall"; program: %ASA-1-103001|%PIX-1-103001|%FWSM-1-103001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000601; sid: 5000601; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface OK"; program: %ASA-1-103002|%PIX-1-103002|%FWSM-1-103002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000602; sid: 5000602; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall network interface failed"; program: %ASA-1-103003|%PIX-1-103003|%FWSM-1-103003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000603; sid: 5000603; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reports this firewall failed"; program: %ASA-1-103004|%PIX-1-103004|%FWSM-1-103004; classtype: 
hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000604; sid: 5000604; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Other firewall reporting failure"; program: %ASA-1-103005|%PIX-1-103005|%FWSM-1-103005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000605; sid: 5000605; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to ACTIVE"; program: %ASA-1-104001|%PIX-1-104001|%FWSM-1-104001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000606; sid: 5000606; rev: 3;)
# NOTE(review): 5000607/5000608/5000609 (104002/104003/104004) overlap sids 5000588-5000590
# earlier in this file, which match the same %ASA-1-1040xx / %FWSM-1-1040xx program ids.
# An ASA or FWSM failover state change therefore fires two alerts; retire one set.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to STNDBY"; program: %ASA-1-104002|%PIX-1-104002|%FWSM-1-104002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000607; sid: 5000607; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to FAILED"; program: %ASA-1-104003|%PIX-1-104003|%FWSM-1-104003; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000608; sid: 5000608; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Switching to OK"; program: %ASA-1-104004|%PIX-1-104004|%FWSM-1-104004; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000609; sid: 5000609; rev: 3;)
# 105001 "Disabling failover" is an administrative change that removes HA protection;
# worth correlating with AAA / config-change logs from the same device.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Disabling failover"; program: %ASA-1-105001|%PIX-1-105001|%FWSM-1-105001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000610; sid: 5000610; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Enabling failover"; program: %ASA-1-105002|%PIX-1-105002|%FWSM-1-105002; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000611; sid: 5000611; rev: 3;)
alert syslog $EXTERNAL_NET any -> 
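$HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Lost Failover communications with mate on interface"; program: %ASA-1-105005|%PIX-1-105005|%FWSM-1-105005; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000612; sid: 5000612; rev: 3;)
# sid 5000614: carried a garbled option `p"cre: "/%PIX-|%ASA-/"` (broken pcre keyword/quoting).
# The program: match already selects exactly the %ASA-1-105011 / %PIX-1-105011 messages, as every
# sibling rule does, so the redundant pcre was dropped rather than repaired. rev bumped.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover cable communication failure"; program: %ASA-1-105011|%PIX-1-105011; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000614; sid: 5000614; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [failover_unit] Standby unit failed to sync due to a locked config"; program: %ASA-1-105021|%PIX-1-105021|%FWSM-1-105021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000615; sid: 5000615; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failover LAN interface is up"; program: %ASA-1-105031|%PIX-1-105031; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000616; sid: 5000616; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LAN Failover interface is down"; program: %ASA-1-105032|%PIX-1-105032; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000617; sid: 5000617; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN_FAILOVER_UP message from peer"; program: %ASA-1-105034|%PIX-1-105034; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000618; sid: 5000618; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Receive a LAN failover interface down msg from peer"; program: %ASA-1-105035|%PIX-1-105035; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000619; sid: 5000619; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] dropped a LAN Failover command message"; 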
program: %ASA-1-105036|%PIX-1-105036; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000620; sid: 5000620; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Unable to verify the Interface count with mate. Failover may be disabled in mate"; program: %ASA-1-105039|%PIX-1-105039; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000621; sid: 5000621; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Mate failover version is not compatible"; program: %ASA-1-105040|%PIX-1-105040; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000622; sid: 5000622; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface OK"; program: %ASA-1-105042|%PIX-1-105042; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000623; sid: 5000623; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover interface failed"; program: %ASA-1-105043|%PIX-1-105043; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000624; sid: 5000624; rev: 2;)
# 106021 (unicast RPF drop) is disabled here. It is presumably emitted per dropped packet;
# if re-enabled, give it a by_src threshold like the spoof/land/teardrop rules (5000636/5000637/5000639).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol reverse path check"; program: %ASA-1-106021|%PIX-1-106021|%FWSM-1-106021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000625; sid: 5000625; rev: 3;)
# 106022 stays enabled with no threshold; a spoofing burst will alert once per packet.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol connection spoof"; program: %ASA-1-106022|%PIX-1-106022|%FWSM-1-106022; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000626; sid: 5000626; rev: 3;)
# 106101: ACL deny-flow logging hit its cache limit. Treat as a visibility gap - denies after this
# point may not be logged until the cache drains (confirm against Cisco's message guide).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The number of ACL log deny-flows has reached limit"; program: %ASA-1-106101|%PIX-1-106101|%FWSM-1-106101; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000627; sid: 5000627; rev: 2;)
# 107001/107002: RIP authentication / packet validation failures - a rogue or misconfigured
# router injecting routes; the offending source is in the message but is not parsed here.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP auth failed"; program: %ASA-1-107001|%PIX-1-107001|%FWSM-1-107001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000628; sid: 5000628; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP pkt failed"; program: %ASA-1-107002|%PIX-1-107002|%FWSM-1-107002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000629; sid: 5000629; rev: 3;)
# The high-volume per-connection/per-packet denies (106001, 106006, 106007) are left disabled;
# they have no threshold, so enabling them as-is floods. 106002 and 106013 below ARE enabled
# without a threshold - expect noise from outbound ACL denies and dropped pings.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound TCP connection denied"; program: %ASA-2-106001|%PIX-2-106001|%FWSM-2-106001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000631; sid: 5000631; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection denied by outbound ACL"; program: %ASA-2-106002|%PIX-2-106002|%FWSM-2-106002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000632; sid: 5000632; rev: 3;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound UDP"; program: %ASA-2-106006|%PIX-2-106006|%FWSM-2-106006; classtype: bad-unknown; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5000633; sid: 5000633; rev: 3;)
# $DNS_PORT (also $FTP_PORT, $SSH_PORT, $SNMP_PORT below) must be defined in sagan.conf or the rule fails to load.
#alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] Deny inbound UDP from outside due to DNS {Response|Query}"; program: %ASA-2-106007|%PIX-2-106007|%FWSM-2-106007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000634; sid: 5000634; rev: 4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping echo request"; program: %ASA-2-106013|%PIX-2-106013|%FWSM-2-106013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000635; sid: 5000635; rev: 3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP spoof [0/5]"; 
program: %ASA-2-106016|%PIX-2-106016|%FWSM-2-106016; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000636; sid: 5000636; rev: 7;)
# 5000636/5000637/5000639 (IP spoof, land, teardrop) are disabled even though they already carry
# a 5-per-300s by_src limit, so re-enabling them is cheap.
# NOTE(review): only 5000639 sets parse_src_ip. Without it, Sagan's by_src tracking appears to key
# on the syslog sender (the firewall) rather than the offending host - confirm before relying on
# the per-source limit in 5000636/5000637.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP due to Land Attack [0/5]"; program: %ASA-2-106017|%PIX-2-106017|%FWSM-2-106017; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000637; sid: 5000637; rev: 5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ICMP denied by outbound ACL"; program: %ASA-2-106018|%PIX-2-106018|%FWSM-2-106018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000638; sid: 5000638; rev: 3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP teardrop fragment [0/5]"; program: %ASA-2-106020|%PIX-2-106020|%FWSM-2-106020; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000639; parse_src_ip: 1; sid: 5000639; rev: 6;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad route_compress"; program: %ASA-2-215001|%PIX-2-215001|%FWSM-2-215001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000640; sid: 5000640; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed Identification Test in slot"; program: %ASA-2-218001|%PIX-2-218001|%FWSM-2-218001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000641; sid: 5000641; rev: 3;)
# 410002: DNS response ids not matching outstanding queries. Can be a poisoning attempt or just a
# lossy resolver; no threshold or parse_src_ip here, so a burst alerts per message.
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] Dropped DNS responses with mis-matched id"; program: %ASA-2-410002|%PIX-2-410002|%FWSM-2-410002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000642; sid: 5000642; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] Configuration replication failed for command"; program: %ASA-2-709007|%PIX-2-709007|%FWSM-2-709007; classtype: configuration-error ; reference: url, wiki.quadrantsec.com/bin/view/Main/5000643; sid: 5000643; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected event"; program: %ASA-2-717011|%PIX-2-717011|%FWSM-2-717011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000644; sid: 5000644; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] [Primary] Failover message block alloc failed"; program: %ASA-3-105010|%PIX-3-105010|%FWSM-3-105010; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000645; sid: 5000645; rev: 3;)
# 106010/106011/106014 (generic inbound denies) stay disabled: high volume, no threshold.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound protocol"; program: %ASA-3-106010|%PIX-3-106010|%FWSM-3-106010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000646; sid: 5000646; rev: 3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound [No xlate]"; program: %ASA-3-106011|%PIX-3-106011|%FWSM-3-106011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000647; sid: 5000647; rev: 3;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny inbound ICMP"; program: %ASA-3-106014|%PIX-3-106014|%FWSM-3-106014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000648; sid: 5000648; rev: 3;)
# 109010: the pending-authentication queue is full. Worth watching as an auth-flood / DoS
# indicator; no by_src limit here, so repeated hits are not aggregated.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [too many pending auths]"; program: %ASA-3-109010|%PIX-3-109010|%FWSM-3-109010; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000649; sid: 5000649; rev: 3;)
# 109016: the user authenticated but the authorization ACL named for them does not exist.
# Treat as an authorization gap (user may end up with no per-user restrictions), not only an error.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Can't find authorization ACL for user"; program: %ASA-3-109016|%PIX-3-109016|%FWSM-3-109016; classtype: 
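unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000650; sid: 5000650; rev: 3;)
# 109019/109020/109032: a per-user ACL pushed from AAA could not be parsed/installed. The user may
# be left without the intended restrictions - treat as an authorization gap.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has parsing error"; program: %ASA-3-109019|%PIX-3-109019|%FWSM-3-109019; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000651; sid: 5000651; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Downloaded ACL has config error"; program: %ASA-3-109020|%PIX-3-109020|%FWSM-3-109020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000652; sid: 5000652; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to install ACL, downloaded for user"; program: %ASA-3-109032|%PIX-3-109032|%FWSM-3-109032; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000653; sid: 5000653; rev: 3;)
# sid 5000654: the FWSM id was %FWSM-3-109020 (copy/paste from the ACL-config-error rule above),
# which would tag FWSM downloaded-ACL errors as Kerberos errors. Aligned to 113020 like the
# ASA/PIX ids (whether FWSM emits 113020 at all is unverified; harmless if not). rev bumped.
# Clock skew >300s breaks Kerberos AAA entirely and may indicate NTP tampering - correlate
# with the NTP alerts (610001/610002) later in this file.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Kerberos error. Clock skew with server greater than 300 seconds"; program: %ASA-3-113020|%PIX-3-113020|%FWSM-3-113020; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000654; sid: 5000654; rev: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] FTP data connection failed"; program: %ASA-3-201005|%PIX-3-201005|%FWSM-3-201005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000655; sid: 5000655; rev: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg: "[CISCO-PIXASA] RCMD backconnection failed "; program: %ASA-3-201006|%PIX-3-201006|%FWSM-3-201006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000656; sid: 5000656; rev: 3;)
# "LU" below is the failover Logical Update (state replication to the standby unit) - presumably;
# failures mean the standby may lack current connection/xlate state. Availability, not intrusion.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU sw_module_name error"; program: %ASA-3-210001|%PIX-3-210001|%FWSM-3-210001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000657; sid: 5000657; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate block [bytes] failed"; program: %ASA-3-210002|%PIX-3-210002|%FWSM-3-210002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000658; sid: 5000658; rev: 3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate connection failed"; program: %ASA-3-210005|%PIX-3-210005|%FWSM-3-210005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000659; sid: 5000659; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU look NAT failed"; program: %ASA-3-210006|%PIX-3-210006|%FWSM-3-210006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000660; sid: 5000660; rev: 3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU allocate xlate failed"; program: %ASA-3-210007|%PIX-3-210007|%FWSM-3-210007; classtype: bad-unknown; reference: url, 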
wiki.quadrantsec.com/bin/view/Main/5000661; sid: 5000661; rev: 3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU make UDP connection for outside to inside failed"; program: %ASA-3-210010|%PIX-3-210010|%FWSM-3-210010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000662; sid: 5000662; rev: 3;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU PAT port reserve failed"; program: %ASA-3-210020|%PIX-3-210020|%FWSM-3-210020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000663; sid: 5000663; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] LU create static xlate interface failed"; program: %ASA-3-210021|%PIX-3-210021|%FWSM-3-210021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000664; sid: 5000664; rev: 3;)
# 211001: memory exhaustion on the firewall - a resource-DoS symptom as well as a hardware issue.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Memory allocation Error"; program: %ASA-3-211001|%PIX-3-211001|%FWSM-3-211001; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000665; sid: 5000665; rev: 3;)
# 2120xx: SNMP agent/trap channel failures. The $SNMP_PORT rules constrain the destination port
# parsed from the log, not the syslog transport; $SNMP_PORT must be defined in sagan.conf.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP channel"; program: %ASA-3-212001|%PIX-3-212001|%FWSM-3-212001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000666; sid: 5000666; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unable to open SNMP trap channel"; program: %ASA-3-212002|%PIX-3-212002|%FWSM-3-212002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000667; sid: 5000667; rev: 3;)
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Unable to receive an SNMP request on interface"; program: %ASA-3-212003|%PIX-3-212003|%FWSM-3-212003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000668; sid: 5000668; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 
$SNMP_PORT (msg: "[CISCO-PIXASA] Unable to send an SNMP response"; program: %ASA-3-212004|%PIX-3-212004|%FWSM-3-212004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000669; sid: 5000669; rev: 4;)
# 212006: an SNMP request was dropped - typically a manager not in the device's allowed host
# list, which makes this an SNMP-probing indicator. No by_src limit here, so sweeps alert per packet.
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Dropping SNMP request"; program: %ASA-3-212006|%PIX-3-212006|%FWSM-3-212006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000670; sid: 5000670; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPTP tunnel hashtable insert failed"; program: %ASA-3-213002|%PIX-3-213002|%FWSM-3-213002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000671; sid: 5000671; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPP virtual interface client ip allocation failed"; program: %ASA-3-213004|%PIX-3-213004|%FWSM-3-213004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000672; sid: 5000672; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H.323 library_name ASN Library failed to initialize"; program: %ASA-3-302019|%PIX-3-302019|%FWSM-3-302019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000673; sid: 5000673; rev: 3;)
# 302302: traffic denied because no IPsec SA could be created for it (crypto ACL mismatch).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ACL = deny no sa created"; program: %ASA-3-302302|%PIX-3-302302|%FWSM-3-302302; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000674; sid: 5000674; rev: 4;)
# Disabled on 04/12/2014 - Considered too noisy & of little value (Champ Clark III)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] {outbound static|identity|portmap|regular] translation creation failed"; program: %ASA-3-305006|%PIX-3-305006|%FWSM-3-305006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000675; sid: 5000675; rev: 3;)
#alert icmp $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA-3-313001|%PIX-3-313001|%FWSM-3-313001; classtype: bad-unknown; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5000676; sid: 5000676; rev: 4;)
# NOTE(review): 5000676 (313001, IPv4 ICMP denied) is disabled while 5000677 (313008, ICMPv6) is
# enabled with no threshold - inconsistent. Either disable both or give 5000677 a by_src limit.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMPv6"; program: %ASA-3-313008|%PIX-3-313008|%FWSM-3-313008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000677; sid: 5000677; rev: 3;)
# 315004: no RSA host key on the device, so SSH management sessions cannot be established.
# This is a device configuration problem rather than a failed login; classtype is a misnomer.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-PIXASA] Fail to establish SSH session because RSA host key retrieval failed"; program: %ASA-3-315004|%PIX-3-315004|%FWSM-3-315004; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000678; sid: 5000678; rev: 4;)
# 316001: VPN tunnel limit reached - capacity exhaustion or a connection flood at the headend.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied new tunnel limit exceeded"; program: %ASA-3-316001|%PIX-3-316001|%FWSM-3-316001; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000679; sid: 5000679; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP routing table creation failure"; program: %ASA-3-317003|%PIX-3-317003|%FWSM-3-317003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000681; sid: 5000681; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA-3-318001|%PIX-3-318001|%FWSM-3-318001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000682; sid: 5000682; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Arp update for IP address address to NPn failed"; program: %ASA-3-319003|%PIX-3-319003|%FWSM-3-319003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000683; sid: 5000683; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Route update for IP address failed"; program: 
%ASA-3-319004|%PIX-3-319004|%FWSM-3-319004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000684; sid: 5000684; rev: 3;)
# 322001-322003: MAC-address / ARP-inspection denies (transparent-mode feature, presumably).
# These are on-link spoofing / ARP-poisoning indicators; "bad-unknown" undersells them.
# The offending MAC/IP is in the message text but is not parsed here (no parse_src_ip).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny MAC address possible spoof attempt"; program: %ASA-3-322001|%PIX-3-322001|%FWSM-3-322001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000685; sid: 5000685; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [1]"; program: %ASA-3-322002|%PIX-3-322002|%FWSM-3-322002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000686; sid: 5000686; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ARP inspection check failed [2]"; program: %ASA-3-322003|%PIX-3-322003|%FWSM-3-322003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000687; sid: 5000687; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] GSN tunnel limit exceeded"; program: %ASA-3-324006|%PIX-3-324006|%FWSM-3-324006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000690; sid: 5000690; rev: 3;)
# 324301: malformed RADIUS accounting request - a broken client or protocol probing.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Radius Accounting Request has a bad header length"; program: %ASA-3-324301|%PIX-3-324301|%FWSM-3-324301; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000691; sid: 5000691; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Unexpected error in the timer library"; program: %ASA-3-326001|%PIX-3-326001|%FWSM-3-326001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000692; sid: 5000692; rev: 3;)
# 326002 has the bare msg "Error" (as do 5000709/5000710 later); consumers must key on sid.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA-3-326002|%PIX-3-326002|%FWSM-3-326002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000693; sid: 5000693; rev: 3;)
# 3260xx: multicast routing (MRIB) internal errors. Operational rather than intrusion
# indicators. Several share a generic msg ("Error", "Internal error", "An internal error
# occurred while processing a packet queue" - 326004 vs 326024), so downstream consumers
# must key on sid rather than msg text.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: %ASA-3-326004|%PIX-3-326004|%FWSM-3-326004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000694; sid: 5000694; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Mrib notification failed"; program: %ASA-3-326005|%PIX-3-326005|%FWSM-3-326005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000695; sid: 5000695; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-creation failed"; program: %ASA-3-326006|%PIX-3-326006|%FWSM-3-326006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000696; sid: 5000696; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Entry-update failed"; program: %ASA-3-326007|%PIX-3-326007|%FWSM-3-326007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000697; sid: 5000697; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB registration failed"; program: %ASA-3-326008|%PIX-3-326008|%FWSM-3-326008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000698; sid: 5000698; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB connection-open failed"; program: %ASA-3-326009|%PIX-3-326009|%FWSM-3-326009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000699; sid: 5000699; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB unbind failed"; program: %ASA-3-326010|%PIX-3-326010|%FWSM-3-326010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000700; sid: 5000700; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] MRIB table deletion failed"; program: %ASA-3-326011|%PIX-3-326011|%FWSM-3-326011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000701; sid: 5000701; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization of string functionality failed"; program: %ASA-3-326012|%PIX-3-326012|%FWSM-3-326012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000702; sid: 5000702; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal error"; program: %ASA-3-326013|%PIX-3-326013|%FWSM-3-326013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000703; sid: 5000703; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Initialization failed"; program: %ASA-3-326014|%PIX-3-326014|%FWSM-3-326014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000704; sid: 5000704; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Communication error"; program: %ASA-3-326015|%PIX-3-326015|%FWSM-3-326015; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000705; sid: 5000705; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to set un-numbered interface"; program: %ASA-3-326016|%PIX-3-326016|%FWSM-3-326016; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000706; sid: 5000706; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Interface Manager error"; program: %ASA-3-326017|%PIX-3-326017|%FWSM-3-326017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000707; sid: 5000707; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] List error"; program: %ASA-3-326020|%PIX-3-326020|%FWSM-3-326020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000708; sid: 5000708; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA-3-326021|%PIX-3-326021|%FWSM-3-326021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000709; sid: 5000709; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error"; program: %ASA-3-326022|%PIX-3-326022|%FWSM-3-326022; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000710; sid: 5000710; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] An internal error occurred while processing a packet queue"; program: %ASA-3-326024|%PIX-3-326024|%FWSM-3-326024; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000711; sid: 5000711; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Server unexpected error"; program: %ASA-3-326026|%PIX-3-326026|%FWSM-3-326026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000712; sid: 5000712; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Corrupted update"; program: %ASA-3-326027|%PIX-3-326027|%FWSM-3-326027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000713; sid: 5000713; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asynchronous error"; program: %ASA-3-326028|%PIX-3-326028|%FWSM-3-326028; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000714; sid: 5000714; rev: 3;)
# 3270xx: IP SLA monitor failures - affects route tracking / failover decisions, not security directly.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Failed to initialize, will not work"; program: %ASA-3-327002|%PIX-3-327002|%FWSM-3-327002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000715; sid: 5000715; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP SLA Monitor Generic Timer wheel timer functionality failed to initialize"; program: %ASA-3-327003|%PIX-3-327003|%FWSM-3-327003; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000716; sid: 5000716; rev: 3;)
# 403501/403502: PPPoE discovery replies with a host-unique tag the client never sent -
# dropped. Could be a rogue/spoofed PPPoE concentrator on the segment, or simply stale replies.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADO - packet dropped"; program: %ASA-3-403501|%PIX-3-403501|%FWSM-3-403501; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000717; sid: 5000717; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE - Bad host-unique in PADS - dropping packet"; program: %ASA-3-403502|%PIX-3-403502|%FWSM-3-403502; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000718; sid: 5000718; rev: 3;)
# msg text "PPPoEPPPoE client ..." looks like Cisco's "PPPoE:PPPoE client ..." with the colon stripped; left as-is.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoEPPPoE client on interface failed to locate PPPoE vpdn group"; program: %ASA-3-403507|%PIX-3-403507|%FWSM-3-403507; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000719; sid: 5000719; rev: 3;)
# 414001/414002: the device could not archive its logging buffer (to an FTP server / to flash).
# Buffered events may be lost - a log-integrity / evidence-retention gap, not just an error.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] Failed to save logging buffer using filename to FTP server"; program: %ASA-3-414001|%PIX-3-414001|%FWSM-3-414001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000720; sid: 5000720; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to save logging buffer to flash or syslog directory using file name filename"; program: %ASA-3-414002|%PIX-3-414002|%FWSM-3-414002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000721; sid: 5000721; rev: 3;)
# 610001/610002: NTP packets rejected / NTP authentication failed. Unauthenticated or spoofed time
# sources undermine log timestamps, certificate validity checks and Kerberos (see 113020).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Packet denied"; program: %ASA-3-610001|%PIX-3-610001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000722; sid: 5000722; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NTP daemon Authentication failed"; program: %ASA-3-610002|%PIX-3-610002|%FWSM-3-610002; classtype: unsuccessful-user; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000723; sid: 5000723; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Backup Server List Error"; program: %ASA-3-611313|%PIX-3-611313; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000724; sid: 5000724; rev: 2;)
# 713048 (IKE payload processing error) is the only 713xxx rule here that extracts the peer
# addresses (parse_src_ip/parse_dst_ip). Malformed IKE from the Internet is common scanner
# noise; a by_src threshold keeps this usable.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error processing payload"; program: %ASA-3-713048|%PIX-3-713048|%FWSM-3-713048; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000725; sid: 5000725; rev: 5;)
# 713059/713060: tunnel-group lock-out rejections - a user presenting credentials for a VPN
# group they are not permitted to use. No threshold or parse_src_ip here, so repeated attempts
# from one peer are not aggregated or attributed to the peer address.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User matched with group name, check failed"; program: %ASA-3-713059|%PIX-3-713059; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000726; sid: 5000726; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel Rejected User not member of group, check failed"; program: %ASA-3-713060|%PIX-3-713060; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000727; sid: 5000727; rev: 2;)
# 713082/713088: identity-certificate problems on the VPN headend - IKE peers using certificate
# authentication will fail until fixed.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to retrieve identity certificate"; program: %ASA-3-713082|%PIX-3-713082; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000728; sid: 5000728; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Set Cert filehandle failure no IPSec SA in group"; program: %ASA-3-713088|%PIX-3-713088; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000729; sid: 5000729; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Request attempt failed!"; program: %ASA-3-713107|%PIX-3-713107; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000730; sid: 5000730; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
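"[CISCO-PIXASA] Failed to process CONNECTED notify!"; program: %ASA-3-713112|%PIX-3-713112; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000731; sid: 5000731; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client-reported firewall does not match configured firewall action tunnel"; program: %ASA-3-713141|%PIX-3-713141; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000732; sid: 5000732; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Client did not report firewall in use, but there is a configured firewall action tunnel"; program: %ASA-3-713142|%PIX-3-713142; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000733; sid: 5000733; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP Connection to Firewall Server has been lost, restricted tunnels are now allowed full network access"; program: %ASA-3-713159|%PIX-3-713159; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000734; sid: 5000734; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user network access has been restricted by the Firewall Server"; program: %ASA-3-713161|%PIX-3-713161; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000735; sid: 5000735; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been rejected by the Firewall Server"; program: %ASA-3-713162|%PIX-3-713162; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000736; sid: 5000736; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been terminated by the Firewall Server"; program: %ASA-3-713163|%PIX-3-713163; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000737; sid: 5000737; rev: 2;) alert syslog $EXTERNAL_NET any -> 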
$HOME_NET any (msg: "[CISCO-PIXASA] Headend security gateway has failed our user authentication attempt - check configured username and password"; program: %ASA-3-713166|%PIX-3-713166; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000738; sid: 5000738; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote peer has failed user authentication - check configured username and password [10/5]"; program: %ASA-3-713167|%PIX-3-713167; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000739; sid: 5000739; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error Username too long - connection aborted"; program: %ASA-3-713185|%PIX-3-713185; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000740; sid: 5000740; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User Authorization failed"; program: %ASA-3-713198|%PIX-3-713198|%FWSM-3-713198; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000741; sid: 5000741; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE Receiver Error reading from socket"; program: %ASA-3-713203|%PIX-3-713203; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000742; sid: 5000742; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Connection failed with peer, no trust-point defined"; program: %ASA-3-713226|%PIX-3-713226; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000743; sid: 5000743; rev: 2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to lock bit that is already locked"; program: %ASA-3-713230|%PIX-3-713230|%FWSM-3-713230; parse_src_ip: 1; 
parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000744; sid: 5000744; rev: 4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal Error, ike_lock trying to unlock bit that is not locked"; program: %ASA-3-713231|%PIX-3-713231|%FWSM-3-713231; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000745; sid: 5000745; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Querying keypair failed"; program: %ASA-3-717001|%PIX-3-717001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000746; sid: 5000746; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate enrollment failed for trustpoint"; program: %ASA-3-717002|%PIX-3-717002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000747; sid: 5000747; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate validation failed"; program: %ASA-3-717009|%PIX-3-717009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000748; sid: 5000748; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRL polling failed for trustpoint"; program: %ASA-3-717010|%PIX-3-717010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000749; sid: 5000749; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to refresh CRL cache entry from the server for trustpoint"; program: %ASA-3-717012|%PIX-3-717012; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000750; sid: 5000750; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to query CA certificate for trustpoint"; program: %ASA-3-717017|%PIX-3-717017; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000751; sid: 5000751; rev: 
2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to insert CRL for trustpoint"; program: %ASA-3-717019|%PIX-3-717019; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000752; sid: 5000752; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] SSL failed to set device certificate for trustpoint"; program: %ASA-3-717023|%PIX-3-717023; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000753; sid: 5000753; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate chain failed validation"; program: %ASA-3-717027|%PIX-3-717027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000754; sid: 5000754; rev: 2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny protocol"; program: %ASA-4-106023|%PIX-4-106023|%FWSM-4-106023; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000755; sid: 5000755; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context for the packetvlansource Vlan"; program: %ASA-4-106027|%PIX-4-106027|%FWSM-4-106027; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000756; sid: 5000756; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NT Domain Authentication Failed rejecting guest login for username."; program: %ASA-4-109031|%PIX-4-109031|%FWSM-4-109031; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000757; sid: 5000757; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for admin user"; program: %ASA-4-109033|%PIX-4-109033|%FWSM-4-109033; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5000758; sid: 5000758; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed 
for network user"; program: %ASA-4-109034|%PIX-4-109034|%FWSM-4-109034; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000759; sid: 5000759; rev: 3;) #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Denied ICMP"; program: %ASA-4-313004|%PIX-4-313004|%FWSM-4-313004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000760; sid: 5000760; rev: 3;) #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No matching connection for ICMP error"; program: %ASA-4-313005|%PIX-4-313005|%FWSM-4-313005; classtype: bad-unknown; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5000761; sid: 5000761; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC Downloaded ACL parse failure"; program: %ASA-4-335005|%PIX-4-335005|%FWSM-4-335005; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000762; sid: 5000762; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Shun add failed unable to allocate resources"; program: %ASA-4-401005|%PIX-4-401005|%FWSM-4-401005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000763; sid: 5000763; rev: 3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed anti-replay checking [0/5]"; program: %ASA-4-402119|%PIX-4-402119|%FWSM-4-402119; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000764; sid: 5000764; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IPSEC Received an protocol packet from remote IP to local IP that failed authentication [0/5]"; program: %ASA-4-402120|%PIX-4-402120; classtype: unsuccessful-user; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; 
parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5000765; sid: 5000765; rev: 6;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] CRYPTO The hardware accelerator encountered an error while executing crypto command"; program: %ASA-4-402123|%PIX-4-402123|%FWSM-4-402123; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000766; sid: 5000766; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PPPoE failed to assign PPP IP address"; program: %ASA-4-403506|%PIX-4-403506|%FWSM-4-403506; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000767; sid: 5000767; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg: "[CISCO-PIXASA] ISAKMP Failed to allocate address for client from pool string"; program: %ASA-4-404101|%PIX-4-404101|%FWSM-4-404101; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000768; sid: 5000768; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] H225 message contains bad protocol discriminator hex"; program: %ASA-4-405103|%PIX-4-405103|%FWSM-4-405103; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000769; sid: 5000769; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny traffic for local-host, license limit of number exceeded"; program: %ASA-4-407001|%PIX-4-407001|%FWSM-4-407001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000770; sid: 5000770; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-PIXASA] Dropped UDP SNMP packet"; program: %ASA-4-416001|%PIX-4-416001|%FWSM-4-416001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000771; sid: 5000771; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Filter violation error conn number"; program: %ASA-4-417004|%PIX-4-417004|%FWSM-4-417004; classtype: 
bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000772; sid: 5000772; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Through-the-device packet to/from management-only network is denied"; program: %ASA-4-418001|%PIX-4-418001|%FWSM-4-418001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000773; sid: 5000773; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping TCP packet, reason MSS exceeded, MSS size, data size"; program: %ASA-4-419001|%PIX-4-419001|%FWSM-4-419001; parse_src_ip: 1; parse_dst_ip: 2; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5000774; sid: 5000774; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTP conformance Dropping RTP packet"; program: %ASA-4-431001|%PIX-4-431001|%FWSM-4-431001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000775; sid: 5000775; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RTCP conformance Dropping RTCP packet"; program: %ASA-4-431002|%PIX-4-431002|%FWSM-4-431002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000776; sid: 5000776; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too small"; program: %ASA-4-608002|%PIX-4-608002|%FWSM-4-608002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000777; sid: 5000777; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message length value too large"; program: %ASA-4-608003|%PIX-4-608003|%FWSM-4-608003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000778; sid: 5000778; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value not allowed"; program: %ASA-4-608004|%PIX-4-608004|%FWSM-4-608004; classtype: 
bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000779; sid: 5000779; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropping Skinny message id value registration not complete"; program: %ASA-4-608005|%PIX-4-608005|%FWSM-4-608005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000780; sid: 5000780; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA-4-612002|%PIX-4-612002|%FWSM-4-612002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000781; sid: 5000781; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auto Update failed"; program: %ASA-4-612003|%PIX-4-612003|%FWSM-4-612003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000782; sid: 5000782; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-PIXASA] DNS lookup for Server failed!"; program: %ASA-4-713154|%PIX-4-713154|%FWSM-4-713154; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000783; sid: 5000783; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Name lookup failed for hostname during PKI operation"; program: %ASA-4-717026|%PIX-4-717026|%FWSM-4-717026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000784; sid: 5000784; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to find a suitable trustpoint for issuer"; program: %ASA-4-717031|%PIX-4-717031|%FWSM-4-717031; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000785; sid: 5000785; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Tunnel group search using certificate maps failed"; program: %ASA-4-717037|%PIX-4-717037; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000786; sid: 5000786; rev: 2;) #alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IP address end configuration {FAILED|OK}"; program: %ASA-5-111004|%PIX-5-111004|%FWSM-5-111004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000787; sid: 5000787; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-PIXASA] FTP cmd_string command unsupported - failed strict inspection"; program: %ASA-5-303004|%PIX-5-303004|%FWSM-5-303004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000788; sid: 5000788; rev: 4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-PIXASA] Access denied URL chars"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "http://"; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5000789; sid: 5000789; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Asymmetric NAT rules matched for forward and reverse flows [0/1]"; program: %ASA-5-305013|%PIX-5-305013|%FWSM-5-305013; threshold: type limit, track by_src, count 1, seconds 900; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000790; sid: 5000790; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP association failed to establish"; program: %ASA-5-334003|%PIX-5-334003|%FWSM-5-334003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000791; sid: 5000791; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] EAPoUDP failed to get a response from host"; program: %ASA-5-334006|%PIX-5-334006|%FWSM-5-334006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000792; sid: 5000792; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] HTTP - matched string in policy-map verification failed"; program: %ASA-5-415004|%PIX-5-415004|%FWSM-5-415004; classtype: bad-unknown; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5000793; sid: 5000793; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad TCP hdr length - Possible network scan"; program: %ASA-5-500003|%PIX-5-500003|%FWSM-5-500003; parse_src_ip: 1; parse_dst_ip: 2; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000794; sid: 5000794; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE area failed to find centry for message"; program: %ASA-5-713010|%PIX-5-713010; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000796; sid: 5000796; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failure during phase 1 rekeying attempt due to collision"; program: %ASA-5-713092|%PIX-5-713092; parse_src_ip: 1; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000797; sid: 5000797; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Ignoring received malformed firewall record"; program: %ASA-5-713144|%PIX-5-713144|%FWSM-5-713144; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000798; sid: 5000798; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create peer failure, already at maximum of number of peers"; program: %ASA-5-718002|%PIX-5-718002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000800; sid: 5000800; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to send to IP"; program: %ASA-5-718005|%PIX-5-718005|%FWSM-5-718005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000801; sid: 5000801; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket open failure"; program: %ASA-5-718007|%PIX-5-718007|%FWSM-5-718007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000802; sid: 5000802; rev: 3;) alert syslog 
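$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Socket bind failure"; program: %ASA-5-718008|%PIX-5-718008|%FWSM-5-718008; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000803; sid: 5000803; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO response failure"; program: %ASA-5-718009|%PIX-5-718009|%FWSM-5-718009; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000804; sid: 5000804; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send HELLO request failure"; program: %ASA-5-718011|%PIX-5-718011|%FWSM-5-718011; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000805; sid: 5000805; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send CFG UPDATE failure"; program: %ASA-5-718024|%PIX-5-718024|%FWSM-5-718024; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000806; sid: 5000806; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send OOS indicator failure"; program: %ASA-5-718028|%PIX-5-718028|%FWSM-5-718028; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000807; sid: 5000807; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send TOPOLOGY indicator failure"; program: %ASA-5-718033|%PIX-5-718033|%FWSM-5-718033; classtype: configuration-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5000808; sid: 5000808; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Create of secure tunnel failure"; program: %ASA-5-718048|%PIX-5-718048; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000809; sid: 5000809; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Delete of secure tunnel failure"; program: %ASA-5-718050|%PIX-5-718050; classtype: bad-unknown; reference: url, 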
wiki.quadrantsec.com/bin/view/Main/5000810; sid: 5000810; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Queue send failure from ISR"; program: %ASA-5-718057|%PIX-5-718057; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000811; sid: 5000811; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket select fail"; program: %ASA-5-718060|%PIX-5-718060|%FWSM-5-718060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000812; sid: 5000812; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Inbound socket read fail"; program: %ASA-5-718061|%PIX-5-718061|%FWSM-5-718061; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000813; sid: 5000813; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cannot continue to run"; program: %ASA-5-718065|%PIX-5-718065|%FWSM-5-718065; classtype: hardware-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000814; sid: 5000814; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create access list for peer"; program: %ASA-5-718074|%PIX-5-718074|%FWSM-5-718074; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000815; sid: 5000815; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create tunnel group for peer"; program: %ASA-5-718076|%PIX-5-718076; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000816; sid: 5000816; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete tunnel group for peer"; program: %ASA-5-718077|%PIX-5-718077; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000817; sid: 5000817; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto map for peer"; program: 
%ASA-5-718078|%PIX-5-718078; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000818; sid: 5000818; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto map for peer"; program: %ASA-5-718079|%PIX-5-718079; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000819; sid: 5000819; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create crypto policy for peer"; program: %ASA-5-718080|%PIX-5-718080; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000820; sid: 5000820; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete crypto policy for peer"; program: %ASA-5-718081|%PIX-5-718081; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000821; sid: 5000821; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to install LB NP rules"; program: %ASA-5-718086|%PIX-5-718086; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000822; sid: 5000822; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to delete LB NP rules"; program: %ASA-5-718087|%PIX-5-718087; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000823; sid: 5000823; rev: 2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny IP [0/5]"; program: %ASA-6-106012|%PIX-6-106012|%FWSM-6-106012; classtype: bad-unknown; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5000824; sid: 5000824; rev: 5;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Deny TCP [no connection]"; program: %ASA-6-106015|%PIX-6-106015|%FWSM-6-106015; normalize: cisco; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000825; sid: 5000825; rev: 4;) alert syslog $EXTERNAL_NET any -> 
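$HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA-6-106025|%PIX-6-106025|%FWSM-6-106025; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000826; sid: 5000826; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Failed to determine the security context"; program: %ASA-6-106026|%PIX-6-106026|%FWSM-6-106026; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000827; sid: 5000827; rev: 3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] access-list ACL {permitted | denied | est-allowed} protocol"; program: %ASA-6-106100|%PIX-6-106100|%FWSM-6-106100; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000828; sid: 5000828; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [server failed] on interface"; program: %ASA-6-109002|%PIX-6-109002|%FWSM-6-109002; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000829; sid: 5000829; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Auth from inside to outside failed [all servers failed] on interface"; program: %ASA-6-109003|%PIX-6-109003|%FWSM-6-109003; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000830; sid: 5000830; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authentication failed for user [0/5]"; program: %ASA-6-109006|%PIX-6-109006|%FWSM-6-109006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000831; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000831; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization permitted for user"; program: %ASA-6-109007|%PIX-6-109007|%FWSM-6-109007; classtype: successful-user; reference: url, 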
wiki.quadrantsec.com/bin/view/Main/5000832; sid: 5000832; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user from outside to inside on interface"; program: %ASA-6-109008|%PIX-6-109008|%FWSM-6-109008; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000833; sid: 5000833; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied [not authenticated]"; program: %ASA-6-109024|%PIX-6-109024|%FWSM-6-109024; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000834; sid: 5000834; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization denied for user"; program: %ASA-6-109025|%PIX-6-109025|%FWSM-6-109025; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000835; sid: 5000835; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User user locked out on exceeding number successive failed authentication attempts"; program: %ASA-6-113006|%PIX-6-113006|%FWSM-6-113006; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000836; sid: 5000836; rev: 3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA unable to complete the request"; program: %ASA-6-113013|%PIX-6-113013|%FWSM-6-113013; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000837; sid: 5000837; rev: 3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] URL Server request failed URL"; program: %ASA-6-304004|%PIX-6-304004|%FWSM-6-304004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000838; sid: 5000838; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] RIP hdr failed"; program: %ASA-6-312001|%PIX-6-312001|%FWSM-6-312001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000839; sid: 
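5000839; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] No management IP address configured for transparent firewall"; program: %ASA-6-322004|%PIX-6-322004|%FWSM-6-322004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000840; sid: 5000840; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] NAC is disabled for host"; program: %ASA-6-335004|%PIX-6-335004|%FWSM-6-335004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000841; sid: 5000841; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Login denied [Brute Force] [10/1]"; program: %ASA-6-605004|%PIX-6-605004|%FWSM-6-605004; parse_src_ip: 1; parse_port; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000842; sid: 5000842; rev: 8;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Authorization failed"; program: %ASA-6-610101|%PIX-6-610101|%FWSM-6-610101; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000843; sid: 5000843; rev: 3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed [0/5]"; program: %ASA-6-611102|%PIX-6-611102|%FWSM-6-611102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000844; threshold: type limit, track by_src, count 5, seconds 300; sid: 5000844; rev: 6;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VNPClient XAUTH Failed"; program: %ASA-6-611311|%PIX-6-611311; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000845; sid: 5000845; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Secure Unit Authentication Disabled"; program: %ASA-6-611317|%PIX-6-611317; classtype: bad-unknown; 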
reference: url, wiki.quadrantsec.com/bin/view/Main/5000846; sid: 5000846; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient User Authentication Disabled"; program: %ASA-6-611319|%PIX-6-611319; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000847; sid: 5000847; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Device Pass Thru Disabled"; program: %ASA-6-611321|%PIX-6-611321; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000848; sid: 5000848; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] VPNClient Extended XAUTH conversation initiated when SUA disabled"; program: %ASA-6-611322|%PIX-6-611322; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000849; sid: 5000849; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Checksum Failure in database"; program: %ASA-6-613001|%PIX-6-613001|%FWSM-6-613001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000850; sid: 5000850; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number not available for firewall interface"; program: %ASA-6-615001|%PIX-6-615001|%FWSM-6-615001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000851; sid: 5000851; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] vlan number available for firewall interface"; program: %ASA-6-615002|%PIX-6-615002|%FWSM-6-615002; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000852; sid: 5000852; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Bad register"; program: %ASA-6-621007|%PIX-6-621007|%FWSM-6-621007; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000853; sid: 5000853; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-PIXASA] Attempt to send an IKE packet from standby unit. Dropping the packet! [0/1]"; program: %ASA-6-713235|%PIX-6-713235|%FWSM-6-713235; type limit, track by_src, count 1, seconds 900; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000854; sid: 5000854; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Certificate received from Certificate Authority for trustpoint"; program: %ASA-6-717003|%PIX-6-717003|%FWSM-6-717003; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000855; sid: 5000855; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 export failed"; program: %ASA-6-717004|%PIX-6-717004|%FWSM-6-717004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000856; sid: 5000856; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] PKCS 12 import failed"; program: %ASA-6-717006|%PIX-6-717006|%FWSM-6-717006; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000857; sid: 5000857; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] uauth_lookup_net fail for uauth_in"; program: %ASA-7-109014|%PIX-7-109014|%FWSM-7-109014; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000858; sid: 5000858; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Uauth null proxy error"; program: %ASA-7-109021|%PIX-7-109021|%FWSM-7-109021; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000859; sid: 5000859; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send failure"; program: %ASA-7-713039|%PIX-7-713039|%FWSM-7-713039; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000861; sid: 5000861; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Cert validation failure handle invalid for 
Main/Aggressive Mode Initiator/Responder!"; program: %ASA-7-713094|%PIX-7-713094|%FWSM-7-713094; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000862; sid: 5000862; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Attempt to get Phase 1 ID data failed while hash computation"; program: %ASA-7-713104|%PIX-7-713104; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000863; sid: 5000863; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Processing firewall record"; program: %ASA-7-713143|%PIX-7-713143|%FWSM-7-713143; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000864; sid: 5000864; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Remote user has been granted access by the Firewall Server [Brute Force] [10/1]"; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; program: %ASA-7-713160|%PIX-7-713160|%FWSM-7-713160; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5000865; sid: 5000865; rev: 5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] The Firewall Server has requested a list of active user sessions"; program: %ASA-7-713164|%PIX-7-713164|%FWSM-7-713164; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000866; sid: 5000866; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Got bad refCnt assigning"; program: %ASA-7-713190|%PIX-7-713190|%FWSM-7-713190; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000867; sid: 5000867; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine Q Send failure RetCode"; program: %ASA-7-715004|%PIX-7-715004|%FWSM-7-715004; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000868; sid: 5000868; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] subroutine name Bad message code Cod"; program: %ASA-7-715005|%PIX-7-715005|%FWSM-7-715005; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000869; sid: 5000869; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE received response to a request from the utility"; program: %ASA-7-715042|%PIX-7-715042; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000870; sid: 5000870; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] ERROR malformed Keepalive payload"; program: %ASA-7-715045|%PIX-7-715045|%FWSM-7-715045; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000871; sid: 5000871; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Claims to be IOS but failed authentication"; program: %ASA-7-715050|%PIX-7-715050|%FWSM-7-715050; classtype: misc-attack; reference: url, wiki.quadrantsec.com/bin/view/Main/5000872; sid: 5000872; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Dropped received IKE fragment"; program: %ASA-7-715060|%PIX-7-715060|%FWSM-7-715060; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000873; sid: 5000873; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Error assembling fragments! 
Fragment numbers are non-continuous"; program: %ASA-7-715062|%PIX-7-715062|%FWSM-7-715062; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000874; sid: 5000874; rev: 3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] IKE state_machine subtype FSM error history"; program: %ASA-7-715065|%PIX-7-715065|%FWSM-7-715065; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000875; sid: 5000875; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Internal interprocess communication queue send failure"; program: %ASA-7-718001|%PIX-7-718001|%FWSM-7-718001; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000876; sid: 5000876; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE request failure"; program: %ASA-7-718018|%PIX-7-718018|%FWSM-7-718018; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000877; sid: 5000877; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Send KEEPALIVE response failure"; program: %ASA-7-718020|%PIX-7-718020|%FWSM-7-718020; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000878; sid: 5000878; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Fail to create group"; program: %ASA-7-718047|%PIX-7-718047|%FWSM-7-718047; classtype: bad-unknown; reference: url, wiki.quadrantsec.com/bin/view/Main/5000879; sid: 5000879; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Creation of group policy"; program: %ASA-7-718046|%PIX-7-718046|%FWSM-7-718046; classtype: system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000880; sid: 5000880; rev: 3;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-PIXASA] Access denied URL"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-7-304002; content: "http://"; classtype: policy-violation; 
normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001086; sid: 5001086; rev: 4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication successful [0/5]"; program: %ASA-6-113004|%PIX-6-113004|%FWSM-6-113004; classtype: successful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001087; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001087; rev: 6;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject [0/5]"; program: %ASA-6-113005|%PIX-6-113005|%FWSM-6-113005; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001092; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; sid: 5001092; rev: 5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] AAA user authentication Reject - Brute force [10/1]"; program: %ASA-6-113005|%PIX-6-113005|%FWSM-6-113005; classtype: unsuccessful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001593; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; sid: 5001593; rev: 6;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] Disconnect by SSH server"; program: %ASA-6-315011|%PIX-6-315011|%FWSM-6-315011; classtype: system-event; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001088; sid: 5001088; rev: 2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] Access denied URL chars - HTTPS"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "https://"; classtype: policy-violation; reference: url, wiki.quadrantsec.com/bin/view/Main/5001089; sid: 5001089; rev: 3;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] Access denied URL - HTTPS"; program: %ASA-5-304002|%PIX-5-304002|%FWSM-5-304002; content: "https://"; classtype: 
policy-violation; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5001091; sid: 5001091; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] User authentication failed - Brute force [5/1]"; program: %ASA-6-611102|%PIX-6-611102|%FWSM-6-610102; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001654; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 5, seconds 300; sid: 5001654; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL - Brute force [25/1]"; program: %ASA-3-710003; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001714; normalize: cisco; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 1, seconds 86400; after: track by_src, count 25, seconds 300; sid: 5001714; rev: 5;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-PIXASA] TCP access denied by ACL"; program: %ASA-3-710003; classtype: unsuccessful-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001715; parse_src_ip: 1; parse_dst_ip: 2; parse_port; sid: 5001715; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-PIXASA] WebVPN console/admin failed"; program: %ASA-3-113021; classtype: unsuccessful-admin; reference: url, wiki.quadrantsec.com/bin/view/Main/5001963; sid: 5001963; rev: 1;) rules/cisco-normalize.rulebase0000664000175000017500000002054412612177151016006 0ustar champchamp# Sagan cisco-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* prefix= # # 1w3d: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.168.0.1 rule=: %uptime:word% %authfail:word% Authentication failure for SNMP req from host %src-ip:ipv4% # Dec 26 19:59:26: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.128.27 rule=: %month:word% %day:word% %hour:word% %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4% # Access denied URL http://www.example.com/somethings.txt SRC 192.168.0.1 DEST 10.10.10.10 on interface inside rule=: Access denied URL %url:word% SRC %src-ip:ipv4% DEST %dst-ip:ipv4% %-:rest% # Caused by WebVPN or IPSec # AAA user authentication Successful : server = 10.10.10.10 : user = domain\bob rule=: AAA user authentication Successful : server = %ip-src:ipv4% : user = %username:word% rule=: AAA user authentication Rejected : reason = AAA failure : server = %src-ip:ipv4% : user = %username:word% # User authentication failed: Uname: timothy rule=: User authentication failed: Uname: %username:word% # Space at the end of this line! 
# %ASA-6-315011: SSH session from 192.168.0.1 on interface Outside2 for user "test" disconnected by SSH server, reason: "Internal error" (0x00) # SSH session from 10.20.10.200 on interface Outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00) rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest% rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest% rule=: Configured from console by %-:word% (%src-ip:ipv4%) rule=: Authentication failure for %proto:word% req from host %src-ip:ipv4% rule=: Attempted to connect to %username:word% from %src-ip:ipv4% # 02:19:47.007 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.10.10 # rule=: %-:word% %-:word% %-:word% %-:word% %%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4% # Deny TCP (no connection) from perforce/139 to 192.168.73.1/2048 flags RST ACK on interface INSIDE # rule=: Deny %proto:word% (no connection) from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% flags %-:rest% # Mar 31 02:30:42.815 UTC: %SYS-5-CONFIG_I: Configured from console by sachen on vty0 (10.32.23.63) # rule=: %-:word% %-:word% %-:word% %-:word% %%SYS-5-CONFIG_I: Configured from console by %username:word% on %-:word% (%src-ip:ipv4%) # Deny inbound UDP from 46.161.166.49/63905 to 214.20.10.211/65257 on interface OUTSIDE # rule=: Deny inbound UDP from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% %-:rest% # Denied ICMP type=8, code=0 from 159.101.118.111 on interface INSIDE # rule=: Denied ICMP type=%-:number%, code=%-:number% from %src-ip:ipv4% %-:rest% # These cover a lot of WebVPN, etc rules. # # Group User IP <10.10.10.10> WebVPN session terminated: User Requested. # Group User IP <10.10.10.10> WebVPN session terminated: Idle Timeout. 
# Group User IP <10.10.10.10> SVC closing connection: Transport closing. # Group User IP <10.10.10.10> SVC Message: 17/ERROR: Reconnecting to recover from error.. # rule=: Group <%-:char-to:\x3e%> User <%username:char-to:\x3e%> IP <%src-ip:char-to:\x3e%> %-:rest% # Teardown UDP connection 31929471 for inside:10.10.10.10/1111 to dmz:239.254.0.4/12224 duration 0:00:00 bytes 0 # Teardown TCP connection 1829067148 for outside:10.10.10.10/443 to inside:192.168.1.1/10830 duration 0:03:04 bytes 8699 TCP FINs" rule=: Teardown %proto:word% connection %connection:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest% # Teardown ICMP connection for faddr 10.10.10.10/0 gaddr 192.168.1.1/10000 laddr 192.168.1.1/100001 rule=: Teardown %proto:word% connection for %-:word% %src-ip:ipv4%/%src-port:number% %-:word% %dst-ip:ipv4%/28694 %-:rest% # access-list inside_egress permitted tcp inside/10.10.10.1(10000) -> outside/192.186.1.1(80) hit-cnt 1 first hit [0xf83f456b, 0x0] rule=: access-list %-:word% permitted %proto:word% %-:char-to:\x2f%/%src-ip:ipv4%(%src-port:number%) -> %-:char-to:\x2f%/%dst-ip:ipv4%(%dst-port:number%) %-:rest% # Built inbound TCP connection 3171137 for outside:10.10.10.10/10000 (10.10.10.10/10000)(DOMAIN\Bob) to inside:192.168.1.10/80 (192.168.1.1/80) (Bob) rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% (%-:ipv4%/58521)(%domain:char-to:\x5c%\%username:char-to:\x29%) to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest% # Built inbound TCP connection 1834111354 for outside:10.10.10.10/28490 (10.10.10.10/28490) to dmz:192.168.1.1/80 (192.168.1.1/80) rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% %-:word% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest% # Group = Employee, Username = bob, IP = 10.10.10.10, Error processing payload: Payload ID: 14 rule=: 
Group = %-:word%, Username = %username:word%, IP = %src-ip:ipv4%, %-:rest% rule=: Group = %-:char-to:\x2c%, Username = %username:char-to:\x2c%, IP = %src-ip:ipv4%, %-:rest% # FTP connection from inside:10.10.1.1/3789 to outside:12.12.12.12/21, user bob Retrieved file somefile.txt rule=: FTP connection from %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%, user %username:word% %-:rest% # TCP access denied by ACL from 10.10.10.10/28490 to inside:192.168.1.1/80 rule=: TCP access denied by ACL from %src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% # Teardown TCP connection 361112504 for outside:10.10.1.100/61160(LOCAL\Bob) to inside:12.159.2.124/443 duration 0:00:13 bytes 3216 TCP FINs (Bob) rule=: Teardown %proto:word% connection %-:number% for outside:%src-ip:ipv4%/%src-port:number%%-:word% to inside:%dst-ip:ipv4%/%dst-port:number% %-:rest% # Cisco ACS normalization rule=: %-:word% %-:number% %-:number% %-:word% %-:word% %-:word% %-:word% %-:word% NOTICE Failed-Attempt: Authentication failed, ACSVersion=%-:word% ConfigVersionId=%-:word% Device IP Address=%src-ip:char-to:\x2c%, Device Port=%src-port:char-to:\x2c%, UserName=%username:char-to:\x2c%, Protocol=%-:word% RequestLatency=%-:word% NetworkDeviceName=%-:word% Type=Authentication, Action=Login, Privilege-Level=%-:word% Authen-Type=%-:word% Service=Login, User=%-:word% Port=%-:word% Remote-Address=%dst-ip:char-to:\x2c%, %-:rest% rules/vmware.rules0000664000175000017500000001303312612177151013534 0ustar champchamp# Sagan vmware.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # VMWare ESX #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; pcre: "/Accepted password for|login from/i"; classtype: successful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000204; sid: 5000204; rev:1;) drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure - Brute force [5/5]"; content: "Rejected password for"; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000206; sid: 5000206; rev:4;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User authentication failure"; content: "Rejected password for"; classtype: unsuccessful-admin; program: vmware-hostd|vmware-authd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001529; sid: 5001529; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine state change to OFF"; content: "VM_STATE_OFF"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000208; sid: 5000208; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine being turned ON"; content: "VM_STATE_POWERING_ON"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000380; sid: 5000380; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine state change to ON"; content: "VM_STATE_ON"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000209; sid: 5000209; rev:1; ) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Virtual machine being reconfigured"; content: "VM_STATE_RECONFIGURING"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000210; sid: 
5000210; rev:1; ) # VMWare ESXi 4.1 (Champ Clark III 06/02/2011) # # Jun 3 01:23:12 10.10.10.10 Hostd: [2011-06-03 01:23:12.139 2351BB90 info 'ha-eventmgr' opID=58D44130-00000003] Event 285 : User root@10.10.10.1 logged in # Jun 3 01:23:20 10.10.10.10 Hostd: [2011-06-03 01:23:20.106 2351BB90 info 'ha-eventmgr' opID=58D44130-00000030] Event 286 : User root logged out #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; content: " logged in "; classtype: successful-admin; parse_src_ip: 1; program: Hostd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001097; sid: 5001097; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User logoff successful"; content: " logged out "; classtype: successful-admin; program: Hostd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001098; sid: 5001098; rev:2;) # vmware - 10/11/2011 - Champ Clark #2012-01-30T17:51:04.722Z [24C79B90 info 'ha-eventmgr'] Event 36 : User root logged out #2012-01-30T17:51:04.919Z [24C79B90 info 'Vimsvc'] [Auth]: User root #2012-01-30T17:51:04.920Z [24C79B90 info 'ha-eventmgr'] Event 37 : User root@192.168.1.1 logged in #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Lost access to volume"; content: "Event 37 : "; classtype: hardware-event; program: Hostd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001098; sid: 5001099; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] Possible HD/Datastore failure"; content: ": 1672: "; classtype: hardware-event; program: vmkernel; reference: url,wiki.quadrantsec.com/bin/view/Main/5001100; sid: 5001100; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[VMWARE] User login successful"; content: "Accepted password"; classtype: successful-admin; program: Hostd; normalize: vmware; reference: url,wiki.quadrantsec.com/bin/view/Main/5001101; sid: 5001101; rev:1;) rules/wordpress.rules0000664000175000017500000000660612612177151014273 0ustar champchamp# Sagan 
wordpress.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[WORDPRESS] - Wordpress authentication failed"; content: "User authentication failed"; classtype: unsuccessful-user; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000198; sid: 5000198; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[WORDPRESS] - Wordpress authentication succeeded"; content: "User logged in"; classtype: successful-user; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000199; sid: 5000199; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[WORDPRESS] - Wordpress WPsyslog was successfully initialized"; content: "WPsyslog was successfully init"; classtype: system-event; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000200; sid: 5000200; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[WORDPRESS] - Wordpress WPsyslog Plugin deactivated"; content: "Plugin deactivated"; classtype: system-event; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000201; sid: 5000201; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[WORDPRESS] - Wordpress Wordpress Comment Flood Attempt"; content: "Comment flood attempt"; classtype: attempted-dos; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000202; sid: 5000202; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[WORDPRESS] - Attack against Wordpress detected"; content: "Warning"; content: "IDS"; classtype: misc-attack; program: WPsyslog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000203; sid: 5000203; rev:2;) rules/weblabrinth.rules0000664000175000017500000000471612612177151014544 0ustar champchamp# Sagan weblabrinth.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Detect Weblabrinth traffic. 
See Ben Jackson's https://code.google.com/p/weblabyrinth/ # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[MISC] Weblabyrinth - New host logged!"; classtype: misc-activity; program: weblabyrinth; content: "New host logged!"; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001093; sid: 5001093; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[MISC] Weblabyrinth - Crawler Ensnared!"; classtype: misc-activity; program: weblabyrinth; content: "Crawler Ensnared!"; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001095; sid: 5001095; rev:2;) rules/windows-misc.rules0000664000175000017500000005200712612177151014662 0ustar champchamp# Sagan windows-misc.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows based rules. # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Detection of net listening application [0/5]"; pcre: "/ 861: | 5154: /"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000306; sid: 5000306; rev:6;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Privileged Service Called"; pcre: "/ 577: | 4673: /"; classtype: successful-admin; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5000307; sid: 5000307; rev:5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Apple Bonjour service detect [iTunes installed?]"; classtype: policy-violation; program: Bonjour; reference: url,wiki.quadrantsec.com/bin/view/Main/5000308; sid: 5000308; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application error"; content: " 1001|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000309; sid: 5000309; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application hang"; content: " 1002|3a| "; classtype: program-error; program: Application; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000310; sid: 5000310; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application popup"; content: " 333|3a| "; classtype: program-error; program: Application; reference: url,wiki.quadrantsec.com/bin/view/Main/5000311; sid: 5000311; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SCSI bug fault occurred"; content: "SCSI bus fault"; classtype: hardware-event; program: CPQCISSE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000316; sid: 5000316; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job completed with exceptions"; content: " 57755|3a| "; classtype: program-error; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000312; sid: 5000312; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Job cancellation"; content: " 34114|3a| "; classtype: program-error; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000313; sid: 5000313; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Alert - insert media"; content: " 58061|3a| "; classtype: hardware-event; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000314; sid: 5000314; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Backup Exec - Service started"; content: " 57996|3a| "; classtype: system-event; program: Backup; reference: url,wiki.quadrantsec.com/bin/view/Main/5000315; sid: 5000315; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Citrix message"; classtype: system-event; program: Citrix; reference: url,wiki.quadrantsec.com/bin/view/Main/5000317; sid: 5000317; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Trusted Platform Module [TPM] Error. 
User name not found"; content: " 17150|3a| "; classtype: unsuccessful-user; program: DAC; reference: url,wiki.quadrantsec.com/bin/view/Main/5000318; sid: 5000318; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was corrupted"; content: "was corrupted"; classtype: program-error; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000319; sid: 5000319; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service was stopped"; content: "Service Stopped"; classtype: system-event; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000320; sid: 5000320; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service returned error"; content: "returned error"; classtype: program-error; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000322; sid: 5000322; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Eventlog service reporting uptime [in seconds]"; content: "The system uptime"; classtype: not-suspicious; program: Eventlog; reference: url,wiki.quadrantsec.com/bin/view/Main/5000323; sid: 5000323; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] IPSec message"; classtype: not-suspicious; program: IPSec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000324; sid: 5000324; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] LSASRV - Could not establish a secure connection"; content: " 40961|3a| "; classtype: network-event; program: LSASRV; reference: url,wiki.quadrantsec.com/bin/view/Main/5000381; sid: 5000381; rev:3;) #alert syslog $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MISC] MS-SQL - Server started"; content: "Microsoft SQL Server"; classtype: system-event; program: MSSQLSERVER; reference: url,wiki.quadrantsec.com/bin/view/Main/5000325; sid: 5000325; rev:2;) #alert syslog $EXTERNAL_NET any -> 
$HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MISC] MS-SQL - Server listening on network"; content: "SQL server listening"; classtype: network-event; program: MSSQLSERVER; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000326; sid: 5000326; rev:5;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully installed software"; content: "installed successfully"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000327; sid: 5000327; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar installed"; content: "Google Toolbar"; content: "installed successfully"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000328; sid: 5000328; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Toolbar"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000329; sid: 5000329; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Google Toolbar updated"; content: "Google Update Helper"; content: "Update"; nocase; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000331; sid: 5000331; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - RegWork - Registry clearner"; content: "RegWork"; content: "Product"; classtype: policy-violation; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5000330; sid: 5000330; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MsiInstaller - Client successfully updated software"; content: "Update"; nocase; classtype: not-suspicious; program: MsiInstaller; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000332; sid: 5000332; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] NtServicePack messsage - package or hotfix installed"; content: "was installed"; classtype: not-suspicious; program: NtServicePack; reference: url,wiki.quadrantsec.com/bin/view/Main/5000334; sid: 5000334; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] SNMP Service has started successfully"; content: " 1001|3a| ""; classtype: system-event; program: SNMP; reference: url,wiki.quadrantsec.com/bin/view/Main/5000335; sid: 5000335; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google Software Updater service is active"; content: "Google Software Updater service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000336; sid: 5000336; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000337; sid: 5000337; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Google update service is active"; content: "Google Update Service"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000338; sid: 5000338; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus service is active [pen-test tool]"; content: "Tenable Nessus"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000339; sid: 5000339; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Remote Access Connection Manager service is active"; content: "Remote Access Connection Manager"; classtype: network-event; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000340; sid: 5000340; 
rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Bonjour service is active [iTunes installed?]"; content: "Bonjour"; classtype: policy-violation; program: Service; reference: url,wiki.quadrantsec.com/bin/view/Main/5000382; sid: 5000382; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus startup successful"; content: "startup was successful"; classtype: system-event; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000341; sid: 5000341; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus couldn't scan some files or directories"; content: "Could not scan"; classtype: program-error; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000342; sid: 5000342; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus New virus definition file loaded"; content: "New virus definition file loaded"; classtype: not-suspicious; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000343; sid: 5000343; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Symantec AntiVirus Successful remote connect by administrator"; content: "with Admin role"; content: "User"; content: "connected from"; classtype: successful-admin; program: Symantec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000344; sid: 5000344; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Tenable Nessus started [pen-test tool]"; content: "started successfully"; classtype: suspicious-traffic; program: Tenable; reference: url,wiki.quadrantsec.com/bin/view/Main/5000345; sid: 5000345; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] WinRM [Windows Remote Management] is started and listening"; content: " 10148|3a| "; classtype: network-event; program: WinRM; reference: url,wiki.quadrantsec.com/bin/view/Main/5000346; sid: 
5000346; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection accepted"; content: "Connections"; content: "accepted"; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000347; sid: 5000347; rev:4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection closed - Requested security type not available"; content: "Requested security type not available"; content: "closed"; classtype: suspicious-traffic; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000348; sid: 5000348; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection blacklisted"; content: "blacklisted"; content: "Connections"; classtype: suspicious-traffic; parse_src_ip: 1; parse_port; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000349; sid: 5000349; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000350; sid: 5000350; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer"; content: "Connection reset by peer"; content: "closed"; parse_src_ip: 1; parse_port; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000351; sid: 5000351; rev:4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reset by peer [Non-shared]"; content: "Non-shared connection requested"; content: "closed"; parse_src_ip: 1; parse_port; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000352; sid: 5000352; rev:4;) alert tcp $EXTERNAL_NET any -> 
$HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection close - reading version failed"; content: "reading version failed"; content: "closed"; parse_src_ip: 1; parse_port; classtype: suspicious-traffic; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000353; sid: 5000353; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 Connection closed"; content: "Clean disconnection"; content: "closed"; parse_src_ip: 1; parse_port; classtype: not-suspicious; program: WinVNC4; reference: url,wiki.quadrantsec.com/bin/view/Main/5000354; sid: 5000354; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg: "[WINDOWS-MISC] WinVNC4 HTTPServer event"; content: "HTTPServer"; classtype: network-event; program: WinVNC4; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000355; sid: 5000355; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Crypt32 Failed to extract third-party root list"; content: " 4107|3a| "; classtype: program-error; program: crypt32; reference: url,wiki.quadrantsec.com/bin/view/Main/5000356; sid: 5000356; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Disk corruption [0/2]"; content: " 55|3a| "; classtype: hardware-event; program: Ntfs; threshold:type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001056; sid: 5001056; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] MSSQLServer I/O error"; content: " 823|3a| "; classtype: hardware-event; program: Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001096; sid: 5001096; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Application uninstall"; content: " 11724|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001182; sid: 5001182; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] 
Application install"; content: " 11707|3a| "; classtype: program-error; program: MsiInstaller; reference: url,wiki.quadrantsec.com/bin/view/Main/5001183; sid: 5001183; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows is shutting down"; pcre: "/ 513: | 4609: /"; classtype: program-error; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001184; sid: 5001184; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] File system full"; content: " 13570|3a| "; classtype: program-error; program: NtFrs|Ntfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5001191; sid: 5001191; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] System time has changed"; pcre: "/ 520: | 4616: /"; content:!"|3a|\Program Files\VMware\VMware Tools\vmtoolsd.exe"; classtype: program-error; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001194; sid: 5001194; rev:6;) # DHCP-Server| 1063: There are no IP addresses available for lease in the scope or superscope "VLAN_311_Example". # DHCP-Server| 1020: Scope, 10.100.1.0, is 97 percent full with only 2 IP addresses remaining. #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is almost full"; content: " 1020|3a| "; classtype: network-event; program: DHCP-Server; threshold: type limit, track by_src, count 1, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5001649; sid: 5001649; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope is FULL"; content: "100 percent full"; content: " 1020|3a| "; classtype: network-event; program: DHCP-Server; threshold: type limit, track by_src, count 1, seconds 900; reference: url,wiki.quadrantsec.com/bin/view/Main/5001716; sid: 5001716; rev:4;) # BAD RULE BELOW #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] DHCP Scope if full. 
No IP addresses left"; content: " 5001650|3a| "; classtype: network-event; program: DHCP-Server; reference: url,wiki.quadrantsec.com/bin/view/Main/5001650; sid: 5001650; rev:2;) # NOTE(review): sid 5001185 (Security log cleared, event 517/1102) is disabled with no reason given; clearing the audit log is a low-volume, high-value event, so document why it is off or re-enable it. #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Windows audit log was cleared"; pcre: "/ 517: | 1102: /"; classtype: system-event; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001185; sid: 5001185; rev:4;) # Brian Echeverry - 05/07/2015 # SID 5002272 and 5002273 are noisy. #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was modified"; content: " 5136|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002272; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was created"; content: " 5137|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002273; rev:1;) # NOTE(review): 5002274 and 5002275 are also commented out although only 5002272 and 5002273 are called noisy above; confirm whether these two are meant to stay disabled. #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was undeleted"; content: " 5138|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002274; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS] A directory service object was moved"; content: " 5139|3a| "; classtype: configuration-change; program: Security|Security-Auditing|EvntSLog; sid:5002275; rev:1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-MISC] System shutdown [FLOWBIT SET]"; content: " 1074|3a| "; program: USER32; flowbits: set, reboot.windows, 60; flowbits: noalert; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002014; sid: 5002014; rev:6;) # Added by Brian Echeverry (09/22/2015) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Microsoft Antimalware has encountered an error trying to update signatures"; program: Microsoft_Antimalware; content: " 2001|3A| "; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002392; threshold: type limit, track by_src, count 1, seconds 86400; classtype: program-error; sid:5002392; rev:1;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MISC] Unable to log events to security log"; content: " 521|3a| "; classtype: program-error; program: Security|Security-Auditing; reference: url,wiki.quadrantsec.com/bin/view/Main/5002564; sid:5002564; rev:1;) rules/windows-applocker.rules0000664000175000017500000001161712612177151015711 0ustar champchamp# Sagan windows-applocker.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows Applocker rules. # # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ # # Rules converted from https://github.com/tcw3bb/ISC_Posts/blob/master/OSSEC_AppLocker_Local_Rule.xml # Champ Clark (08/19/2014) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Allowed program to execute"; content: " 8003|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002090; sid:5002090; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Application blocked"; content: " 8004|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002091; sid:5002091; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Allowed an MSI or script to execute"; content: " 8005|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002092; sid:5002092; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Allowed MSI/Script, but would have blocked"; content: " 8006|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002093; sid:5002093; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Prevent MSI/Script 
to execute"; content: " 8007|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002094; sid:5002094; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application allowed"; content: " 8020|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002095; sid:5002095; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application audited"; content: " 8021|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002096; sid:5002096; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application disabled"; content: " 8022|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002097; sid:5002097; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application installation allowed"; content: " 8023|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002098; sid:5002098; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application installation audited"; content: " 8024|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002099; sid:5002099; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-APPLOCKER] Package application installation disabled"; content: " 8025|3a| "; classtype: suspicious-command; program: AppLocker; reference: url,wiki.quadrantsec.com/bin/view/Main/5002100; sid:5002100; rev:1;) rules/nexpose.rules0000664000175000017500000000502012612177151013711 0ustar champchamp# Sagan nexpose.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Brian Echeverry - NeXpose rules (security scanning software) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan paused"; content: "SCAN PAUSED|3a|"; classtype: program-error; program: NeXpose; reference: url,wiki.quadrantsec.com/bin/view/Main/5002276; sid:5002276; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan failed"; content: "SCAN FAILED|3a|"; classtype: program-error; program: NeXpose; reference: url,wiki.quadrantsec.com/bin/view/Main/5002277; sid:5002277; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NeXpose] Scan stopped"; content: "SCAN STOPPED|3a|"; classtype: program-error; program: NeXpose; reference: url,wiki.quadrantsec.com/bin/view/Main/5002289; sid:5002289; rev:1;) rules/windows-brointel.rules0000664000175000017500000010423312612177151015544 0ustar champchamp# Sagan windows-brointel.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # ************************************************************* # Windows bro-intel rules. # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ # NOTE(review): sid 5002224 carries "program: Security*;" twice; drop the duplicate. The login-failure rules in this file (5002225 onward) set "fwsam: src, 1 day", which blocks the parsed source address for a day once the threshold trips; that is an automated response, so confirm the bro-intel feed and $EXTERNAL_NET exclude partner, NAT or proxy egress addresses before enabling them. alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BROINTEL] RDP / Logon type 10 from a Bro Intel listed IP"; program: Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; bro-intel: by_src; program: Security*; parse_src_ip: 1; normalize: windows; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002224; sid: 5002224; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [0/5]"; program: Security*; content: " 529|3a| "; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002225; sid: 5002225; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; 
parse_src_ip: 1; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; reference: url,wiki.quadrantsec.com/bin/view/Main/5002226; sid: 5002226; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002227; sid: 5002227; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002228; sid: 5002228; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002229; sid: 5002229; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure - Account locked from a Bro Intel listed IP [0/5]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; bro-intel: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize: windows; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002230; sid: 5002230; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Logon Failure from a Bro 
Intel listed IP"; pcre: "/ 675: | 676: | 681: /"; classtype: unsuccessful-user; program: Security*; bro-intel: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002231; sid: 5002231; rev:1;) # Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/19/2015 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; bro-intel: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002563; sid:5002563; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002562; sid:5002562; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002404; sid:5002404; rev:1;) #alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002405; sid: 5002405; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002406; sid: 5002406; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002407; sid: 5002407; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Login failure from a Bro Intel listed IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; 
bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002408; sid: 5002408; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002409; sid: 5002409; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002410; sid: 5002410; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002411; sid: 5002411; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x4 - Client's key encrypted in old 
master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002412; sid: 5002412; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002413; sid: 5002413; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002414; sid: 5002414; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; 
parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002415; sid: 5002415; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002416; sid: 5002416; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002417; sid: 5002417; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002418; sid: 5002418; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xB - Requested start time is 
later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002419; sid: 5002419; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002420; sid: 5002420; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002421; sid: 5002421; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; 
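bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002422; sid: 5002422; rev:1;)

# Windows DC logon failure, Kerberos failure code 0xF (KDC has no support for checksum type) from a listed IP.
# Brute-force pattern shared by the siblings: alert after 25 hits per source in 300 s, at most one alert per source per day.
# Fix: "B4ute" typo in msg corrected, and the "flowbits: set,brute_force,86400" every sibling rule carries
# was missing here, so this rule never set the brute_force flag the others do (rev bumped). Rule is still disabled.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002423; sid: 5002423; rev:2;)

# Kerberos failure code 0x10 (KDC has no support for padata type).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002424; sid: 5002424; rev:1;)

# Kerberos failure code 0x11 (KDC has no support for transited type).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002425; sid: 5002425; rev:1;)

# Kerberos failure code 0x12 (client's credentials have been revoked); the rule continues on the next line.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: |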
4768: /"; content: " 0x12 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002426; sid: 5002426; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002427; sid: 5002427; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002428; sid: 5002428; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002429; 
sid: 5002429; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002430; sid: 5002430; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002431; sid: 5002431; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002432; sid: 5002432; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: 
unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002433; sid: 5002433; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002434; sid: 5002434; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002435; sid: 5002435; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002436; sid: 5002436; rev:1;) #alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002437; sid: 5002437; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002438; sid: 5002438; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002439; sid: 5002439; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 
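300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002440; sid: 5002440; rev:1;)

# Kerberos failure code 0x26 (incorrect net address) from a listed IP; same 25-per-300 s brute-force shape as the siblings.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002441; sid: 5002441; rev:1;)

# Kerberos failure code 0x27 (protocol version mismatch).
# Fix: "program: Security" lacked the trailing wildcard every sibling uses, so it presumably required an
# exact program-name match and would miss the "Security*" names the rest of the file matches (rev bumped).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002442; sid: 5002442; rev:2;)

# Kerberos failure code 0x28 (invalid msg type). Same "program: Security" -> "Security*" fix as sid 5002442 (rev bumped).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002443; sid: 5002443; rev:2;)

# Kerberos failure code 0x29 (message stream modified); the rule continues on the next line.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x29 - Message stream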
modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002444; sid: 5002444; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002445; sid: 5002445; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002446; sid: 5002446; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002447; sid: 5002447; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002448; sid: 5002448; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002449; sid: 5002449; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002450; sid: 5002450; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; 
content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002451; sid: 5002451; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002452; sid: 5002452; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002453; sid: 5002453; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BROINTEL] Windows DC Login failure from a Bro Intel listed IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; bro-intel: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002454; sid: 
5002454; rev:1;) rules/imap-normalize.rulebase0000664000175000017500000000435112612177151015632 0ustar champchamp# Sagan imap-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
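#
#*************************************************************

prefix=

# IMAP server log lines (field names assumed from the samples; confirm against the live log source).
# Fix: the ":" after "rule=" was missing. In the rule=<tags>:<sample> form everything up to the first
# ":" is the tag list, so "Logout user=%username" would have been taken as tags and the rule could
# never match. Changed to the tag-less "rule=:" form the other rules use.
rule=: Logout user=%username:word% host=%-:word% [%src-ip:ipv4%]
# Fixes: "%-t:word%" aligned with the "%-:word%" discard field the sibling rules use for host, and
# "[%src-ip:ipv4]]" was missing the closing "%" of the field spec.
rule=: Login excessive login failures user=%username:word% auth=%-:word% host=%-:word% [%src-ip:ipv4%]
rule=: Login failed user=%username:word% auth=%-:word% host=%-:word% [%src-ip:ipv4%]
# PAM-style failure line; the client address is carried in rhost.
rule=: authentication failure; logname= uid=%-:word% euid=%-:word% tty=%-:word% ruser=%-:word% rhost=%src-ip:ipv4% user=%username:word%
rules/su-normalize.rulebase0000664000175000017500000000404112612177151015327 0ustar champchamp# Sagan su-normalize.rulebase
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# This file is used in conjunction with liblognorm.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.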
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* prefix= rule=: Successful su for %-:word% by %username:word% rule=: pam_unix(sudo:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% %-:word% ruser= rhost= user=%username:word% rules/nfcapd-normalize.rulebase0000664000175000017500000000427212612177151016141 0ustar champchamp# Sagan nfcapd-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* prefix= # # source_ip: 10.1.1.1/54630, destination_ip: 12.159.2.100/13620, protocol: TCP, duration: 0.204, flags: |.A..S.|, tos: 0, packets: 2, bytes: 92, last_time: 2015-06-04 18:29:58, reported by 10.5.1.1 rule=: source_ip: %src-ip:ipv4%/%src-port:number%, destination_ip: %dst-ip:ipv4%/%dst-port:number%, protocol: %proto:char-to:\x2c%, %-:rest% rules/cisco-brointel.rules0000664000175000017500000001107512612177151015153 0ustar champchamp# Sagan cisco-blacklist.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # For log examples, see cisco-geoip.rules. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN Login from Bro Intel IP"; program: %ASA-6-716038; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002250; sid: 5002250; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] Console login from Bro Intel IP"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002251; sid: 5002251; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] Login permitted from Bro Intel IP"; program: %ASA-6-605005; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002252; sid: 5002252; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] WebVPN login from Bro Intel IP"; program: %ASA-6-716001; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002253; sid: 5002253; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN disconnect from Bro Intel IP"; program: %ASA-4-113019; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002254; sid: 5002254; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP"; program: %ASA-6-734001; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002255; sid: 5002255; rev: 1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] ACS Login success from Bro Intel IP"; program: CisACS_01_PassedAuth; bro-intel: by_src; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002256; sid: 5002256; rev: 1;) alert syslog 
$HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] VPN login from Bro Intel IP [2]"; program: %ASA-6-722022|%ASA-6-722023; bro-intel: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002257; sid: 5002257; rev: 1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA-6-303002; bro-intel: by_src; classtype: successful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002258; sid: 5002258; rev: 1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BROINTEL] FTP file transfer from Bro Intel IP"; program: %ASA-6-303002; bro-intel: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002259; sid: 5002259; rev: 1;) rules/courier.rules0000664000175000017500000001020212612177151013676 0ustar champchamp# Sagan courier.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Connection established"; content: "Connection,"; classtype: not-suspicious; program: courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000258; sid:5000258; rev:1;) # Sep 24 12:29:52 bundy imapd: LOGIN FAILED, user=champtest, ip=[::ffff:10.0.0.1] alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Authentication failure"; content: "LOGIN FAILED,"; parse_src_ip: 1; classtype: unsuccessful-user; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000259; sid:5000259; rev:3;) # Sep 23 07:29:40 bundy imapd-ssl: DISCONNECTED, user=champ, ip=[::ffff:10.0.0.1], headers=0, body=0, rcvd=70, sent=576, time=4, starttls=1 # Sep 24 07:14:17 bundy imapd-ssl: LOGOUT, user=champ, ip=[::ffff:10.0.0.1], headers=0, body=0, rcvd=1011, sent=9534, time=5, starttls=1 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Logout/disconnect"; pcre: "/LOGOUT|DISCONNECTED/"; classtype: not-suspicious; parse_src_ip: 1; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000260; sid:5000260; 
rev:3;) # May 24 16:03:15 bundy imapd-ssl: LOGIN, user=champ, ip=[::ffff:10.0.0.1], port=[45018], protocol=IMAP #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] User login"; content: "LOGIN,"; parse_src_ip: 1;classtype: successful-user; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5000261; sid:5000261; rev:2;) # May 24 16:44:21 bundy imapd-ssl: TIMEOUT, user=champ, ip=[::ffff:10.0.0.1], headers=104, body=19823, rcvd=474, sent=22380, time=2466, starttls=1 #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Timeout"; content: "TIMEOUT"; parse_src_ip: 1;classtype: successful-user; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5002393; sid:5002393; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[COURIER] Authentication failure - Brute Force [5/5]"; content: "LOGIN FAILED,"; parse_src_ip: 1; flowbits: set,brute_force,86400; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: unsuccessful-user; program: imapd|imapd-ssl|courierlogger; reference: url,wiki.quadrantsec.com/bin/view/Main/5002398; sid:5002398; rev:1;) rules/bluedot.rules0000664000175000017500000000450012612177151013670 0ustar champchamp# Sagan bluedot.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # These are CATCH ALL rules. This means it will parse _all_ logs. 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BLUEDOT] Suspicious IP detected via Bluedot"; bluedot: reputation, all, $BLUEDOT_NETWORK; content:!"drop"; nocase; content:!"denied"; nocase; content:!"deny"; nocase; content:!"qipapikey"; classtype: suspicious-traffic; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 2, seconds 3600; parse_src_ip: 1; parse_dst_ip: 2; normalize: all; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002288; sid:5002288; rev:4;) rules/windows.rules0000664000175000017500000000057312612177151013732 0ustar champchamp# Sagan windows.rules # README * README * README * README * README * README * README * README # ---------------------------------------------------------------------------- # # The "windows.rules" has been broken up into multiple rule sets. Please # see the windows*.rules for more information # # ---------------------------------------------------------------------------- rules/openvpn.rules0000664000175000017500000000535012612177151013723 0ustar champchamp# Sagan openvpn.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # OpenVPN rules. 
Created by Robert Nunley (rnunley@quadrantsec.com) # 03/11/2013 alert udp $EXTERNAL_NET any -> $HOME_NET $OPENVPN_PORT (msg:"[OPENVPN] Authentication failure [0/5]"; content: "Decrypt packet error"; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001651; program: openvpn; threshold:type limit, track by_src, count 5, seconds 300; sid: 5001651; rev:2;) #alert udp $EXTERNAL_NET any -> $HOME_NET $OPENVPN_PORT (msg:"[OPENVPN] Authentication success"; content: "Initialization Sequence Completed"; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001652; program: openvpn; sid: 5001652; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET $OPENVPN_PORT (msg:"[OPENVPN] Unencrypted VPN connection initiated"; content: "tunnelled as cleartext"; parse_src_ip: 1; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001653; program: openvpn; sid: 5001653; rev:2;) rules/openssh.rules0000664000175000017500000004006712612177151013721 0ustar champchamp# Sagan openssh.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Not getting the source IP addresses that you'd expect? Then you probably # have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll # need to set that to "No" so Sagan can "find" the source IP addresses and # port information. 
# Failed password for root from 109.70.148.243 port 17298 ssh2 drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [5/5]"; content: "Authentication failure"; flowbits: set,brute_force, 86400; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000015; normalize: openssh; program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; sid: 5000015; rev:9;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [10/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001634; sid: 5001634; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [20/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001635; sid: 5001635; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [30/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001636; sid: 5001636; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [40/5]"; content: 
"Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001637; sid: 5001637; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [50/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001638; sid: 5001638; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure - Brute force [100/5]"; content: "Authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; normalize: openssh; program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001639; sid: 5001639; rev:5;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] PAM Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001523; normalize: openssh; program: sshd; sid: 5001523; rev:2;) drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/1]"; content: "authentication failure"; flowbits: set, brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000016; sid: 5000016; rev:10;) #drop tcp $EXTERNAL_NET any -> 
$HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [10/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001628; sid: 5001628; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [20/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001629; sid: 5001629; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [30/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 30, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001630; sid: 5001630; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [40/5]"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; after: track by_src, count 40, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001631; sid: 5001631; rev:3;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [50/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 50, seconds 300; 
threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001632; sid: 5001632; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure - Brute force [100/5]"; content: "authentication failure"; flowbits: set,brute_force,86400; classtype: unsuccessful-user;program: sshd; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001633; sid: 5001633; rev:5;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure"; content: "authentication failure"; classtype: unsuccessful-user;program: sshd; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001524; sid: 5001524; rev:2;) drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root - Brute force [5/5]"; content: "Authentication failure for root"; flowbits: set,brute_force,86400; classtype: unsuccessful-admin;program: sshd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5000017; sid: 5000017; rev:9;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication failure for root"; content: "Authentication failure for root"; flowbits: set,brute_force,86400; classtype: unsuccessful-admin;program: sshd; normalize: openssh; reference: url,wiki.quadrantsec.com/bin/view/Main/5001525; sid: 5001525; rev:5;) drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Possible break-in attempt"; content: "POSSIBLE BREAK-IN ATTEMPT"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5000018; sid: 5000018; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Not executable shell - login attempt"; content: "is not executable"; classtype: unsuccessful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000020; sid: 5000020; rev:4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Message send write error"; content: "ssh_msg_send";classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000021; sid:5000021; rev:2;) # General "illegal user" alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [Brute Force] [10/5]"; pcre: "/invalid user|illegal user/i"; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 86400; classtype: attempted-user; program: sshd; parse_src_ip: 1; after: track by_src, count 10, seconds 300; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000022; sid: 5000022; rev:13;) # Champ Clark (Quadrant Information Security) - Jan 27th 2010 - Out of band challenge - for more info see: http://sourceforge.net/projects/pamobc/ alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Out-of-Band challenge failure"; content: "Failed auth"; content: "out-of-band challenge"; content: "pam_obc"; classtype: unsuccessful-user;program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000023; sid: 5000023; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Bad protocol version - possible attack"; content: "Bad protocol version identification"; parse_src_ip: 1; classtype: non-standard-protocol; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000068; sid: 5000068; rev:4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT ( msg: "[OPENSSH] Timeout while logging in"; content:"Timeout before authentication" ;classtype: unsuccessful-user; 
program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000069; sid: 5000069; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] No identification string - possible scan"; content:"Did not receive identification string"; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: network-scan; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000070; sid: 5000070; rev:5;) drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] OpenSSH challenge-response exploit"; content: "buffer_get_string: bad string"; classtype: exploit-attempt; program: sshd; parse_src_ip: 1; fwsam: src, 1 week; reference: url,wiki.quadrantsec.com/bin/view/Main/5000071; sid: 5000071; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] Message without user-IP and context"; content: "Could not get shadow information for NOUSER"; classtype: misc-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000072; sid: 5000072; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Corrupted traffic"; content: "Corrupted check bytes on"; classtype: network-event; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000073; sid: 5000073; rev:2;) drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] CRC32 compensation attack"; content: "crc32 compensation attack"; nocase; classtype: shellcode-detect; program: sshd; fwsam: src, 1 week; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000074; reference: url, http://www.securityfocus.com/bid/2347/info/; sid: 5000074; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] configuration error [moduli]"; content: "Bad prime description in line"; classtype: program-error; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000076; sid: 5000076; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT 
(msg:"[OPENSSH] Attempt to login using a denied user"; content: "not allowed because"; classtype: unsuccessful-user; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000077; sid:5000077; rev:2;)
# NOTE(review): the second pcre in sid 5000411 anchors every alternative with ^ and $, which appears to require the whole message to equal a bare account name; confirm against Sagan's pcre matching, since as written the rule may never fire on a real "Accepted ... for <user> from ..." line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[OPENSSH] User logged into a disabled account"; pcre: "/accepted|authenticated/i"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; parse_src_ip: 1; parse_port; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000411; program: sshd; sid: 5000411; rev:4;) # Failed password for root from 10.10.0.1 port 17298 ssh2 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password - Brute force [10/1]"; content: "Failed password"; program: sshd; normalize: openssh; flowbits: set, brute_force,86400; classtype: unsuccessful-user; sid: 5001646; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001646; rev:6;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[OPENSSH] Failed password"; content: "Failed password"; program: sshd; normalize: openssh; classtype: unsuccessful-user; sid: 5001647; reference: url,wiki.quadrantsec.com/bin/view/Main/5001647; rev:3;) # AIX 5 has a tendency to log ssh connections via program: syslog :( # syslog ssh: failed login attempt for UNKNOWN_USER from 10.1.1.4 drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] SYSLOG Authentication failure - Brute force [5/5]"; content: "ssh|3a| failed login attempt"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001954; program: syslog; after: track by_src, count 5, seconds 300; parse_src_ip: 1; threshold: type 
limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; sid: 5001954; rev:8;) # Added by Robert Nunley - 02/20/2014 (rnunley@quadrantsec.com) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[OPENSSH] Fail2Ban SSH Suspicious Activity"; content: "Fail2Ban"; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001974; parse_src_ip: 1; sid: 5001974; rev:1;) rules/ipop3d.rules0000664000175000017500000000412612612177151013434 0ustar champchamp# Sagan ipop3d.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[IPOP3D] Excessive login failures"; content:"Login excessive login failures"; classtype: misc-attack; program: ipop3d; threshold:type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000032; sid: 5000032; rev:3;) rules/citrix-geoip.rules0000664000175000017500000000612612612177151014643 0ustar champchamp# Sagan citrix-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Citrix applicances/devices/software # Login from outside home country (Champ Clark / 04/01/2015) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] Login from outside HOME_COUNTRY"; content: "SSLVPN LOGIN"; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002260; sid:5002260; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] AAA LOGIN_FAILED from outside HOME_COUNTRY"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; country_code: track by_src, isnot $HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002280; sid:5002280; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-GEOIP] SSLVPN HTTPREQUEST from outside HOME_COUNTRY"; content: "SSLVPN HTTPREQUEST"; classtype: successful-user; parse_src_ip: 1; normalize: citrix; country_code: track by_src, isnot 
$HOME_COUNTRY; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002284; sid:5002284; rev:2;) rules/juniper-aetas.rules0000664000175000017500000000471612612177151015012 0ustar champchamp# Sagan juniper-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-AETAS] VPN Login at suspicious time"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002047; sid:5002047; rev: 2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-AETAS] VPN Logout at suspicious time"; program: Juniper; content: "Logout from"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002048; sid:5002048; rev: 2;) rules/roundcube.rules0000664000175000017500000000443712612177151014231 0ustar champchamp# Sagan roundcube.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication failed"; content: "failed"; content: "LOGIN"; classtype: unsuccessful-user; program: roundcube; reference: url,wiki.quadrantsec.com/bin/view/Main/5000277; sid: 5000277; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROUNDCUBE] - Authentication success"; content: "Successful login"; classtype: successful-user; program: roundcube; reference: url,wiki.quadrantsec.com/bin/view/Main/5000278; sid: 5000278; rev:1;) rules/tripwire.rules0000664000175000017500000000406112612177151014101 0ustar champchamp# Sagan tripwire.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[TRIPWIRE] Integrity Check failed"; content: "Integrity Check failed"; content: "File could not"; classtype: system-event; program: tripwire; reference: url,wiki.quadrantsec.com/bin/view/Main/5000129; sid: 5000129; rev:1;) rules/citrix-correlated.rules0000664000175000017500000000612512612177151015663 0ustar champchamp# Sagan citrix-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Citrix applicances/devices/software # Login/login attempt after recon/honeypot (Champ Clark / 09/18/2015) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] Login after suspicious activity"; content: "SSLVPN LOGIN"; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002357; sid:5002357; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] AAA LOGIN_FAILED after suspicious activity"; content: "AAA LOGIN_FAILED"; classtype: correlated-attack; parse_src_ip: 1; normalize: citrix; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002358; sid:5002358; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-CORRELATED] SSLVPN HTTPREQUEST after suspicious activity"; content: "SSLVPN HTTPREQUEST"; classtype: correlated-attack; parse_src_ip: 1; normalize: citrix; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002359; sid:5002359; rev:3;) rules/juniper-geoip.rules0000664000175000017500000000473212612177151015016 0ustar champchamp# Sagan juniper-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-GEOIP] VPN Login from outside HOME_COUNTRY"; program: Juniper; pcre: "/Authentication successful|Login succeeded/i"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002028; sid:5002028; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[JUNIPER-GEOIP] VPN Logout from outside HOME_COUNTRY"; program: Juniper; content: "Logout from"; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002029; sid:5002029; rev: 1;) rules/syslog.rules0000664000175000017500000003155312612177151013562 0ustar champchamp# Sagan syslog.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Rules outside the scope of application specific rules. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Redirect from"; classtype: bad-unknown; program: Redirect;facility: kern;reference: url,wiki.quadrantsec.com/bin/view/Main/5000056; sid: 5000056; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Kernel TCP/IP redirect attempt"; content: "Advised path"; classtype: bad-unknown; program: Advised; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000057; sid: 5000057; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] init respawning to fast"; content: "respawning too fast"; classtype: program-error; program: init; threshold: type limit, track by_src, count 5, seconds 60; reference: url,wiki.quadrantsec.com/bin/view/Main/5000058; sid: 5000058; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Martian source packet"; content: "martian source"; parse_src_ip: 2; parse_dst_ip: 1; classtype: bad-unknown; program: martian; facility: kern; reference: url,wiki.quadrantsec.com/bin/view/Main/5000059; sid: 5000059; 
rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Possible unknown problem on a system"; pcre: "/core_dump|core dump| fatal |segmentation fault| corrupt /i"; threshold: type limit, track by_src, count 5, seconds 300; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000114; sid: 5000114; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] /etc/securetty missing, root access unrestricted"; content: "couldn't open /etc/securetty"; nocase; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000115; sid: 5000115; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of disk space"; pcre: "/file system full|No space left on device/i"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000116; sid:5000116; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount NFS share"; content: "mount failure"; classtype: program-error; program: nfs; reference: url,wiki.quadrantsec.com/bin/view/Main/5000117; sid: 5000117; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Unable to mount the NFS directory"; content: "refused mount request from"; classtype: program-error; program: rpc.mountd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000118; sid: 5000118; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [25/1]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|authentication failures|access denied|access not allowed|failed to authenticate/i"; parse_src_ip: 1; parse_port; parse_proto; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5000119; sid: 5000119; rev:11;) #alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [10 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001621; sid: 5001621; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [20 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 20, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001622; sid: 5001622; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [50 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 50, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001623; sid: 5001623; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure - Brute force [100 attempts in 5 minutes]"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; parse_src_ip: 1; classtype: unsuccessful-user; after: track by_src, count 100, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001624; sid: 5001624; rev:2;) # # Catch all for all Authentication failures. 
# #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Authentication failure"; pcre: "/failed to authorize|wrong password given|repeated login failures|authentication failed|more authentication failures/i"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001528; sid: 5001528; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Illegal root login"; pcre: "/ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED/"; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000120; sid: 5000120; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Connection blocked by TCP Wrappers"; pcre: "/refused connect from|libwrap refused connection|connection from \S+ denied/i"; parse_src_ip: 1; classtype: tcp-connection; reference: url,wiki.quadrantsec.com/bin/view/Main/5000121; sid: 5000121; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Physical root login"; content: "ROOT LOGIN on"; nocase; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000122; sid: 5000122; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Oversized packet - ping of death?"; content: "Oversized packet received from"; classtype: attempted-dos; reference: url,wiki.quadrantsec.com/bin/view/Main/5000123; sid: 5000123; facility: kern; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Interface entered promiscuous mode"; pcre: "/Promiscuous mode enabled|device \S+ entered promiscuous mode/i"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000124; sid: 5000124; facility: kern; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] System out of memory!"; content: "out of memory"; nocase; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000125; sid: 5000125; facility: kern; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] 
Kernel log daemon terminating"; content: "kernel log daemon terminating"; nocase; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000126; sid: 5000126; facility: kern; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is up"; content: "ADSL line is up"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000127; sid: 5000127; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] ADSL line is down"; content: "ADSL line is down"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000128; sid: 5000128; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New group added to the system"; content: "new group"; nocase; program: useradd|adduser; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000130; sid: 5000130; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] New user added to the system"; pcre: "/new user|new account added/i"; program: useradd|adduser; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000131; sid: 5000131; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] User or group was deleted from the system"; pcre: "/delete user|account deleted|remove group/i"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000376; sid: 5000376; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Information for a user was changed"; content: "changed user"; nocase; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000377; sid: 5000377; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] automount - Couldn't stat filesystem"; program: automount; content: "could not stat fs of"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000395; sid: 5000395; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[SYSLOG] Nagios npre - Host not allowed"; program: npre; content: "is not allowed to talk to us"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000410; sid: 5000410; rev:1;)
# NOTE(review): sid 5000410 above (its "alert syslog ... (msg:" head is on the preceding line)
# filters on program "npre".  The Nagios agent that emits "is not allowed to talk to us" is NRPE
# and logs under the program name "nrpe"; if that holds for the hosts feeding this sensor, the
# program filter never matches and this access-control event is silently missed.  Confirm against
# a live NRPE syslog line; the msg text carries the same spelling.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng I/O error"; program: syslog-ng; content: "I/O error occurred while writing"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001011; sid: 5001011; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] syslog-ng suspend write"; program: syslog-ng; content: "Suspending write operation"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001012; sid: 5001012; rev:1;)
# Linux system "password changed" rules. Created by Brian Echeverry (becheverry@quadrantsec.com)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] password changed for user"; content: "passwd"; content: "changed"; classtype: successful-user; program: passwd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001704; sid:5001704; rev:1;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] password changed for user root"; content: "passwd"; content: "changed"; content: "root"; classtype: successful-admin; program: passwd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001705; sid:5001705; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] Redhat Linux not updating"; content: "your system is up-to-date"; classtype: program-error; program: rhsmd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001961; sid:5001961; rev:1;)
# Added by Robert Nunley 02/20/2014 (rnunley@quadrantsec.com)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYSLOG] SCSI task abort"; content: "scsi"; content: "task abort"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001972; program: kernel; sid: 5001972; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SYSLOG] Remounting
filesystem read-only"; content: "Remounting filesystem read-only"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001973; program: kernel; sid: 5001973; rev:1;) rules/proftpd.rules0000664000175000017500000001646312612177151013723 0ustar champchamp# Sagan proftpd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
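#
#*************************************************************
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Session opened"; content: "FTP session opened"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000078; sid: 5000078; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Session closed"; content: "FTP session closed"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000079; sid: 5000079; rev:2;)
# Brute-force detection: 5 failures from one source in 300 s fires, the alert is
# rate-limited to one per 300 s per source, and fwsam blocks the source for a day.
# NOTE(review): sids 5000080 and 5000081 each carry both "parse_src_ip: 3" and
# "parse_ip_src: 1". The two disagree on which address position to extract and
# "parse_ip_src" does not look like a Sagan rule keyword -- confirm which one the
# engine honors, because fwsam acts on whatever address is parsed here.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Attempt to login as a non-existent user [Brute Force] [5/5]"; content: "no such user"; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000080; sid: 5000080; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Login failed accessing the FTP server [Brute Force] [5/5]"; pcre: "/Incorrect password|Login failed/i"; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000081; sid: 5000081; rev:6;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Authentication success"; content: "Login successful"; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000082; sid: 5000082; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Connection refused by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000083; sid: 5000083; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 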
$FTP_PORT (msg:"[PROFTPD] Small PassivePorts range in config file"; content: "unable to find open port in PassivePorts range"; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000084; sid: 5000084; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Attempt to bypass firewall - cannot keep state of FTP traffic"; content: "Refused PORT"; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000085; sid: 5000085; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Maximum login attempts reached [DoS?]"; content: "Maximum login attempts"; classtype: successful-dos; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000086; sid: 5000086; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Host name or host address mismatch"; pcre: "/name mismatch|address mismatch/i"; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000087; sid: 5000087; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Reverse lookup failure"; content: "can't verify hostname"; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000088; sid: 5000088; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Remote host connected to FTP server"; content: "connect from"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000089; sid: 5000089; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Remote host disconnected due to inactivity"; content: "FTP no transfer timeout, disconnected"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000090; sid: 5000090; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Remote host disconnected due to login time out" 
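;content: "FTP login timed out"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000091; sid: 5000091; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Remote host disconnected due to time out" ;content: "FTP session idle timeout"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000374; sid: 5000374; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Data transfer stall timeout" ;content: "Data transfer stall timeout"; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000092; sid: 5000092; rev:2;)
# Daemon health: segfault (signal 11) and bind failures.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] terminated [crash]" ; content: "ProFTPD terminating"; content: "signal 11"; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000093; sid: 5000093; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD] Unable to bind to address" ; content: "listen"; content: "failed in"; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000094; sid:5000094; rev:2;)
# NOTE(review): sid 5000413 was tagged "program: sshd" although it lives in
# proftpd.rules, carries the [PROFTPD] prefix and keys on proftpd's
# "Login successful" text (cf. sid 5000082); program corrected to proftpd and rev
# bumped. The pcre anchors every alternative with ^...$, so it can only match when
# the string pcre is run against is the bare account name -- against a full
# proftpd log line it would never match. Confirm what the engine feeds pcre here
# before relying on this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[PROFTPD] User logged into an disabled account"; content: "Login successful"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000413; program: proftpd; sid: 5000413; rev:3;)
rules/gen-msg.map0000664000175000017500000000036212612177151013214 0ustar champchamp# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
1 || 1 || Sagan general alert
100 || 100 || sagan_track_clients: No log activity from remote agent in timeout period! 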
100 || 101 || sagan_track_clients: Log activity resumed. rules/fatpipe-correlated.rules0000664000175000017500000000520712612177151016011 0ustar champchamp# Sagan fatpipe-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-CORRELATED] Login Success after suspicious activity"; content: "Login|3a| Success"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002369; sid:5002369; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE-CORRELATED] Login Success - ADMINISTRATOR - after suspicious activity"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002370; sid:5002370; rev:3;) rules/knockd.rules0000664000175000017500000000437212612177151013512 0ustar champchamp# Sagan knockd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Open Sesame"; content: "OPEN SESAME"; classtype: successful-user; program: knockd; parse_src_ip: 1; reference:url,wiki.quadrantsec.com/bin/view/Main/5000383; sid:5000383; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[KNOCKD] Sequence timeout"; content: "sequence timeout"; classtype: unsuccessful-user; program: knockd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000384; sid:5000384; rev:1;) rules/.last_used_sid0000664000175000017500000000001012612177151013771 0ustar champchamp5002579 rules/windows-correlated.rules0000664000175000017500000000513112612177151016047 0ustar champchamp# Sagan windows-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] Successful RDP login from known brute force"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; content:!"Source Network Address|3a| 0.0.0.0"; program: Security*; flowbits:isset,by_src,brute_force; parse_src_ip: 1; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002336; sid:5002336; rev:5;) # Add by Champ Clark 09/18/2015 # RDP after recon/honeypot alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-CORRELATED] RDP login after suspicious traffic"; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; program: Security*; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002356; sid:5002356; rev:1;) rules/sendmail.rules0000664000175000017500000001713112612177151014032 0ustar champchamp# Sagan sendmail.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] VRFY or EXPN root attempt"; content: " root"; nocase; pcre: "/vrfy|expn/i"; classtype: attempted-recon; flowbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000034; fwsam: src, 1 day; parse_src_ip: 1; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000034; rev:7;) drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] EXPN command - rejected"; content:"expn "; nocase; content:"[rejected]"; classtype: attempted-recon; flowbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000035; parse_src_ip: 1; fwsam: src, 1 day; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000035; rev:7;) drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] VRFY command - rejected"; content:"vrfy "; nocase; content:"[rejected]"; classtype: attempted-recon; flowbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000036; parse_src_ip: 1; fwsam: src, 1 day; 
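reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000036; rev:7;)
# EXPN / VRFY that the MTA did *not* reject: same recon flowbit and one-day fwsam
# block as the [rejected] variants above.
# NOTE(review): sids 5000223 and 5000224 point their wiki reference at 5000035 /
# 5000036 (the "[rejected]" variants) instead of their own sid, so an analyst
# following the link lands on the wrong rule page -- confirm the intended pages.
# Also note "nocase" here follows the negated content:!"rejected"; if nocase binds
# only to the preceding content (as in Snort), "expn " / "vrfy " stay
# case-sensitive, unlike 5000035/5000036 where nocase follows the command string.
drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] EXPN command - [not rejected]"; content:"expn "; content:!"rejected"; nocase; fwsam: src, 1 day; classtype: attempted-recon; flowbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000035; parse_src_ip: 1; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000223; rev:8;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] VRFY command - [not rejected]"; content:"vrfy "; content:!"rejected"; nocase; classtype: attempted-recon; flowbits: set, recon, 86400; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000036; parse_src_ip:1; fwsam: src, 1 day; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; sid: 5000224; rev:8;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Relaying denied"; pcre: "/Relaying denied|reject=550 5.7.1/"; classtype: suspicious-traffic;program: sm-mta|sendmail; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000037; sid: 5000037; rev:8;)
#drop tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Relaying denied [reject=550 5.7.1]"; content: "reject=550 5.7.1"; classtype: suspicious-traffic;program: sm-mta|sendmail; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000144; sid: 5000144; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Domain of sender does not resolve"; content:"reject=451 4.1.8"; classtype: suspicious-traffic; program: sm-mta|sendmail; normalize: smtp; reference: url,wiki.quadrantsec.com/bin/view/Main/5000136; sid: 5000136; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Rejected by access list"; pcre: "/reject=550 5.0.0|reject=553 5.3.0/"; classtype: 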
suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000137; sid: 5000137; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SENDMAIL] Sender address does not have domain"; content:"reject=553 5.5.4 "; classtype: suspicious-traffic; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000138; sid: 5000138; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Rejecting due to pre-greet"; content: "rejecting commands from"; classtype: spam; program: sm-mta|sendmail; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000139; sid: 5000139; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Save mail panic"; content: "savemail panic"; classtype: program-error; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000140; sid: 5000140; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Sendmail Spamassassin X-Spam-Score"; content: "X-Spam-Score"; classtype: spam; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000141; sid: 5000141; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Possible SMTP RCPT flood, throttling"; content: "Possible SMTP RCPT flood, throttling"; classtype: spam; program: sm-mta|sendmail; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000142; sid: 5000142; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[SENDMAIL] Username with pipe symbol"; content: "|7c|"; content: "to=<"; classtype: exploit-attempt; program: sm-mta|sendmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000357; sid: 5000357; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg: "[SENDMAIL] SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; parse_src_ip: 1; program: sm-mta|sendmail; content: "/bin/"; content: "sh "; content: "|7c|"; content: "+"; classtype: 
system-event; reference: url, wiki.quadrantsec.com/bin/view/Main/5000881; reference: url,http://www.securityfocus.com/bid/38578; sid: 5000881; rev: 6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg: "[SENDMAIL] Possible open proxy"; program: sm-mta|sendmail; content: "probable open proxy:"; parse_src_ip: 1; classtype: suspicious-traffic; flowbits: set, recon, 86400; reference: url, wiki.quadrantsec.com/bin/view/Main/5001013; sid: 5001013; rev: 6;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg: "[SENDMAIL] Insufficient system resources [Remote] [0/5]"; program: sm-mta|sendmail; content: "Insufficient system resources"; classtype: program-error; threshold: type limit, track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001094; sid: 5001094; rev: 4;) rules/bind.rules0000664000175000017500000001316312612177151013153 0ustar champchamp# Sagan bind.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Invalid DNS packet. Possible attack" ; content: "dropping source port zero packet from"; classtype: exploit-attempt; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000101; sid:5000101; rev:4;) drop udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Denied zone transfer attempt"; content: "denied AXFR from"; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000102; sid:5000102; rev:6;) drop udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] DNS update denied"; pcre: "/denied update from|unapproved update from/"; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000103; sid:5000103; rev:6;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Log permission misconfiguration"; content: "unable to rename log file"; classtype: program-error; program: named; parse_port; 
parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000104; sid:5000104; rev:5;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Unexpected error [RCODE] while resolving domain"; content: "unexpected RCODE"; classtype: suspicious-traffic; program: named; normalize: dns; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000164; sid:5000164; rev:5;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Refused notify from non-master"; content: "refused notify from non-master"; parse_port; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000105; sid:5000105; rev:6;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] DNS update using RFC2136 Dynamic protocol denied"; pcre: "/update \S+ denied/"; classtype: suspicious-traffic; program: named; normalize: dns; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5000106; sid:5000106; rev:5;) #alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Query cache denied"; content: "query"; content: "cache"; content: "denied"; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; threshold: type limit, track by_src, count 1, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5000107; sid:5000107; rev:7;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Named fatal error. 
DNS service is going down"; content: "exiting"; content: "due to fatal error"; classtype: program-error; program: named; reference: url,wiki.quadrantsec.com/bin/view/Main/5000108; sid:5000108; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Serial number from master is lower than stored"; pcre: "/^zone \S+ serial number \S+ received from master \S+ \S ours/"; classtype: configuration-error; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000109; sid:5000109; rev: 5;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Zone transfer error"; pcre: "/^zone \S+: expired/"; classtype: configuration-error; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000110; sid:5000110; rev: 5;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[BIND] Version attempt"; content: "version.bind CH TXT"; classtype: attempted-recon; flowbits: set, recon, 86400; program: named; parse_port; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001706; sid:5001706; rev: 2;) rules/rsync.rules0000664000175000017500000000655212612177151013401 0ustar champchamp# Sagan rsync.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $RSYNC_PORT (msg: "[RSYNC] mkdir failure. Permission denied"; program: rsync; content: "mkdir"; content: "Permission denied"; classtype: program-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5001050; sid: 5001050; rev: 2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $RSYNC_PORT (msg: "[RSYNC] stat failure. 
Permission denied"; program: rsync; content: "stat"; content: "Permission denied"; classtype: program-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5001051; sid: 5001051; rev: 2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $RSYNC_PORT (msg: "[RSYNC] Inbound rsync connection"; program: rsync; content: "rsync to"; content: "from"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001052; sid: 5001052; rev: 2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $RSYNC_PORT (msg: "[RSYNC] Connection closed stats"; program: rsync; content: "sent"; content: "received"; content: "total size"; classtype: not-suspicious; reference: url, wiki.quadrantsec.com/bin/view/Main/5001053; sid: 5001053; rev: 2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $RSYNC_PORT (msg: "[RSYNC] Authentication failure"; program: rsync; content: "auth failed on module"; classtype: attempted-user; reference: url, wiki.quadrantsec.com/bin/view/Main/5001054; sid: 5001054; rev: 2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $RSYNC_PORT (msg: "[RSYNC] Some files could not be transferred"; program: rsync; content: "rsync error"; content: "code 23"; classtype: program-error; reference: url, wiki.quadrantsec.com/bin/view/Main/5001055; sid: 5001055; rev: 2;) rules/linux-kernel.rules0000664000175000017500000001056312612177151014655 0ustar champchamp# linux-kernel.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These detect "generic" netfilter/iptables messages. Normalization will _not_ work if you are using a user-defined iptables LOG "prefix" option! 
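# Generic netfilter/iptables LOG lines: both rules key on the "IN=" / "OUT=" / "PROTO=" fields written by
# the default kernel LOG target.  No threshold is set on either rule, so every matching LOG line raises an
# alert (the file-system rules below rate-limit with "threshold").
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES TCP"; content: "IN="; content: "OUT="; content: "PROTO=TCP"; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001104; normalize: linux-kernel; program: kernel; sid: 5001104; rev:1;)
# 5001105 matches PROTO=UDP but was copied from 5001104 and still said "TCP" in its msg and header.
# NOTE(review): the header protocol is presumed to affect only what the alert reports, not matching
# (a syslog line carries no transport protocol of its own) -- confirm before relying on the udp header.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] IPTABLES UDP"; content: "IN="; content: "OUT="; content: "PROTO=UDP"; classtype: bad-unknown; reference: url,wiki.quadrantsec.com/bin/view/Main/5001105; normalize: linux-kernel; program: kernel; sid: 5001105; rev:2;)
# General file system errors (Champ Clark - 01/09/2014)
# Each rule is rate-limited to 5 alerts per source address every 300 seconds.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] ReiserFS error"; content: "REISERFS error"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001943; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001943; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Unhandled error code"; content: "Unhandled error code"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001944; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001944; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] I/O error"; content: "I/O error, dev"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001945; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001945; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] hostbyte=DID_ERROR"; content: "hostbyte=DID_ERROR"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001946; program: kernel; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001946; rev:1;)
# HPSA (HP Raid controllers) - (Champ Clark - 05/07/2015)
# Two content matches per rule; "hpsa " (trailing space kept) is presumably there to tie the line to the HPSA driver.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Hard drive/RAID - FAILED abort on device"; content: "hpsa "; content: "FAILED abort on device"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002278; program: kernel; sid:5002278; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[LINUX-KERNEL] Hard drive/RAID - probably means device no longer present"; content: "hpsa "; content: "probably means device no longer present"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002279; program: kernel; sid:5002279; rev:1;)
rules/ntp.rules0000664000175000017500000000402112612177151013031 0ustar champchamp# Sagan ntp.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 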
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert udp $EXTERNAL_NET any -> $HOME_NET $NTP_PORT (msg: "[NTP] Permission denied error"; content:"permission denied"; program: ntpd_initres; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000041; sid: 5000041; rev:2;) rules/solaris.rules0000664000175000017500000000446012612177151013713 0ustar champchamp# Sagan solaris.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] kcfd - Unable to open certificate file"; program: kcfd; content: "unable to open certificate file"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5000393; sid: 5000393; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[SYSLOG] rmclomv - Power Supply FAULT!"; program: rmclomv; content: "PSU"; content: "has FAULTED"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000405; sid: 5000405; rev:1;) rules/kismet.rules0000664000175000017500000002305212612177151013531 0ustar champchamp# Sagan kismet.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # This rule set requires a modified version of Kismet. 
To get the patch # to modify Kismet for syslog output, please see: # # http://sagan.quadrantsec.com/patches # alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new managed network"; program: kismet_server; content: "Detected new managed"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001014; sid: 5001014; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new ad-hoc network"; program: kismet_server; content: "Detected new ad-hoc"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001015; sid: 5001015; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new probe network"; program: kismet_server; content: "Detected new probe"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001016; sid: 5001016; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new turbocell network"; program: kismet_server; content: "Detected new turbocell"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001017; sid: 5001017; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Detected new data network"; program: kismet_server; content: "Detected new data"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001018; sid: 5001018; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Found IP address range"; program: kismet_server; content: "Found IP range"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001019; sid: 5001019; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Kismet starting to gather packets [Startup]"; program: kismet_server; content: "Found IP range"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001020; sid: 5001020; rev: 2;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[KISMET] Kismet shutting down"; program: kismet_server; content: "Stopped source"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001040; sid: 5001040; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older AirJack tool in use"; program: kismet_server; content: "AIRJACKSSID"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001021; sid: 5001021; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Possible spoof/broken AP"; program: kismet_server; content: "APSPOOF"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001022; sid: 5001022; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Out-of-sequence BSS timestamp. Possible AP spoof"; program: kismet_server; content: "BSSTIMESTAMP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001023; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001023; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] AP change channels. 
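Possible AP spoof"; program: kismet_server; content: "CHANCHANGE"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001024; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001024; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] AP spoof with less-secure encryption"; program: kismet_server; content: "CRYPTODROP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001025; sid: 5001025; rev: 2;)
# 5001026 covers two Kismet alert names in one rule, hence pcre rather than content.
# NOTE(review): "WVE-2005-046" looks like it is missing a digit (every other WVE id here is four digits) -- verify.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed disassociate/deauthenticate packets"; program: kismet_server; pcre: "/DEAUTHFLOOD|BCASTDISCON/"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001026; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; reference: url, http://www.wve.org/entries/show/WVE-2005-0045; reference: url, http://www.wve.org/entries/show/WVE-2005-046; reference: url, http://www.wve.org/entries/show/WVE-2005-0061; sid: 5001026; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] DHCP DISCOVER sent with Client-ID not matching MAC"; program: kismet_server; content: "DHCPCLIENTID"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001027; sid: 5001027; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Misconfigured or spoofed client [ignoring DHCP]"; program: kismet_server; content: "DHCPCONFLICT"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001028; sid: 5001028; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Spoofed client [incorrectly] injecting data"; program: kismet_server; content: "DISASSOCTRAFFIC"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001029; sid: 5001029; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Invalid disconnect/deauthenticate"; program: kismet_server; 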
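pcre: "/DISCONCODEINVALID|DEAUTHCODEINVALID/"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001030; sid: 5001030; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Possible client spoof/MAC cloning attack"; program: kismet_server; pcre: "/DHCPNAMECHANGE|DHCPOSCHANGE/"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001031; sid: 5001031; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Over-size SSID. Possible exploit attempt"; program: kismet_server; content: "LONGSSID"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001032; sid: 5001032; rev: 2;)
# Tool/vendor names in the msg strings corrected (Orinoco, NetStumbler); the content keywords are unchanged.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older Lucent/Orinoco card scanning the network"; program: kismet_server; content: "LUCENTTEST"; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5001033; sid: 5001033; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Broadcom wireless improper SSID handling"; program: kismet_server; content: "MSFBCOMSSID"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001034; reference: url, http://www.wve.org/entries/show/WVE-2006-0071; sid: 5001034; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Windows D-Link improper SSID handling"; program: kismet_server; content: "MSFDLINKRATE"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001035; reference: url, http://www.wve.org/entries/show/WVE-2006-0072; sid: 5001035; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Windows Netgear over-size beacon frame"; program: kismet_server; content: "MSFNETGEARBEACON"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001036; sid: 5001036; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Older version of NetStumbler detected"; program: kismet_server; content: "NETSTUMBLER"; classtype: exploit-attempt; reference: url, wiki.quadrantsec.com/bin/view/Main/5001037; sid: 5001037; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Zero length probe/response packet"; program: kismet_server; content: "NULLPROBERESP"; classtype: attempted-dos; reference: url, wiki.quadrantsec.com/bin/view/Main/5001038; reference: url, http://www.wve.org/entries/show/WVE-2005-0019; sid: 5001038; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[KISMET] Active scanning tool detected [probe]"; program: kismet_server; content: "PROBENOJOIN"; classtype: network-scan; reference: url, wiki.quadrantsec.com/bin/view/Main/5001039; sid: 5001039; rev: 3;)
rules/mysql.rules0000664000175000017500000000660012612177151013402 0ustar champchamp# Sagan mysql.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 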
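# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #*************************************************************
#
# see: http://dev.mysql.com/doc/refman/5.1/en/error-log.html
#
# program: mysqld|MySQL handles *nix and Windows MySQL systems
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORT (msg:"[MYSQL] Access denied for user"; content: "Access denied for user"; classtype: unsuccessful-user; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000149; sid: 5000149; rev:3;)
# NOTE(review): 5000150 matches the general-log "Connect" line but carries the msg and classtype of 5000149
# ("Access denied", unsuccessful-user); 5000151 is the matching "Quit" rule.  The intended label cannot be
# recovered from this file -- confirm against the wiki entry before relabelling.
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORT (msg:"[MYSQL] Access denied for user"; pcre: "/\d+ \S+ \d+ Connect/i"; classtype: unsuccessful-user; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000150; sid: 5000150; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORT (msg:"[MYSQL] User disconnected from database"; pcre: "/\d+ \S+ \d+ Quit/i"; classtype: not-suspicious; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000151; sid: 5000151; rev:3;)
# 5000152: reference moved to the "url" system used by every other rule in this file; the "quadrantsec"
# reference system is commented out in reference.config, so the old form resolved to nothing.
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORT (msg:"[MYSQL] Database startup or restart"; pcre: "/mysqld started|mysqld restarted/i"; classtype: system-event; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000152; sid: 5000152; rev:4;)
# 5000153: the brackets in "[ERROR]" must be escaped.  Unescaped, "[ERROR]" is a character class matching a
# single E, R or O, so the rule fired on any line whose fourth field began with one of those letters
# (e.g. general-log "Execute" entries) and did not require the literal "[ERROR]" tag at all.
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORT (msg:"[MYSQL] Database error"; pcre: "/\d+ \S+ \d+ \[ERROR\]/"; classtype: program-error; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000153; sid: 5000153; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $MYSQL_PORT (msg:"[MYSQL] Database fatal error"; content: "Fatal error"; classtype: program-error; program: mysqld|MySQL; reference: url,wiki.quadrantsec.com/bin/view/Main/5000154; sid: 5000154; rev:3;)
rules/bro-ids.rules0000664000175000017500000002240412612177151013574 0ustar champchamp# Sagan bro-ids.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 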
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #***************************************************************************** # # Note: Your syslog daemon will need to forward Bro logs to your Sagan server. With syslog-ng, you would do # something like this: # # destination sagan_box { udp("10.10.10.10" port(514)); } ; # source s_bro_notice { file("/var/log/bro/log/current/notice.log" flags(no-parse) program_override("bro")); }; # log { source(s_bro_notice); destination(sagan_box); }; # # For rsyslog, see: http://www.rsyslog.com/doc/imfile.html # # The syslog "program" field will _need_ to be "bro"! # #***************************************************************************** # # Submitted by Brad Doctor (July 2nd, 2010). 
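For more information see
# http://www.bro-ids.org/
#
# (Legacy Bro rules) - Now disabled by default
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Successful Password Guessing [0/5]"; content: "SuccessfulPasswordGuessing"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000883; sid: 5000883; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Protocol Violation [0/5]"; content: "ProtocolViolation"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: policy-violation; reference: url,wiki.quadrantsec.com/bin/view/Main/5000884; sid: 5000884; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Login [0/5]"; content: "SensitiveLogin"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-login; reference: url,wiki.quadrantsec.com/bin/view/Main/5000885; sid: 5000885; threshold: type limit, track by_src, count 5, seconds 120; rev:3;)
# 5000886: parse_src_ip/parse_dst_ip had been spliced between "program:" and its value "bro", which would
# not parse if the rule were re-enabled; the options are now in the same order as the rules above.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Connection [0/5]"; content: "SensitiveConnection"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000886; sid: 5000886; threshold: type limit, track by_src, count 5, seconds 120; rev:4;)
# 5000887: the wiki reference was missing its "reference:" keyword.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] Sensitive Username in password [0/5]"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; content: "SensitiveUsernameInPassword"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000887; sid: 5000887; threshold: type limit, track by_src, count 5, seconds 120; rev:4;)
# Robert Nunley & Champ Clark - 06/10/2014
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[BRO] SSH Password_Guessing [0/5]"; content: "SSH|3a 3a|Password_Guessing"; program: bro; classtype: 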
misc-attack; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 5, seconds 120; reference: url,wiki.quadrantsec.com/bin/view/Main/5002063; sid: 5002063; rev:2;) # Note: You will need licensing to use the Team Cymru Malware Hash Registry for corporate use. See http://www.team-cymru.org/Services/MHR/ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO] TeamCymruMalwareHashRegistry Match"; content: "TeamCymruMalwareHashRegistry|3a 3a|Match"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,www.team-cymru.org/Services/MHR/; classtype: trojan-activity; sid: 5002064; rev:2;) # Triggers many F/P #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[BRO] HTTP SQL_Injection_Attacker"; content: "HTTP|3a 3a|SQL_Injection_Attacker"; parse_src_ip: 1; parse_dst_ip: 2; program: bro; reference: url,wiki.quadrantsec.com/bin/view/Main/5002065; classtype: web-application-attack; sid: 5002065; rev:2;) #alert tcp $EXTERNAL_NET any -> $HTTP_PORT any (msg: "[BRO] HTTP SQL_Injection_Victim"; content: "HTTP|3a 3a|SQL_Injection_Victim"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002066; classtype: web-application-attack; sid: 5002066; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[BRO] SSH Login_By_Password_Guesser"; content: "SSH|3a 3a|Login_By_Password_Guesser"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002067; classtype: successful-user; sid: 5002067; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[BRO] SSH Watched_Country_Login"; content: "SSH|3a 3a|Watched_Country_Login"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002068; classtype: successful-user; sid: 5002068; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] 10+ SSL Invalid_Server_Cert in 30 seconds [10/5]"; content: "SSL|3a 3a|Invalid_Server_Cert"; 
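program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002069; classtype: suspicious-traffic; sid: 5002069; rev:4;)
# Robert Nunley & Champ Clark - 06/11/2014
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] 10+ unable to get local issuer certificate in 30 seconds [10/5]"; content: "unable to get local issuer certificate"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; after: track by_src, count 10, seconds 30; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002070; classtype: suspicious-traffic; sid: 5002070; rev:3;)
# These rules are based on Bro scripts from Liam Randall. They are located at: https://github.com/LiamRandall/BroMalware-Exercise. These will need to be loaded into Bro to trigger!
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess
# 5002071, 5002074 and 5002072 below: the github reference was missing its "reference:" keyword, so it
# was not a valid rule option.
# NOTE(review): 5002071's wiki reference still points at 5002070 (the rule it appears to be copied from);
# every other rule here references its own sid -- verify the wiki entry and update.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] ZeroAccess ZeroAccess_Client [0/5]"; content: "ZeroAccess|3a 3a|ZeroAccess_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 5, seconds 300; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002070; reference: url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/zeroaccess; sid: 5002071; rev:4;)
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
# Bitcoin mining detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] Bitcoin Miner [0/10]"; content: "Bitcoin|3a 3a|Miner"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; threshold: type limit, track by_src, count 10, seconds 300; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002074; reference: url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002074; rev:4;)
# https://github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0
# Lurk0 RAT ::Lurk0_Client
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] Probable LURK0 RAT C&C Access"; content: "Lurk0|3a 3a|Lurk0_Client"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002072; reference: url,github.com/LiamRandall/BroMalware-Exercise/tree/master/solutions/lurk0; sid: 5002072; rev:3;)
# Sidejacking
# Added in the main Bro repo. See http://matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro/ for more details.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[BRO] Sidejacking attack detected"; content: "Sidejacking"; program: bro; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002073; reference: url,matthias.vallentin.net/blog/2010/10/taming-the-sheep-detecting-sidejacking-with-bro; sid: 5002073; rev:3;)
rules/fatpipe.rules0000664000175000017500000000641112612177151013665 0ustar champchamp# Sagan fatpipe.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 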
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # 10.10.10.5|authpriv|info|info|56|2014-02-12|18:53:52|xtremed| UI Login: Success, User Name: bob, Remote IP: 10.10.10.1, Privilege: ADMINISTRATOR alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE] Login Success"; content: "Login|3a| Success"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001955; sid: 5001955; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE] Login Success - ADMINISTRATOR"; content: "Login|3a| Success"; content: "ADMINISTRATOR"; classtype: successful-admin; program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001956; sid: 5001956; rev:1;) # 10.10.10.5|authpriv|info|info|56|2014-02-12|19:01:06|xtremed| UI Login: Attempt Failed, User Name: bob, Remote IP: 10.10.0.1 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE] Login Failed"; content: "Login|3a| Attempt Failed"; classtype: unsuccessful-admin; 
program: xtremed; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001957; sid: 5001957; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[FATPIPE] Login Failed - Brute Force [5/5]"; content: "Login|3a| Attempt Failed"; classtype: unsuccessful-admin; program: xtremed; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001958; sid: 5001958; rev:2;) rules/reference.config0000664000175000017500000000453312612177151014311 0ustar champchamp# Sagan reference.config # Copyright (c) 2009-2014, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # The following defines URLs for the references found in the rules # config reference: system URL. Most of these are from Sourcefire's # 'Snort'. config reference: bugtraq,http://www.securityfocus.com/bid/ config reference: cve,http://cve.mitre.org/cgi-bin/cvename.cgi?name= config reference: arachNIDS,http://www.whitehats.com/info/IDS config reference: McAfee,http://vil.nai.com/vil/content/v_ config reference: nessus,http://cgi.nessus.org/plugins/dump.php3?id= config reference: url,http:// #config reference: quadrantsec,https://wiki.quadrantsec.com/bin/view/Main/ rules/cisco-blacklist.rules0000664000175000017500000001116212612177151015302 0ustar champchamp# Sagan cisco-blacklist.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # For log examples, see cisco-geoip.rules. 
This is just rules: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN Login from blacklisted IP"; program: %ASA-6-716038; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002240; sid: 5002240; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] Console login from blacklisted IP"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002241; sid: 5002241; rev: 2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] Login permitted from blacklisted IP"; program: %ASA-6-605005; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002242; sid: 5002242; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] WebVPN login from blacklisted IP"; program: %ASA-6-716001; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002243; sid: 5002243; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN disconnect from blacklisted IP"; program: %ASA-4-113019; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002244; sid: 5002244; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP"; program: %ASA-6-734001; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002245; sid: 5002245; rev: 1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] ACS Login success from blacklisted IP"; program: CisACS_01_PassedAuth; blacklist: by_src; classtype: successful-user; parse_src_ip: 2; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5002246; sid: 5002246; rev: 1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] VPN login from blacklisted IP [2]"; program: %ASA-6-722022|%ASA-6-722023; blacklist: by_src; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002247; sid: 5002247; rev: 1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA-6-303002; blacklist: by_src; classtype: successful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002248; sid: 5002248; rev: 1;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-BLACKLIST] FTP file transfer from blacklisted IP"; program: %ASA-6-303002; blacklist: by_dst; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002249; sid: 5002249; rev: 1;) rules/bro-normalize.rulebase0000664000175000017500000000430612612177151015466 0ustar champchamp# Sagan bro-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* prefix= # This is a "custom" bro output Sagan uses for file hashes from Bro. rule=: files: %-:word% %-:word% %src-ip:ipv4% %dst-ip:ipv4% %-:word% %-:word% %-:number% %-:word% %mime-type:word% %-:word% %-:word% %-:word% %-:word% %-:number% %-:number% %-:number% %-:number% %-:word% %-:word% %filehash-md5:word% %filehash-sha1:word% %filehash-sha256:word% %-:rest% rules/windows-owa-correlated.rules0000664000175000017500000000413412612177151016635 0ustar champchamp# Sagan windows-owa-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA-CORRELATED] Login failure after suspicious activity"; content: "/ews/exchange.asmx"; nocase; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002391; sid:5002391; rev:1;) rules/web-attack.rules0000664000175000017500000006042612612177151014265 0ustar champchamp# Sagan web-attack.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These are used to identify web attacks from Apache, IIS and other "access" logs. # Added by Robert Nunley (rnunley@quadantsec.com) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACK] Havij SQL Injection Tool Identified"; content: "0x31303235343830303536"; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001699; sid: 5001699; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] UNION ALL SELECT in URL - Possible SQL Injection"; content: "0%27%20union%20all%20select%20"; nocase; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001700; sid: 5001700; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - x=x"; content: "%20and%20%27x%27%3D%27x"; nocase; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001701; sid: 5001701; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] SQL Injection Using Encapsulated Data - 1=1"; content: "%20and%20%271%27%3D%271"; nocase; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001702; sid: 5001702; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] SQL Injection Using Hex 
Encoding"; content: "concat"; content: "unhex"; nocase; classtype: web-application-attack; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001703; sid: 5001703; rev:1;) # Added by Robert Nunley (Nov272013) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Absinthe SQL Injection Tool HTTP Header Detected"; content:"User-Agent"; content: "Absinthe"; parse_src_ip: 1; parse_dst_ip: 2; nocase; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001864; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] bsqlbf Brute Force SQL Injection"; content:"User-Agent"; content: "bsqlbf"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:5001792; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Cisco Torch IOS HTTP Scan"; content:"User-Agent"; content: "Cisco-torch"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001793; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Core-Project Scanning Bot UA Detected"; content:"User-Agent"; content: "core-project/1.0"; parse_src_ip: 1; parse_dst_ip: 2; classtype:web-application-activity; sid:5001794; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] crimscanner User-Agent detected"; content:"GET"; nocase; content:"User-Agent"; content: "crimscanner"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010954; classtype:network-scan; sid:5001795; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] 
DavTest WebDav Vulnerability Scanner Default User Agent Detected"; content:"User-Agent"; content: "DAV.pm"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001796; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] DirBuster Web App Scan in Progress"; content:"User-Agent"; content: "DirBuster"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; classtype:web-application-attack; sid:5001797; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Possible Fast-Track Tool Spidering User-Agent Detected"; content:"User-Agent"; content: "pymills-spider"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001798; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Suspicious User-Agent - get-minimal - Possible Vuln Scan"; content:"User-Agent"; content: "get-minimal"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:5001799; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Grabber.py Web Scan Detected"; content:"User-Agent"; content: "Grabber"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001800; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected [0/5]"; content:"User-Agent"; content: "Mozilla/5.0"; content: "Grendel-Scan"; nocase; 
content:"http://www.grendel-scan.com"; nocase; threshold: type threshold, track by_dst, count 50, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001801; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Grendel Web Scan - Default User Agent Detected"; content:"User-Agent"; content: "Mozilla/5.0"; content: "Grendel-Scan"; nocase; content:"http://www.grendel-scan.com"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001863; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Hmap Webserver Fingerprint Scan"; content:"GET"; nocase; content:"HTTP/1.0"; content: "User-Agent"; content: "Mozilla"; content: "4.75 [en] |28|Windows NT 5.0"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001802; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Mini MySqlatOr SQL Injection Scanner"; content:"User-Agent"; content: "prog.CustomCrawler"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001803; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; content: "User-Agent"; content: "Mysqloit"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009882; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001804; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT 
(msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; content: "User-Agent"; content: "Nmap NSE"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:5001805; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; content: "User-Agent"; content: "Mozilla/5.0"; content: "Nmap Scripting Engine"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:5001806; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nessus User Agent"; content:"User-Agent"; nocase; content:"Nessus"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001807; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nessus User Agent"; content: "User-Agent"; nocase; content: "Nessus"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001865; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Netsparker Default User-Agent"; content: "User-Agent"; content: " Netsparker"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.mavitunasecurity.com/communityedition/; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001808; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content:"User-Agent"; content: "Mozilla/4.75 (Nikto"; threshold: type both, count 5, seconds 60, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; 
reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:5001809; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Nikto Web App Scan in Progress"; content: "User-Agent"; content: "Nikto"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:5001866; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Paros Proxy Scanner Detected"; content: "User-Agent"; content: "Paros"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001810; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] SQL Injection Attempt (Agent uil2pn)"; content: "User-Agent"; content: "uil2pn"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; classtype:web-application-attack; sid:5001811; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] SQL Power Injector SQL Injection User Agent Detected"; content: "User-Agent"; content: "SQL Power Injector"; content:"Security tool (Make sure it is used with the administrator consent)"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001812; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Sqlmap SQL Injection Scan"; content: "User-Agent"; content: "sqlmap"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001813; rev:2;) alert 
tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected"; content: "User-Agent"; content: "Mozilla/5.0 SF"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001814; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Skipfish Web Application Scan Detected (2)"; content: "GET"; content: ".old"; content: "User-Agent"; content: "Mozilla/5.0 SF/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001815; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Springenwerk XSS Scanner User-Agent Detected"; content:"User-Agent"; content: "Springenwerk"; nocase; reference:url,springenwerk.org/; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010508; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001816; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Suspicious User-Agent inbound (bot)"; content: "User-Agent"; content: "bot/"; nocase; threshold: type limit, count 3, seconds 300, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:5001817; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Toata Scanner User-Agent Detected"; content: "User-Agent"; content: "Toata dragostea"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001818; rev:2;) alert tcp $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[WEB-ATTACKS] Tomcat Web Application Manager scanning"; content: "GET"; nocase; content: "/manager/html"; nocase; content: "User-Agent"; content: "Mozilla/3.0"; content: "Indy Library)"; content: "Authorization"; content: "Basic"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010019; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001819; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner"; content: "User-Agent"; content: "SQL"; nocase; content: "Inject"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001820; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner"; content: "User-Agent"; content: "web"; nocase; content:"scan"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010088; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001821; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Suspicious User-Agent Containing Security Scan/ner, Likely Scan"; content: "User-Agent"; content: "security"; nocase; content:"scan"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010089; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001822; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] w3af User Agent"; content: "User-Agent"; content: "w3af.sourceforge.net"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001823; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: 
"[WEB-ATTACKS] WSFuzzer Web Application Fuzzing"; content: "/ServiceDefinition"; content: "User-Agent"; content: "Python-urllib"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001824; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Wapiti Web Server Vulnerability Scan"; content: "GET"; content: "?http"; content: "//www.google."; nocase; content: "User-Agent"; content: "Python-httplib2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001825; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] WebHack Control Center User-Agent Inbound (WHCC/)"; content: "User-Agent"; content: "WHCC"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; classtype:trojan-activity; sid:5001826; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Open-Proxy ScannerBot (webcollage-UA) "; content:"User-Agent"; content: "webcollage/1.135a"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url, stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:5001827; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] WebShag Web Application Scan Detected"; content: "User-Agent"; content: "webshag"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.scrt.ch/pages_en/outils.html; reference:url,doc.emergingthreats.net/2009158; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001828; rev:2;) alert tcp $EXTERNAL_NET any -> 
$HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; content: "User-Agent"; content: "WhatWeb"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001829; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] WITOOL SQL Injection Scan"; content: "union+select"; content: "select+user"; content: "User-Agent"; content: "Mozilla/4.0 (compatible"; content: "MSIE 6.0"; content: "Windows NT 5.0"; content: "MyIE2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001830; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] ZmEu exploit scanner"; content: "User-Agent"; content: "Made by ZmEu"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:5001831; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Possible jBroFuzz Fuzzer Detected"; content: "Host"; content: "localhost"; content:"User-Agent"; content: "Mozilla/5.0 (Windows"; content: "Windows NT 5.1"; content: "en-GB"; content: "Gecko/20061204 Firefox/2.0.0.1"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001832; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Hydra User-Agent"; content: "User-Agent"; content: "Mozilla/4.0 (Hydra)"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,freeworld.thc.org/thc-hydra; flowbits: set, recon, 86400; classtype:attempted-recon; 
sid:5001833; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Inspathx Path Disclosure Scanner User-Agent Detected"; content: "User-Agent"; content: "inspath [path disclosure finder"; threshold:type limit, count 1, seconds 30, track by_src; parse_src_ip: 1; parse_dst_ip: 2; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001834; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Medusa User-Agent"; content: "User-Agent"; content: "Teh Forest Lobster"; nocase; threshold: type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.foofus.net/~jmk/medusa/medusa.html; flowbits: set, recon, 86400;classtype:attempted-recon; sid:5001835; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] DotDotPwn User-Agent"; content: "User-Agent"; content: "DotDotPwn"; nocase; threshold:type limit, track by_src,count 1, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; reference:url,dotdotpwn.sectester.net; flowbits: set, recon, 86400;classtype:attempted-recon; sid:5001836; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Havij SQL Injection Tool User-Agent Inbound"; content: "User-Agent"; content: " Havij"; content: "Connection: "; parse_src_ip: 1; parse_dst_ip: 2; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:5001838; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] OpenVAS User-Agent Inbound"; content: "User-Agent"; content: "OpenVAS"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,openvas.org; flowbits: set, recon, 86400;classtype:attempted-recon; sid:5001839; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] ZmEu Scanner User-Agent Inbound"; content: "User-Agent"; 
content: "ZmEu"; parse_src_ip: 1; parse_dst_ip: 2; classtype:trojan-activity; sid:5001840; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Internal Dummy Connection User-Agent Inbound"; content: "User-Agent"; content:"(internal dummy connection)"; parse_src_ip: 1; parse_dst_ip: 2; classtype:trojan-activity; sid:5001841; rev:1;) alert tcp any any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] DominoHunter Security Scan in Progress"; content: "User-Agent"; content: "DominoHunter"; nocase; parse_src_ip: 1; parse_dst_ip: 2; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:5001842; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] Vega Web Application Scan"; content: "User-Agent"; content: "Vega"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001843; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] FHScan core User-Agent Detect"; content: "FHScan Core "; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001844; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[WEB-ATTACKS] w3af User-Agent 2"; content: "User-Agent"; content:"w3af.sf.net"; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set, recon, 86400; classtype:attempted-recon; sid:5001845; rev:2;) rules/cisco-sdee.rules0000664000175000017500000253165112612177151014266 0ustar champchamp# Sagan cisco-sdee.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # Note: You will need a program to convert Cisco IPS events (from the SDEE protocol) to syslog. At Quadrant, # we have developed a program called "qdee" ("Q - Dee"). You'll need something similar. "qdee" is _not_ # an open source project at this time. # # Sorry. 
# # Contact Champ Clark III for more information (cclark@quadrantsec.com) # # Since these are not "standard" rules, we start the IDs at "6100000". alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPS/IDS License Expiration"; content: "Health Warning"; content: "licenseExpiration"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/6100000; sid: 6100000; rev:1;) # Based on http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId={Signature ID} alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Bad Option List"; content: "SID: 1000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101000; sid: 6101000; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Record Packet Route"; content: "SID: 1001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101001; sid: 6101001; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Timestamp"; content: "SID: 1002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101002; sid: 6101002; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Provide s,c,h,tcc"; content: "SID: 1003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101003; sid: 6101003; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Loose Source Route"; content: "SID: 1004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101004; sid: 6101004; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-SATNET ID"; content: "SID: 1005 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101005; sid: 6101005; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP options-Strict Source Route"; content: "SID: 1006 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101006; sid: 6101006; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 over IPv4 or IPv6"; content: "SID: 1007 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101007; sid: 6101007; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lurk Malware Communication"; content: "SID: 1018 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101018; sid: 6101018; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XShellC601 Malware Communication"; content: "SID: 1019 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101019; sid: 6101019; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BB Malware Communication"; content: "SID: 1020 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101020; sid: 6101020; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Murcy Malware Communication"; content: "SID: 1021 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101021; sid: 6101021; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QDigit Malware Communication"; content: "SID: 1022 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101022; sid: 6101022; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Software Smart Install Denial of Service"; content: "SID: 1027 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101027; sid: 6101027; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BitDefender Internet Security 2009 XSS"; content: "SID: 1028 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101028; sid: 6101028; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell iManager Off By One Buffer Overflow"; content: "SID: 1029 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101029; sid: 6101029; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantic IM Manager Administrator Console Code Injection"; content: "SID: 1030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101030; sid: 6101030; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows MPEG Layer-3 Audio Decoder Stack Buffer Overflow"; content: "SID: 1032 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101032; sid: 6101032; rev: 3;) alert tcp $EXTERNAL_NET any -> 
$HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Slowloris Exploit"; content: "SID: 1034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101034; sid: 6101034; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] Microsoft DNS server Denial of Service Vulnerability"; content: "SID: 1038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101038; sid: 6101038; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability"; content: "SID: 1039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101039; sid: 6101039; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNSChanger Malware"; content: "SID: 1040 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101040; sid: 6101040; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Shellcode Encoder"; content: "SID: 1044 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101044; sid: 6101044; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Novell GroupWise Internet Agent HTTP Request Remote Code Execution"; content: "SID: 1051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101051; sid: 6101051; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe PDF Remote Code Execution"; content: "SID: 1052 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101052; sid: 6101052; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Cisco WebEx WRF File Buffer Overflow"; content: "SID: 1055 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101055; sid: 6101055; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Corehttp Httpd Buffer Overflow"; content: "SID: 1056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101056; sid: 6101056; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow"; content: "SID: 1057 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101057; sid: 6101057; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Cisco Webex WRF File Buffer Overflow"; content: "SID: 1058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101058; sid: 6101058; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] IIS Hit-Highlighting Authentication Bypass"; content: "SID: 1059 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101059; sid: 6101059; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Apache auth_ldap Format String"; content: "SID: 1060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101060; sid: 6101060; rev: 4;) 
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg: "[CISCO-SDEE] Windows Active Directory LDAP Remote Code Execution"; content: "SID: 1062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101062; sid: 6101062; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] BIND 8 TSIG Remote Code Execution"; content: "SID: 1063 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101063; sid: 6101063; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor Backup Products Tape Engine Service RPC Request Arbitrary Code Execution Vulnerability"; content: "SID: 1067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101067; sid: 6101067; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $PPTP_PORT (msg: "[CISCO-SDEE] Microsoft Windows PPTP Denial of Service"; content: "SID: 1069 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101069; sid: 6101069; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] IBM Tivoli Directory Server 6.0 Denial Of Service"; content: "SID: 1076 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101076; sid: 6101076; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] PHP File Upload GLOBAL Variable Overwrite"; content: "SID: 1077 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101077; sid: 6101077; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Helix RTSP SETUP Request Denial Of Service"; content: "SID: 1079 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101079; sid: 6101079; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Informix Long Username Buffer Overflow"; content: "SID: 1080 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101080; sid: 6101080; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] Libevent DNS Parsing Denial Of Service"; content: "SID: 1081 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101081; sid: 6101081; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] Libevent DNS Parsing Denial Of Service"; content: "SID: 1082 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101082; sid: 6101082; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Plug and Play Overflow"; content: "SID: 1083 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101083; sid: 6101083; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Cisco IOS HTTP Server Vulnerability"; content: "SID: 1085 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101085; sid: 6101085; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle OPMN daemon Format String Denial Of Service"; content: "SID: 1086 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101086; sid: 6101086; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[CISCO-SDEE] Oracle XDB FTP Buffer Overflow"; content: "SID: 1088 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101088; sid: 6101088; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SAP Message Server Group Parameter Remote Buffer Overflow"; content: "SID: 1089 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101089; sid: 6101089; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $NTP_PORT (msg: "[CISCO-SDEE] NTP MODE_PRIVATE Denial of Service"; content: "SID: 1090 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101090; sid: 6101090; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSwan and StrongSwan DPD Packet Remote DoS"; content: "SID: 1091 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101091; sid: 6101091; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Measuresoft ScadaPro Command Injection"; content: "SID: 1096 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101096; sid: 6101096; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Buffer Overflow"; content: "SID: 1097 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101097; sid: 6101097; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Denial of Service"; content: "SID: 1099 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101099; sid: 6101099; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unknown IP Protocol"; content: "SID: 1101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101101; sid: 6101101; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Impossible IP Packet"; content: "SID: 1102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101102; sid: 6101102; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Localhost Source Spoof"; content: "SID: 1104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101104; sid: 6101104; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Denial of Service"; content: "SID: 1105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101105; sid: 6101105; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsys PROMOTIC ActiveX SaveCfg AddTrend Buffer Overflow"; content: "SID: 1106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101106; sid: 6101106; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RFC 1918 Addresses Seen"; content: "SID: 1107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101107; sid: 6101107; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Packet with Proto 11"; content: "SID: 1108 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101108; sid: 6101108; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Interface DoS"; content: "SID: 1109 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101109; sid: 6101109; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Siemens FactoryLink Arbitrary Files Access and Denial of Service"; content: "SID: 1121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101121; sid: 6101121; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenOffice Remote Code Execution"; content: "SID: 1122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101122; sid: 6101122; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft RPC DCOM ISystemActivator Buffer Overflow"; content: "SID: 1124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101124; sid: 6101124; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WellinTech Kingview Buffer Overflow"; content: "SID: 1126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101126; sid: 6101126; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Cisco IOS ISAKMP Vulnerability"; content: "SID: 1127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101127; sid: 6101127; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft RRAS Service Overflow"; content: "SID: 1128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101128; sid: 6101128; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer VML Remote Code Execution"; content: "SID: 1129 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101129; sid: 6101129; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Malicous Signed Portable Executable File"; content: "SID: 1130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101130; sid: 6101130; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft MSCOMCTL ActiveX Control Remote Code Execution Vulnerability"; content: "SID: 1131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101131; sid: 6101131; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE OnReadyStateChange Remote Code Execution"; content: "SID: 1132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101132; sid: 6101132; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE SelectAll Remote Code Execution"; content: "SID: 1134 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101134; sid: 6101134; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Parameter Validation Vulnerability"; content: "SID: 1135 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101135; sid: 6101135; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works Remote Code Execution"; content: "SID: 1136 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101136; sid: 6101136; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Livemesh Application"; content: "SID: 1137 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101137; sid: 6101137; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer VML Use After Free"; content: "SID: 1138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101138; sid: 6101138; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba Marshalling Code Remote Code Execution Vulnerability"; content: "SID: 1140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101140; sid: 6101140; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Javascript Obfuscation Code Fragment"; content: "SID: 1142 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101142; sid: 6101142; rev: 3;)
#
# ---- Cisco IPS events relayed over SDEE (Cisco signature IDs 1143-1397) ----
#
# Every rule in this run has the same shape and differs only in the Cisco
# signature number it keys on and in the msg/sid it assigns:
#
#   program: qdee              -- only logs tagged with the "qdee" program are
#                                 considered (presumably the SDEE collector's
#                                 syslog program field; confirm against the
#                                 collector's configuration)
#   content: "SID: <n> ,"      -- the sole selector: a literal substring match on
#                                 the Cisco signature ID as the collector prints
#                                 it, delimiters included.  Keep the trailing " ,"
#                                 when adding rules: without it "SID: 1143" would
#                                 also match a log carrying "SID: 11430 ,".
#   parse_src_ip: 1 / parse_dst_ip: 2 / parse_port
#                              -- source, destination and port are recovered from
#                                 the message text (presumably the first and second
#                                 IP-looking tokens) rather than from the syslog
#                                 envelope -- verify against a sample qdee line
#   sid: 610<n>                -- the Sagan sid is the Cisco ID prefixed with 610
#                                 (1143 -> 6101143); keep this mapping when adding
#                                 rules so the two ID spaces stay aligned
#
# Review notes (observations only; no rule below is changed):
#  * The content anchor carries only the top-level Cisco signature ID.  If the
#    collector also emits a sub-signature ID it is not distinguished here --
#    TODO confirm against the qdee log format before building anything more
#    granular on these sids.
#  * Every rule is classtype: suspicious-traffic and none carries after: or
#    threshold: options, so each relayed event becomes one Sagan alert of the
#    same priority.  The fragment-reassembly events (1200-1208, 1225, 1250) and
#    the TCP stream-normaliser events (1300-1317, 1330) are the ones a sensor is
#    likely to repeat at volume; consider a per-source threshold on those, and a
#    sharper classtype for the malware-family entries (1212 Spyeye, 1256 Flame,
#    1349 Iframe.F) so they sort above protocol anomalies in downstream tooling.
#  * A few rules declare tcp/udp and $HTTP_PORT/$SNMP_PORT in the header (1166,
#    1298, 1328, 1331, the 1300-1316 TCP events and 1330); the rest say syslog/any.
#    The option list does the selecting either way; the header values presumably
#    only annotate the emitted alert record -- confirm before relying on
#    $HTTP_PORT or $SNMP_PORT to filter anything.
#  * 1317 "Zero Window Probe" is a TCP stream event but is declared syslog while
#    its neighbours 1300-1316 are declared tcp; this looks like an oversight and is
#    left as is (a change should come with a rev bump).
#
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectX NULL Byte Overwrite Vulnerability"; content: "SID: 1143 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101143; sid: 6101143; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Publisher 2007 Remote Code Execution"; content: "SID: 1144 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101144; sid: 6101144; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office PowerPoint Remote Code Execution Vulnerability"; content: "SID: 1152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101152; sid: 6101152; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel 2003 Denial of Service Vulnerability"; content: "SID: 1155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101155; sid: 6101155; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Outlook Remote Code Execution"; content: "SID: 1157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101157; sid: 6101157; rev: 3;)
# Header declares tcp/$HTTP_PORT (rev 4); selection is still the content/program options.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Apache 2.0 Encoded Backslash Directory Traversal Vulnerability"; content: "SID: 1166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101166; sid: 6101166; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic Alphanumeric Generated Email Address"; content: "SID: 1169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101169; sid: 6101169; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Shellcode Encoder"; content: "SID: 1173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101173; sid: 6101173; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visio Viewer Remote Code Execution"; content: "SID: 1182 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101182; sid: 6101182; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word RTF Heap Overrun"; content: "SID: 1183 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101183; sid: 6101183; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Reader Buffer Overflow"; content: "SID: 1184 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101184; sid: 6101184; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Serialization Vulnerability"; content: "SID: 1185 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101185; sid: 6101185; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Memory Corruption"; content: "SID: 1186 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101186; sid: 6101186; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI Plus Heap Overflow Vulnerability"; content: "SID: 1187 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101187; sid: 6101187; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Vulnerability"; content: "SID: 1188 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101188; sid: 6101188; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel MergeCells Record Heap Overflow"; content: "SID: 1189 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101189; sid: 6101189; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash Player newfunction Buffer Overflow"; content: "SID: 1190 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101190; sid: 6101190; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Memory Corruption Vulnerability"; content: "SID: 1191 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101191; sid: 6101191; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Remote Code Execution"; content: "SID: 1192 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101192; sid: 6101192; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Remote Code Execution"; content: "SID: 1193 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101193; sid: 6101193; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI Remote Code Execution Vulnerability"; content: "SID: 1194 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101194; sid: 6101194; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft TrueType Font Parsing Vulnerability"; content: "SID: 1195 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101195; sid: 6101195; rev: 3;)
# 1196 and 1197 carry the same msg text; only the Cisco ID (and hence the sid) tells them apart.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability"; content: "SID: 1196 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101196; sid: 6101196; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel File Format Memory Corruption Vulnerability"; content: "SID: 1197 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101197; sid: 6101197; rev: 3;)
# IP fragment-reassembly sanity events (1200-1208). No threshold is applied, so a
# fragmentation storm on the sensor side becomes a matching storm of Sagan alerts.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragmentation Buffer Full"; content: "SID: 1200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101200; sid: 6101200; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Overlap"; content: "SID: 1201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101201; sid: 6101201; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Overrun - Datagram Too Long"; content: "SID: 1202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101202; sid: 6101202; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Overwrite - Data is Overwritten"; content: "SID: 1203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101203; sid: 6101203; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Missing Initial Fragment"; content: "SID: 1204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101204; sid: 6101204; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Too Many Datagrams"; content: "SID: 1205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101205; sid: 6101205; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Too Small"; content: "SID: 1206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101206; sid: 6101206; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Too Many Fragments in a Datagram"; content: "SID: 1207 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101207; sid: 6101207; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IP Fragment Incomplete Datagram"; content: "SID: 1208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101208; sid: 6101208; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Object Packager Remote Code Execution Vulnerability"; content: "SID: 1210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101210; sid: 6101210; rev: 3;)
# Malware-family event; same suspicious-traffic classtype as the protocol anomalies around it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Spyeye Trojan Toolkit"; content: "SID: 1212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101212; sid: 6101212; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Deflate Encoding Memory Corruption"; content: "SID: 1213 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101213; sid: 6101213; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption"; content: "SID: 1218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101218; sid: 6101218; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jolt2 Fragment Reassembly DoS attack"; content: "SID: 1220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101220; sid: 6101220; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server DBMS_CDC_PUBLISH SQL Injection"; content: "SID: 1221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101221; sid: 6101221; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragment Flags Invalid"; content: "SID: 1225 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101225; sid: 6101225; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Packet Bad Length"; content: "SID: 1250 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101250; sid: 6101250; rev: 3;)
# Malware-family event; see note in the block header about classtype.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flame Malware"; content: "SID: 1256 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101256; sid: 6101256; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1258 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101258; sid: 6101258; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS Internet Explorer 9 Use After Free"; content: "SID: 1261 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101261; sid: 6101261; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Unauthorized Digital Certificates"; content: "SID: 1263 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101263; sid: 6101263; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Leak"; content: "SID: 1265 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101265; sid: 6101265; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1268 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101268; sid: 6101268; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Title Element Change Remote Code Execution"; content: "SID: 1270 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101270; sid: 6101270; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft insertAdjacentText Remote Code Execution"; content: "SID: 1271 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101271; sid: 6101271; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Developer Toolbar Vulnerability"; content: "SID: 1272 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101272; sid: 6101272; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer 8 Memory Corruption Vulnerability"; content: "SID: 1273 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101273; sid: 6101273; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Memory Access Vulnerability"; content: "SID: 1274 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101274; sid: 6101274; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Dynamics AX Enterprise Portal Elevation of Privilege"; content: "SID: 1275 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101275; sid: 6101275; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer OnBeforeDeactivate Event Remote Code Execution"; content: "SID: 1276 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101276; sid: 6101276; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1277 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101277; sid: 6101277; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer and Lync HTML Sanitization Cross-Site Scripting"; content: "SID: 1279 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101279; sid: 6101279; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft XML Core Services Remote Code Execution"; content: "SID: 1281 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101281; sid: 6101281; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Player WRF File Heap Overflow"; content: "SID: 1283 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101283; sid: 6101283; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Player WRF File Buffer Overflow"; content: "SID: 1284 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101284; sid: 6101284; rev: 3;)
# Rockwell ControlLogix (ICS) events 1285-1293. Three of them (1290, 1292, 1293) share the
# msg "Denial of Service"; the Cisco ID in the content anchor is what distinguishes them.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Stop Service Code"; content: "SID: 1285 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101285; sid: 6101285; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Reset Service Code"; content: "SID: 1287 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101287; sid: 6101287; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TelePresence Recording Server Media Import Command Injection"; content: "SID: 1288 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101288; sid: 6101288; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix boot code dump"; content: "SID: 1289 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101289; sid: 6101289; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Denial of Service"; content: "SID: 1290 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101290; sid: 6101290; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Firmware Update"; content: "SID: 1291 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101291; sid: 6101291; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Denial of Service"; content: "SID: 1292 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101292; sid: 6101292; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rockwell ControlLogix Denial of Service"; content: "SID: 1293 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101293; sid: 6101293; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Groupwise Messenger Server Information Leakage"; content: "SID: 1295 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101295; sid: 6101295; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Webex WRF JPEG DHT Chunk Stack Buffer Overflow"; content: "SID: 1296 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101296; sid: 6101296; rev: 3;)
# Header declares udp/$SNMP_PORT (rev 4); selection is still the content/program options.
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Enumeration Information Disclosure"; content: "SID: 1298 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101298; sid: 6101298; rev: 4;)
# TCP stream-normaliser events (1300-1317, 1330). Mostly declared "tcp" in the header;
# no threshold, so a chatty or misconfigured sensor will relay them one-for-one.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Segment Overwrite"; content: "SID: 1300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101300; sid: 6101300; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session Inactivity Timeout"; content: "SID: 1301 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101301; sid: 6101301; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session Embryonic Timeout"; content: "SID: 1302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101302; sid: 6101302; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session Closing Timeout"; content: "SID: 1303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101303; sid: 6101303; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Session Packet Queue Overflow"; content: "SID: 1304 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101304; sid: 6101304; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP URG flag set"; content: "SID: 1305 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101305; sid: 6101305; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Option Other"; content: "SID: 1306 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101306; sid: 6101306; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Window Variation"; content: "SID: 1307 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101307; sid: 6101307; rev: 3;)
# IP-layer event, hence "syslog" rather than "tcp" in the header.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TTL evasion"; content: "SID: 1308 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101308; sid: 6101308; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Reserved flags set"; content: "SID: 1309 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101309; sid: 6101309; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Retransmit Data Different"; content: "SID: 1310 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101310; sid: 6101310; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Packet Exceeds MSS"; content: "SID: 1311 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101311; sid: 6101311; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP MSS below minimum"; content: "SID: 1312 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101312; sid: 6101312; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP MSS exceeds maximum"; content: "SID: 1313 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101313; sid: 6101313; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN Packet With Data"; content: "SID: 1314 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101314; sid: 6101314; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ACK w/o TCP Stream"; content: "SID: 1315 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101315; sid: 6101315; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FIN or RST w/o TCP Stream"; content: "SID: 1316 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101316; sid: 6101316; rev: 3;)
# NOTE(review): a TCP stream event declared "syslog" while 1300-1316 are "tcp"; likely an
# oversight. Left unchanged here -- aligning it should be done with a rev bump.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Zero Window Probe"; content: "SID: 1317 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101317; sid: 6101317; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SharePoint Reflected List Parameter Vulnerability"; content: "SID: 1326 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101326; sid: 6101326; rev: 3;)
# Header declares tcp/$HTTP_PORT (rev 4); selection is still the content/program options.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Microsoft IIS Stack Exhaustion DoS"; content: "SID: 1328 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101328; sid: 6101328; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer 9 Cached Object Remote Code Execution"; content: "SID: 1329 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101329; sid: 6101329; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Drop - Bad Checksum"; content: "SID: 1330 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101330; sid: 6101330; rev: 3;)
# Header declares tcp/$HTTP_PORT (rev 4); selection is still the content/program options.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1331 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101331; sid: 6101331; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Registered Application Handler Vulnerability"; content: "SID: 1333 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101333; sid: 6101333; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows ADO Heap Overflow"; content: "SID: 1334 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101334; sid: 6101334; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Sharepoint Cross Site Scripting Attack"; content: "SID: 1335 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101335; sid: 6101335; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Telepresence Command Injection Vulnerability"; content: "SID: 1338 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101338; sid: 6101338; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Joomla 1.5.12 TinyBrowser File Upload Code Execution"; content: "SID: 1341 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101341; sid: 6101341; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Common Services Framework Help Servlet XSS Vulnerability"; content: "SID: 1343 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101343; sid: 6101343; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS BGP Malformed Attribute Denial of Service"; content: "SID: 1346 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101346; sid: 6101346; rev: 3;)
# Policy/visibility event rather than an exploit; expect it to be benign in most environments.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Skype Call Activity"; content: "SID: 1347 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101347; sid: 6101347; rev: 3;)
# Malware-family event; see note in the block header about classtype.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Javascript Trojan Iframe.F"; content: "SID: 1349 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101349; sid: 6101349; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visio Viewer Code Execution Vulnerability"; content: "SID: 1350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101350; sid: 6101350; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Web Gateway Remote Command Execution"; content: "SID: 1353 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101353; sid: 6101353; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player URL Security Domain Checking Vulnerability"; content: "SID: 1356 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101356; sid: 6101356; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Shockwave Buffer Overflow"; content: "SID: 1358 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101358; sid: 6101358; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Domino Server Controller Authentication Bypass"; content: "SID: 1360 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101360; sid: 6101360; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Remote Administration Protocol Read Access Violation Vulnerability"; content: "SID: 1364 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101364; sid: 6101364; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle WebCenter ActiveX Control File Creation Vulnerability"; content: "SID: 1366 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101366; sid: 6101366; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1367 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101367; sid: 6101367; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime JPEG2000 Integer Overflow"; content: "SID: 1369 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101369; sid: 6101369; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FFmpeg 4xm Null Pointer Memory Corruption"; content: "SID: 1370 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101370; sid: 6101370; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Integer Overflow Remote Code Execution"; content: "SID: 1371 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101371; sid: 6101371; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Asynchronous NULL Object Access Remote Code Execution"; content: "SID: 1372 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101372; sid: 6101372; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player MP4 File Memory Corruption Vulnerability"; content: "SID: 1373 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101373; sid: 6101373; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro ServerProtect EarthAgent RPC Buffer Overflow Vulnerability"; content: "SID: 1374 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101374; sid: 6101374; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari WebKit Memory Corruption Vulnerability"; content: "SID: 1376 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101376; sid: 6101376; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Chrome and Apple Safari Use After Free Vulnerability"; content: "SID: 1377 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101377; sid: 6101377; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visio Memory Corruption"; content: "SID: 1378 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101378; sid: 6101378; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Remote Desktop Protocol Vulnerability"; content: "SID: 1379 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101379; sid: 6101379; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSCOMCTL ActiveX Control Remote Code Execution Vulnerability"; content: "SID: 1380 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101380; sid: 6101380; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Networking Vulnerability"; content: "SID: 1381 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101381; sid: 6101381; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Print Spooler Service Format String Vulnerability"; content: "SID: 1382 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101382; sid: 6101382; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Remote Administration Protocol Heap Overflow"; content: "SID: 1384 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101384; sid: 6101384; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows IE Layout Memory Corruption"; content: "SID: 1385 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101385; sid: 6101385; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Reader Stack Buffer Overflow Vulnerability"; content: "SID: 1386 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101386; sid: 6101386; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Arbitrary Code Execution"; content: "SID: 1387 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101387; sid: 6101387; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL CMS Structure OriginatorInfo Memory Corruption"; content: "SID: 1388 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101388; sid: 6101388; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Database Archiving Software GIOP Parsing Buffer Overflow"; content: "SID: 1389 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101389; sid: 6101389; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Denial of Service"; content: "SID: 1393 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101393; sid: 6101393; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Linksys PlayerPT ActiveX Control Stack Overflow"; content: "SID: 1394 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101394; sid: 6101394; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player MP4 Sequence Parameter Set Parsing Buffer Overflow"; content: "SID: 1395 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101395; sid: 6101395; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visual Studio Cross Site Scripting (XSS) Vulnerability"; content: "SID: 1396 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101396; sid: 6101396; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Array.reduceRight Integer Overflow Vulnerability"; content: "SID: 1397 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101397; sid: 6101397; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Outlook Web Access Cross Site Request Forgery Vulnerability"; content: "SID: 1398 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101398; sid: 6101398; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA Total Defense Suite Information Disclosure Vulnerability"; content: "SID: 1399 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101399; sid: 6101399; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GRE Over IPv6 Encapsulation"; content: "SID: 1400 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101400; sid: 6101400; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPIP Encapsulation"; content: "SID: 1401 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101401; sid: 6101401; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MPLS Over IPv6 Encapsulation"; content: "SID: 1402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101402; sid: 6101402; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv4 Over IPv6 Encapsulation"; content: "SID: 1403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101403; sid: 6101403; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-SDEE] Adobe Shockwave PAMI Chunk Remote Code Execution"; content: "SID: 1404 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101404; sid: 6101404; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Destination IP Address"; content: "SID: 1405 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101405; sid: 6101405; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Source Port"; content: "SID: 1406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101406; sid: 6101406; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Destination Port"; content: "SID: 1407 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101407; sid: 6101407; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Teredo Data Packet"; content: "SID: 1408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101408; sid: 6101408; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GRE Tunnel Detected"; content: "SID: 1409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101409; sid: 6101409; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Over MPLS Tunnel"; content: "SID: 1410 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101410; sid: 
6101410; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Unsolicited Response Storm"; content: "SID: 1414 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101414; sid: 6101414; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Non-DNP3 Communication on a DNP3 Port"; content: "SID: 1415 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101415; sid: 6101415; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Last Received Was A Broadcast Message"; content: "SID: 1417 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101417; sid: 6101417; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java 7 Applet Remote Code Execution Vulnerability"; content: "SID: 1421 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101421; sid: 6101421; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Time Synchronization Required"; content: "SID: 1422 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101422; sid: 6101422; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Device Under Local Control"; content: "SID: 1423 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101423; sid: 6101423; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - 
Device In Trouble"; content: "SID: 1424 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101424; sid: 6101424; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Attempt To Use Unsupported Function Code"; content: "SID: 1425 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101425; sid: 6101425; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Request Object Unknown Or Errors In Application Data"; content: "SID: 1426 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101426; sid: 6101426; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Parameters Out Of Range"; content: "SID: 1427 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101427; sid: 6101427; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Event Buffer Overflow"; content: "SID: 1428 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101428; sid: 6101428; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Already Executing Request"; content: "SID: 1429 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101429; sid: 6101429; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Corrupt Configuration Error"; content: "SID: 1430 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101430; sid: 6101430; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Invalid Reserved IIN Flags Set"; content: "SID: 1431 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101431; sid: 6101431; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Active Configuration"; content: "SID: 1432 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101432; sid: 6101432; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Authentication Request"; content: "SID: 1433 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101433; sid: 6101433; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Authentication Reply"; content: "SID: 1434 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101434; sid: 6101434; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Authentication Error"; content: "SID: 1435 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101435; sid: 6101435; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Authentication Response Or Authentication Challenge"; content: "SID: 1436 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101436; sid: 6101436; rev: 3;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Challenge"; content: "SID: 1437 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101437; sid: 6101437; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Unsolicited Authentication Response Storm"; content: "SID: 1438 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101438; sid: 6101438; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Advanced DNP3 - Device Restarted"; content: "SID: 1439 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101439; sid: 6101439; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Shamoon Malware Activity"; content: "SID: 1441 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101441; sid: 6101441; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visual Studio Team Web Access XSS Vulnerability"; content: "SID: 1442 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101442; sid: 6101442; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft System Center Configuration Manager Reflected XSS"; content: "SID: 1444 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101444; sid: 6101444; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Reader Memory Corruption"; content: 
"SID: 1445 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101445; sid: 6101445; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BaoFeng Storm ActiveX Control Buffer Overflow Vulnerability"; content: "SID: 1446 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101446; sid: 6101446; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ganglia Stack Buffer Overflow Vulnerability"; content: "SID: 1447 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101447; sid: 6101447; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Player Player Heap Buffer Overflow Vulnerability"; content: "SID: 1451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101451; sid: 6101451; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Reader Memory Corruption Vulnerability"; content: "SID: 1455 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101455; sid: 6101455; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Fusion Middleware Outside In Excel File Parsing Integer Overflow"; content: "SID: 1459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101459; sid: 6101459; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenLDAP Modrdn Memory Corruption Vulnerability"; content: "SID: 1460 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101460; sid: 6101460; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DATAC Control RealWin SCADA Server Buffer Overflow Vulnerability"; content: "SID: 1461 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101461; sid: 6101461; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks Helix Universal Server Buffer Overflow"; content: "SID: 1462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101462; sid: 6101462; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DD-WRT Arbitrary Shell Command Execution Vulnerability"; content: "SID: 1464 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101464; sid: 6101464; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer execCommand Vulnerability"; content: "SID: 1466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101466; sid: 6101466; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EMC NetWorker Format String Vulnerability"; content: "SID: 1468 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101468; sid: 6101468; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Visio Object Processing Vulnerability"; content: "SID: 1469 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101469; sid: 6101469; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox and SeaMonkey Remote Cross-Site Scripting Vulnerability"; content: "SID: 1470 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101470; sid: 6101470; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability"; content: "SID: 1471 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101471; sid: 6101471; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Embedded OpenType Font Processing Heap Overflow Vulnerability"; content: "SID: 1472 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101472; sid: 6101472; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XDP Encoded PDF File Transfer"; content: "SID: 1474 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101474; sid: 6101474; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webex Player Heap Overflow"; content: "SID: 1475 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101475; sid: 6101475; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ASA and FWSM DCERPC Inspection DoS"; content: "SID: 1476 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101476; 
sid: 6101476; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ASA PIX Denial of Service"; content: "SID: 1478 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101478; sid: 6101478; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability"; content: "SID: 1480 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101480; sid: 6101480; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer cloneNode Remote Code Execution"; content: "SID: 1481 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101481; sid: 6101481; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Document Layout Processing Use-After-Free Vulnerability"; content: "SID: 1482 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101482; sid: 6101482; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer 9 Event Listener Remote Code Execution"; content: "SID: 1483 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101483; sid: 6101483; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Recording Format Player Buffer Overflow"; content: "SID: 1487 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101487; sid: 6101487; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CISCO ASA DCERPC Inspection Denial Of Service"; content: "SID: 1492 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101492; sid: 6101492; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Distributed Denial of Service on Financial Institutions"; content: "SID: 1493 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101493; sid: 6101493; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx Recording Format Player Overflow"; content: "SID: 1494 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101494; sid: 6101494; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Remote Code Execution"; content: "SID: 1495 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101495; sid: 6101495; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works 9 Remote Code Execution Vulnerability"; content: "SID: 1496 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101496; sid: 6101496; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption"; content: "SID: 1497 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101497; sid: 6101497; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server Report Manager Reflected Cross Site 
Scripting Vulnerability"; content: "SID: 1498 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101498; sid: 6101498; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word PAPX Section Processing Arbitrary Code Execution Vulnerability"; content: "SID: 1501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101501; sid: 6101501; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Response-Splitting Protection Bypass"; content: "SID: 1503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101503; sid: 6101503; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WebEx WRF Player Memory Corruption"; content: "SID: 1504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101504; sid: 6101504; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks Helix Server RTSP SETUP Stack Buffer Overflow"; content: "SID: 1507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101507; sid: 6101507; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ImageMagick ResolutionUnit Tag Invalid Validation Denial of Service Vulnerability"; content: "SID: 1508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101508; sid: 6101508; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office TIFF Image Converter Memory Corruption"; content: 
"SID: 1511 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101511; sid: 6101511; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Easy Printer Care HPTicketMgr.dll ActiveX Remote Code Execution"; content: "SID: 1512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101512; sid: 6101512; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe SWF Remote Code Execution"; content: "SID: 1513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101513; sid: 6101513; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe SWF Remote Code Execution"; content: "SID: 1514 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101514; sid: 6101514; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Invalid Function Code Is Used"; content: "SID: 1520 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101520; sid: 6101520; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Reserved Function Code Used"; content: "SID: 1524 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101524; sid: 6101524; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe SWF Remote Code Execution"; content: "SID: 1528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
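url,wiki.quadrantsec.com/bin/view/Main/6101528; sid: 6101528; rev: 3;)
#
# Cisco SDEE (IPS/IDS) signature events relayed through the "qdee" program.
# Every rule below keys on the literal Cisco signature id field in the log
# line ("SID: <n> ,") and the Sagan sid is 6100000 + that Cisco SID
# (e.g. Cisco SID 1532 -> sid 6101532). One rule per line; the rule parser
# is line oriented, so a rule must never be wrapped or share a line.
#
# Endpoint data is taken from the log text (parse_src_ip: 1, parse_dst_ip: 2,
# parse_port); NOTE(review): presumably $HOME_NET/$EXTERNAL_NET are then
# matched against those parsed addresses rather than the syslog sender —
# confirm against the Sagan manual for the deployed version.
#
# The udp/tcp rules below reference $SNMP_PORT, $HTTP_PORT and $TELNET_PORT;
# NOTE(review): these variables are assumed to be defined in the main Sagan
# configuration — confirm before enabling this file.
#
# Several distinct Cisco SIDs carry identical msg text (1584/1585, 1591/1593,
# 1719/1724, 1721/1727, 1722/1725). Triage, correlation and de-duplication
# should key on sid, not on msg.
#
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Chrome and Apple Safari Use-After-Free Code Execution"; content: "SID: 1532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101532; sid: 6101532; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EMC NetWorker Buffer Overflow"; content: "SID: 1534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101534; sid: 6101534; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exim Mail Transfer Agent Arbitrary Code Execution Vulnerability"; content: "SID: 1535 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101535; sid: 6101535; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat PDF Font Processing Memory Corruption"; content: "SID: 1536 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101536; sid: 6101536; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Outside In JPEG 2000 Heap Buffer Overflow"; content: "SID: 1537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101537; sid: 6101537; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Unified MeetingPlace Web Conferencing Buffer Overflow"; content: "SID: 1538 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101538; sid: 6101538; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Hyperion Strategic Finance Client Heap Buffer Overflow"; content: "SID: 1540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101540; sid: 6101540; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Reader Code Execution"; content: "SID: 1545 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101545; sid: 6101545; rev: 3;)
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] H3C and Huawei SNMP Access Control Vulnerability"; content: "SID: 1546 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101546; sid: 6101546; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Word 2010 Stack Overflow"; content: "SID: 1547 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101547; sid: 6101547; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Picture Manager Memory Corruption"; content: "SID: 1548 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101548; sid: 6101548; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Netware XNFS.NLM xdrDecodeString Heap Buffer Overflow"; content: "SID: 1550 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101550; sid: 6101550; rev: 3;)
# NOTE(review): the msg text of the next rule is truncated upstream ("...getCharNumAtPositio");
# kept verbatim so the alert name stays stable for existing correlation.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox SVGTextElement.getCharNumAtPositio Use-After-Free"; content: "SID: 1555 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101555; sid: 6101555; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Intelligent Management Center Multiple Remote Code Execution"; content: "SID: 1556 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101556; sid: 6101556; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Notes URL Handler Vulnerability"; content: "SID: 1563 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101563; sid: 6101563; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Cross Domain Bypass"; content: "SID: 1564 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101564; sid: 6101564; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell ZENworks Asset Management Web Console Information Disclosure"; content: "SID: 1565 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101565; sid: 6101565; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Vista Speech Recognition ActiveX Vulnerabilities"; content: "SID: 1566 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101566; sid: 6101566; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP StorageWorks P4000 Virtual SAN Appliance Command Execution Vulnerability"; content: "SID: 1569 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101569; sid: 6101569; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple iCloud Traffic"; content: "SID: 1570 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101570; sid: 6101570; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell File Reporter Buffer Overflow"; content: "SID: 1571 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101571; sid: 6101571; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Operations Agent for NonStop Server HEALTH Packet Parsing Stack Buffer"; content: "SID: 1572 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101572; sid: 6101572; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia Shockwave ActiveX SwDir.dll Stack Buffer Overflow"; content: "SID: 1573 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101573; sid: 6101573; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VMWare ActiveX Remote Code Execution"; content: "SID: 1574 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101574; sid: 6101574; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell iPrint Client ActiveX Remote Code Execution"; content: "SID: 1575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101575; sid: 6101575; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asterisk SIP Channel Driver Denial of Service"; content: "SID: 1577 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101577; sid: 6101577; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTPD32 Format String Vulnerability"; content: "SID: 1578 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101578; sid: 6101578; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asterisk SIP INVITE Denial of Service"; content: "SID: 1579 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101579; sid: 6101579; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Shockwave Player Director Record Parsing Remote Code Execution"; content: "SID: 1580 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101580; sid: 6101580; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Explorer Code Execution"; content: "SID: 1584 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101584; sid: 6101584; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Explorer Code Execution"; content: "SID: 1585 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101585; sid: 6101585; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VLC Media Player Code Execution"; content: "SID: 1586 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101586; sid: 6101586; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows File Enumeration Memory Corruption Vulnerability"; content: "SID: 1587 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101587; sid: 6101587; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Stack Overflow Code Execution"; content: "SID: 1588 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101588; sid: 6101588; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Invalid Length Use After Free"; content: "SID: 1589 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101589; sid: 6101589; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability"; content: "SID: 1591 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101591; sid: 6101591; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Remote Code Execution Vulnerability"; content: "SID: 1593 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101593; sid: 6101593; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asterisk Skinny Channel Driver Capabilities_Res_Message Denial of Service"; content: "SID: 1595 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101595; sid: 6101595; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CFormElement Use After Free Vulnerability"; content: "SID: 1596 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101596; sid: 6101596; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Web Proxy Auto-Discovery Arbitrary Code Execution"; content: "SID: 1597 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101597; sid: 6101597; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Business Intelligence Enterprise Edition Cross Site Scripting"; content: "SID: 1598 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101598; sid: 6101598; rev: 3;)
#
# ICMPv6 / IPv6 header anomaly signatures. These are protocol-conformance
# events; a burst of them is a useful indicator of scanning or malformed-
# traffic probing, but individually they are low fidelity.
#
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 zero length option"; content: "SID: 1600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101600; sid: 6101600; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 1 violation"; content: "SID: 1601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101601; sid: 6101601; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 2 violation"; content: "SID: 1602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101602; sid: 6101602; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 3 violation"; content: "SID: 1603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101603; sid: 6101603; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 4 violation"; content: "SID: 1604 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101604; sid: 6101604; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 option type 5 violation"; content: "SID: 1605 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101605; sid: 6101605; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 short option data"; content: "SID: 1606 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101606; sid: 6101606; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 multi-crafted fragments"; content: "SID: 1607 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101607; sid: 6101607; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CTreePos Element Use After Free Vulnerability"; content: "SID: 1608 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101608; sid: 6101608; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Code Access Information Disclosure"; content: "SID: 1609 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101609; sid: 6101609; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Echo Request"; content: "SID: 1610 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101610; sid: 6101610; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Echo Reply"; content: "SID: 1611 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101611; sid: 6101611; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Destination Unreachable"; content: "SID: 1612 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101612; sid: 6101612; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Packet Too Big Message"; content: "SID: 1613 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101613; sid: 6101613; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Time Exceeded Message"; content: "SID: 1614 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101614; sid: 6101614; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Parameter Problem Message"; content: "SID: 1615 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101615; sid: 6101615; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Group Membership Query"; content: "SID: 1616 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101616; sid: 6101616; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Group Membership Report"; content: "SID: 1617 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101617; sid: 6101617; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Membership Reduction"; content: "SID: 1618 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101618; sid: 6101618; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Router Solicitation"; content: "SID: 1619 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101619; sid: 6101619; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Router Advertisement"; content: "SID: 1620 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101620; sid: 6101620; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Neighbor Solicitation"; content: "SID: 1621 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101621; sid: 6101621; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Neighbor Advertisement"; content: "SID: 1622 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101622; sid: 6101622; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Redirect"; content: "SID: 1623 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101623; sid: 6101623; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Router Renumbering"; content: "SID: 1624 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101624; sid: 6101624; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Membership Report V2"; content: "SID: 1625 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101625; sid: 6101625; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large ICMPV6 Traffic"; content: "SID: 1626 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101626; sid: 6101626; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented ICMPv6 Traffic"; content: "SID: 1627 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101627; sid: 6101627; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Traffic over IPv4"; content: "SID: 1628 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101628; sid: 6101628; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Traffic over IPv6"; content: "SID: 1629 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101629; sid: 6101629; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMPv6 Packet Too Big"; content: "SID: 1630 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101630; sid: 6101630; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework Reflection Bypass Vulnerability"; content: "SID: 1631 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101631; sid: 6101631; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Unix CUPS HTTP GET Denial Of Service"; content: "SID: 1632 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101632; sid: 6101632; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bootpd 2.4.3 Buffer Overflow"; content: "SID: 1635 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101635; sid: 6101635; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox 1.0.7 InstallTrigger.Install Remote Code Execution"; content: "SID: 1636 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101636; sid: 6101636; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Javascript Engine Overflow"; content: "SID: 1637 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101637; sid: 6101637; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox CSS Layout Memory Corruption"; content: "SID: 1638 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101638; sid: 6101638; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Use After Free Vulnerability"; content: "SID: 1641 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101641; sid: 6101641; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Kernel-Mode Driver Remote Code Execution"; content: "SID: 1642 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101642; sid: 6101642; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari Out of Bounds Access Denial of Service"; content: "SID: 1643 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101643; sid: 6101643; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Java Applet Payload Creation"; content: "SID: 1646 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101646; sid: 6101646; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise Internet Agent RRULE Weekday Parsing Buffer Overflow"; content: "SID: 1653 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101653; sid: 6101653; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PNG Embedded File Type"; content: "SID: 1654 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101654; sid: 6101654; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player ActionScript callMethod Code Execution"; content: "SID: 1664 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101664; sid: 6101664; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Secure Backup Server Command Execution Vulnerability"; content: "SID: 1671 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101671; sid: 6101671; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Open Type Font Parsing Vulnerability"; content: "SID: 1681 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101681; sid: 6101681; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE Improper Ref Counting Use After Free Vulnerability"; content: "SID: 1683 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101683; sid: 6101683; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GXV-3000 SIP Phone Eavesdropping Exploit"; content: "SID: 1693 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101693; sid: 6101693; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xitami Web Server Buffer Overflow"; content: "SID: 1694 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101694; sid: 6101694; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Root Access"; content: "SID: 1695 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101695; sid: 6101695; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Guest Access"; content: "SID: 1696 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101696; sid: 6101696; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Nobody Access"; content: "SID: 1697 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101697; sid: 6101697; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Hop-by-Hop Options Present"; content: "SID: 1700 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101700; sid: 6101700; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Present"; content: "SID: 1702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101702; sid: 6101702; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Fragmented Traffic"; content: "SID: 1703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101703; sid: 6101703; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Authentication Header Present"; content: "SID: 1704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101704; sid: 6101704; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 ESP Header Present"; content: "SID: 1705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101705; sid: 6101705; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IPv6 Header Traffic Class Field"; content: "SID: 1706 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101706; sid: 6101706; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IPv6 Header Flow Label Field"; content: "SID: 1707 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101707; sid: 6101707; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Header Contains An Invalid Address"; content: "SID: 1708 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101708; sid: 6101708; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Word RTF Document Processing Arbitrary Code Execution Vulnerability"; content: "SID: 1709 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101709; sid: 6101709; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Extensions Headers Out Of Order"; content: "SID: 1710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101710; sid: 6101710; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Duplicate IPv6 Extension Headers"; content: "SID: 1711 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101711; sid: 6101711; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Packet Contains Duplicate Src And Dst Address"; content: "SID: 1712 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101712; sid: 6101712; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Header Contains Multicast Source Address"; content: "SID: 1713 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101713; sid: 6101713; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Address Set To localhost"; content: "SID: 1714 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101714; sid: 6101714; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Options Padding Too Long"; content: "SID: 1716 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101716; sid: 6101716; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back To Back Padding Options"; content: "SID: 1717 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101717; sid: 6101717; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Option Data Too Short"; content: "SID: 1718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101718; sid: 6101718; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Endpoint Identification Option Set"; content: "SID: 1719 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101719; sid: 6101719; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Jumbo Payload Option Set"; content: "SID: 1720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101720; sid: 6101720; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Router Alert Option Set"; content: "SID: 1721 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101721; sid: 6101721; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set"; content: "SID: 1722 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101722; sid: 6101722; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Packet Contains Unassigned Options"; content: "SID: 1723 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101723; sid: 6101723; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Endpoint Identification Option Set"; content: "SID: 1724 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101724; sid: 6101724; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Tunnel Encapsulation Limit Option Set"; content: "SID: 1725 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101725; sid: 6101725; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Invalid Option Set"; content: "SID: 1726 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101726; sid: 6101726; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Router Alert Option Set"; content: "SID: 1727 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101727; sid: 6101727; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Type 0"; content: "SID: 1728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101728; sid: 6101728; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Failure Log XSS"; content: "SID: 1729 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101729; sid: 6101729; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Type 1 Routing Header"; content: "SID: 1730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101730; sid: 6101730; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Type 2 Routing Header"; content: "SID: 1731 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101731; sid: 6101731; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Type Unknown Type"; content: "SID: 1732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101732; sid: 6101732; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IPv6 Routing Header Length"; content: "SID: 1733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101733; sid: 6101733; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Incomplete"; content: "SID: 1734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101734; sid: 6101734; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Contains Invalid IP Address"; content: "SID: 1735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101735; sid: 6101735; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Contains A Loop"; content: "SID: 1736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101736; sid: 6101736; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Routing Header Reserved Bits Set"; content: "SID: 1737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101737; 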
sid: 6101737; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Unnecessary Fragment Header"; content: "SID: 1738 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101738; sid: 6101738; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Illegal Fragmentation"; content: "SID: 1739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101739; sid: 6101739; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Small IPv6 Fragments"; content: "SID: 1740 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101740; sid: 6101740; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 Fragment Header Reserved Bits Set"; content: "SID: 1741 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101741; sid: 6101741; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPv6 No Next Header Option Present"; content: "SID: 1742 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101742; sid: 6101742; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP phpinfo() Cross-Site Scripting Vulnerability"; content: "SID: 1743 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101743; sid: 6101743; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Database Privilege Escalation"; content: "SID: 1747 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101747; sid: 6101747; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Peercast Basic Authentication Overflow"; content: "SID: 1749 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101749; sid: 6101749; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] PHP zip URL Wrapper Buffer Overflow (HTTP)"; content: "SID: 1755 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101755; sid: 6101755; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Axigen POP3 Server Remote Format String Attack"; content: "SID: 1756 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101756; sid: 6101756; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] VLC HTTPD Format String Bug"; content: "SID: 1758 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101758; sid: 6101758; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Solaris RWall Daemon Syslog Format String Vulnerability"; content: "SID: 1760 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101760; sid: 6101760; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Post File Upload Buffer Overflow"; content: "SID: 1761 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101761; sid: 
6101761; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Value Scan"; content: "SID: 1762 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101762; sid: 6101762; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Synergy Clipboard Integer Overflow"; content: "SID: 1773 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101773; sid: 6101773; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet Web Admin Server Command Injection"; content: "SID: 1774 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101774; sid: 6101774; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netware Client Service Buffer Overflow"; content: "SID: 1775 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101775; sid: 6101775; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IIS 4.0 Information Leaking Vulnerability"; content: "SID: 1777 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101777; sid: 6101777; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IIS 4.0 Cross Site Scripting Vulnerability"; content: "SID: 1778 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101778; sid: 6101778; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS Server Memory Corruption Vulnerability"; content: "SID: 
1780 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101780; sid: 6101780; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nimda Worm TFTP Request"; content: "SID: 1781 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101781; sid: 6101781; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates Total Defense Suite UNCWS SQL Injection"; content: "SID: 1786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101786; sid: 6101786; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Java Remote Compiler Option Loading"; content: "SID: 1787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101787; sid: 6101787; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tom Sawyer GET Extension Factory ActiveX Remote Code Execution"; content: "SID: 1789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101789; sid: 6101789; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft System Center Operations Manager Privilege Escalation"; content: "SID: 1790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101790; sid: 6101790; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HeapLib Instantiation"; content: "SID: 1791 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101791; sid: 6101791; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer CButton Use After Free"; content: "SID: 1792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101792; sid: 6101792; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET Framework OData Services Denial of Service"; content: "SID: 1793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101793; sid: 6101793; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft XML Core Services Vulnerability"; content: "SID: 1794 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101794; sid: 6101794; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Streamprocess Buffer Overflow"; content: "SID: 1799 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101799; sid: 6101799; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks RealPlayer URL Parsing Stack Buffer Overflow"; content: "SID: 1801 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101801; sid: 6101801; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ruby on Rails Remote Code Execution Vulnerability"; content: "SID: 1802 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101802; sid: 6101802; rev: 3;)
alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Microsoft Exchange iCal DoS"; content: "SID: 1803 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101803; sid: 6101803; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java 1.7 Update 10 Remote Code Execution"; content: "SID: 1804 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101804; sid: 6101804; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ASA 1000v Cloud Firewall H.323 Inspection Denial of Service"; content: "SID: 1807 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101807; sid: 6101807; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Java Applet Rhino Script Engine Policy Bypass"; content: "SID: 1813 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101813; sid: 6101813; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] x.509 Certificate NULL Byte Name Insertion"; content: "SID: 1814 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101814; sid: 6101814; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] x.509 Certificate Integer Overflow"; content: "SID: 1815 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101815; sid: 6101815; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS IPSLA DoS"; content: "SID: 1819 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101819; sid: 6101819; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quest Software Big Brother Arbitrary File Deletion and Overwriting"; content: "SID: 1820 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101820; sid: 6101820; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid Gopher Parsing Overflow"; content: "SID: 1822 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101822; sid: 6101822; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUPS GIF Parsing Heap Overflow"; content: "SID: 1823 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101823; sid: 6101823; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft .NET XML Signature Syntax and Processing Vulnerability"; content: "SID: 1831 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101831; sid: 6101831; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix XenApp And XenDesktop XML Buffer Overflow"; content: "SID: 1833 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101833; sid: 6101833; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Sunway ForceControl SNMP NetDBServer Buffer Overflow"; content: "SID: 1835 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101835; sid: 6101835; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP JetDirect PJL Interface Universal Path Traversal"; content: "SID: 1836 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101836; sid: 6101836; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML5 Heap Spray"; content: "SID: 1837 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101837; sid: 6101837; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wibu-Systems WibuKey Runtime for Windows ActiveX Control Buffer Overflow"; content: "SID: 1838 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101838; sid: 6101838; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory LDAP Null Search Parameter Overflow"; content: "SID: 1850 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101850; sid: 6101850; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Portable SDK for UPnP Devices Buffer Overflow Vulnerabilities"; content: "SID: 1851 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101851; sid: 6101851; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ruby On Rails Remote Code Execution"; content: "SID: 1853 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101853; sid: 6101853; rev: 3;) alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Netware XNFS.NLM Remote Code Execution"; content: "SID: 1855 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101855; sid: 6101855; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1857 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101857; sid: 6101857; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OmniInet.exe Buffer Overflow Vulnerability"; content: "SID: 1858 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101858; sid: 6101858; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1862 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101862; sid: 6101862; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability"; content: "SID: 1863 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101863; sid: 6101863; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1864 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101864; sid: 6101864; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise 
Internet Agent Buffer Overflow Vulnerability"; content: "SID: 1865 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101865; sid: 6101865; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox DOM Insertions Memory Corruption"; content: "SID: 1866 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101866; sid: 6101866; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1867 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101867; sid: 6101867; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Vector Markup Language Remote Code Execution"; content: "SID: 1868 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101868; sid: 6101868; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ATA 187 Remote Access Vulnerability"; content: "SID: 1873 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101873; sid: 6101873; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VoipNow Professional Nsextt Parameter XSS Vulnerability"; content: "SID: 1874 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101874; sid: 6101874; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebERP Local File Include Vulnerability"; content: "SID: 1877 ,"; parse_src_ip: 1; parse_dst_ip: 
2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101877; sid: 6101877; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Java Web Console Format String Vulnerability"; content: "SID: 1878 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101878; sid: 6101878; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Elefant CMS ID Parameter Cross Site Scripting Vulnerability"; content: "SID: 1880 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101880; sid: 6101880; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] D-Link DSL-2640B Redpass.Cgi Cross Site Request Forgery Vulnerability"; content: "SID: 1881 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101881; sid: 6101881; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Cross Site Scripting Vulnerability"; content: "SID: 1882 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101882; sid: 6101882; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JW Player Logo.Link Parameter Cross Site Scripting Vulnerability"; content: "SID: 1883 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101883; sid: 6101883; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Count Per Day Plugin Datemin Parameter XSS Vulnerability"; content: "SID: 1885 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101885; sid: 6101885; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Wp-ImageZoom File Parameter Remote File Disclosure Vulnerability"; content: "SID: 1886 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101886; sid: 6101886; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] InduSoft Web Studio Unauthenticated Insecure Remote Operations"; content: "SID: 1892 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101892; sid: 6101892; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bitweaver Highlight Parameter Cross Site Scripting Vulnerability"; content: "SID: 1894 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101894; sid: 6101894; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1895 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101895; sid: 6101895; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XAMPP Cds.Php Cross Site Scripting Vulnerability"; content: "SID: 1896 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101896; sid: 6101896; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nagios XI VisApi.Php Div Parameter XSS Vulnerability"; content: "SID: 1898 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6101898; sid: 6101898; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MGB Guestbook Index.Php Cross Site Scripting Vulnerability"; content: "SID: 1899 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101899; sid: 6101899; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Church_Admin Id Parameter XSS Vulnerability"; content: "SID: 1900 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101900; sid: 6101900; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JW Player Playerready Cross Site Scripting Vulnerability"; content: "SID: 1904 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101904; sid: 6101904; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sophos E-Mail Security Virtual Appliance Remote Code Execution Vulnerability"; content: "SID: 1908 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101908; sid: 6101908; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KindEditor Name Parameter Cross Site Scripting Vulnerability"; content: "SID: 1909 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101909; sid: 6101909; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Rich Widget Plugin Arbitrary File Upload Vulnerability"; content: "SID: 1911 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101911; sid: 6101911; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Zenoss ViewDaemonLog Daemon Arbitrary Log File Access Vulnerability"; content: "SID: 1914 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101914; sid: 6101914; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Application Lifecycle Management XGO.ocx Remote Code Execution"; content: "SID: 1920 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101920; sid: 6101920; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ManageEngine Support Center Plus Cross Site Scripting Vulnerability"; content: "SID: 1922 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101922; sid: 6101922; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SilverStripe BackURL Parameter URI Redirection Vulnerability"; content: "SID: 1924 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101924; sid: 6101924; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symphony CMS BluePRINTs URI SQL Injection"; content: "SID: 1925 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101925; sid: 6101925; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress ABC Test Plugin Id Parameter XSS Vulnerability"; content: "SID: 1926 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101926; sid: 6101926; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Crayon Syntax Highlighter Wp_load Remote File Include"; content: "SID: 1927 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101927; sid: 6101927; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lattice Semiconductor Diamond Programmer Buffer Overflow"; content: "SID: 1928 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101928; sid: 6101928; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mcrypt Check File Head Stack Based Buffer Overflow"; content: "SID: 1929 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101929; sid: 6101929; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Cross Site Request Forgery Vulnerability"; content: "SID: 1930 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101930; sid: 6101930; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Newsletter Preview.php File Disclosure Vulnerability"; content: "SID: 1931 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101931; sid: 6101931; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DocXP Fid Parameter Directory Traversal Vulnerability"; content: "SID: 1933 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101933; 
sid: 6101933; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1937 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101937; sid: 6101937; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1938 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101938; sid: 6101938; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 1939 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101939; sid: 6101939; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1940 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101940; sid: 6101940; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1941 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101941; sid: 6101941; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Cross Site Scripting"; content: "SID: 1942 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101942; sid: 6101942; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Outside 
In CorelDRAW File Parser Heap Buffer Overflow"; content: "SID: 1944 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101944; sid: 6101944; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro Control Manager Cross Site Request Forgery"; content: "SID: 1945 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101945; sid: 6101945; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari WebKit SVG Memory Corruption"; content: "SID: 1946 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101946; sid: 6101946; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Buffer Overflow Vulnerability"; content: "SID: 1947 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101947; sid: 6101947; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Cloned DOM Object Code Execution"; content: "SID: 1949 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101949; sid: 6101949; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Remote Code Execution"; content: "SID: 1950 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101950; sid: 6101950; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache DoS"; content: "SID: 1958 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101958; sid: 6101958; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari WebKit innerHTML Double Free Memory Corruption"; content: "SID: 1959 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101959; sid: 6101959; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WINS Service Failed Response Vulnerability"; content: "SID: 1969 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101969; sid: 6101969; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hewlett-Packard OpenView Network Node Manager Remote Code Execution"; content: "SID: 1972 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101972; sid: 6101972; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1973 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101973; sid: 6101973; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Novell GroupWise HTTP Interfaces Arbitrary File Retrieval"; content: "SID: 1974 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101974; sid: 6101974; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] APT1 SSL Certificate"; content: "SID: 1975 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6101975; sid: 6101975; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Zone-based Firewall SIP Denial of Service"; content: "SID: 1976 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101976; sid: 6101976; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Player Memory Corruption"; content: "SID: 1977 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101977; sid: 6101977; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability"; content: "SID: 1978 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101978; sid: 6101978; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Visio Viewer VSD File Type Confusion"; content: "SID: 1981 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101981; sid: 6101981; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Sharepoint XSS"; content: "SID: 1984 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101984; sid: 6101984; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Sharepoint XSS"; content: "SID: 1990 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101990; sid: 6101990; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Microsoft Internet Explorer Remote Code Execution Vulnerability"; content: "SID: 1993 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101993; sid: 6101993; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft WKSSVC NetpManageIPCConnect Remote Code Execution"; content: "SID: 1997 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101997; sid: 6101997; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Remote Code Execution"; content: "SID: 1998 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6101998; sid: 6101998; rev: 3;)
# --- Cisco ICMP informational / reconnaissance signatures (Cisco SID 2000-2159) ---
# These fire on ordinary ICMP traffic (echo, unreachable, redirect, timestamp, mask requests) and
# will be the highest-volume rules in this file; the Cisco sensor is presumed to do its own
# summarisation, so no after:/threshold: is applied here -- add one (track by_src) if the SIEM
# is flooded. ICMP has no ports, so parse_port is carried over from the template and is not
# expected to find anything useful on these events.
# Redirect (2003), Source Quench (2002) and Address Mask Reply (2012) from an external host are
# worth more attention than echo traffic: they can be used to alter routing on the receiver.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Echo Reply"; content: "SID: 2000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102000; sid: 6102000; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Host Unreachable"; content: "SID: 2001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102001; sid: 6102001; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Source Quench"; content: "SID: 2002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102002; sid: 6102002; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Redirect"; content: "SID: 2003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102003; sid: 6102003; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Echo Request"; content: "SID: 2004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102004; sid: 6102004; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Time Exceeded for a Datagram"; content: "SID: 2005 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102005; sid: 6102005; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Parameter Problem on Datagram"; content: "SID: 2006 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102006; sid: 6102006; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Timestamp Request"; content: "SID: 2007 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102007; sid: 6102007; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Timestamp Reply"; content: "SID: 2008 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102008; sid: 6102008; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Information Request"; content: "SID: 2009 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102009; sid: 6102009; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Information Reply"; content: "SID: 2010 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102010; sid: 6102010; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Address Mask Reply"; content: "SID: 2012 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102012; sid: 6102012; rev: 3;)
# --- Application signatures (Cisco SID 2019-2039); same match pattern as the section above ---
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 7T IGSS Buffer Overflow"; content: "SID: 2019 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102019; sid: 6102019; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows SMB PIPE Remote Denial of Service Vulnerability"; content: "SID: 2021 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102021; sid: 6102021; rev: 3;)
# rev 4: header carries tcp / $HTTP_PORT for output labelling; detection is still content: + program:.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Schneider Electric Accutech Manager HTTP Request Processing Buffer Overflow"; content: "SID: 2023 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102023; sid: 6102023; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption Vulnerability"; content: "SID: 2024 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102024; sid: 6102024; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CCaret Use-After-Free Vulnerability"; content: "SID: 2030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102030; sid: 6102030; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft OneNote Information Disclosure"; content: "SID: 2034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102034; sid: 6102034; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SharePoint Elevation of Privilege"; content: "SID: 2036 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102036; sid: 6102036; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Memory Corruption"; content: "SID: 2038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102038; sid: 6102038; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer 8 Memory Corruption Vulnerability"; content: "SID: 2039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102039; sid: 6102039; rev: 3;)
# --- ICMP sweeps, floods and malformed ICMP (Cisco SID 2100-2159) ---
# Sweep/flood detection is done on the Cisco sensor; Sagan just relays the verdict, so the
# by-source aggregation normally written as after:/threshold: is intentionally absent.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Network Sweep With Echo"; content: "SID: 2100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102100; sid: 6102100; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Network Sweep w/Timestamp"; content: "SID: 2101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102101; sid: 6102101; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Network Sweep w/Address Mask"; content: "SID: 2102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102102; sid: 6102102; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented ICMP Traffic"; content: "SID: 2150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102150; sid: 6102150; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large ICMP Traffic"; content: "SID: 2151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102151; sid: 6102151; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Flood"; content: "SID: 2152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102152; sid: 6102152; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Smurf Attack"; content: "SID: 2153 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102153; sid: 6102153; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ping of Death Attack"; content: "SID: 2154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102154; sid: 6102154; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modem DoS"; content: "SID: 2155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102155; sid: 6102155; rev: 3;)
# Cisco SID 2156 and 2158 both carry the "Nachi Worm ICMP Echo Request" message; they stay
# distinct alerts (different content: and sid:), the msg text is just shared.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nachi Worm ICMP Echo Request"; content: "SID: 2156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102156; sid: 6102156; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Hard Error DoS"; content: "SID: 2157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102157; sid: 6102157; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nachi Worm ICMP Echo Request"; content: "SID: 2158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102158; sid: 6102158; rev: 3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICMP Destination Unreachable Protocol Unreachable"; content: "SID: 2159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102159; sid: 6102159; rev: 3;)
# --- Malformed IGMP (Cisco SID 2200-2202) ---
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid IGMP Header DoS"; content: "SID: 2200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102200; sid: 6102200; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IGMP over fragmented IP"; content: "SID: 2201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102201; sid: 6102201; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IGMP Invalid Packet DoS"; content: "SID: 2202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6102202; sid: 6102202; rev: 3;)
alert 
tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Port Sweep"; content: "SID: 3001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103001; sid: 6103001; rev: 3;)
# --- TCP port / host sweeps and malformed TCP (Cisco SID 3001-3052) ---
# Sweep correlation happens on the Cisco sensor; one syslog event per sweep verdict is relayed,
# so no after:/threshold: is set here. parse_port picks the port the collector prints -- for a
# sweep that is presumably only one of the many ports probed, so do not treat it as "the" target.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN Port Sweep"; content: "SID: 3002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103002; sid: 6103002; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag SYN Port Sweep"; content: "SID: 3003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103003; sid: 6103003; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FIN Port Sweep"; content: "SID: 3005 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103005; sid: 6103005; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag FIN Port Sweep"; content: "SID: 3006 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103006; sid: 6103006; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP High Port Sweep"; content: "SID: 3010 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103010; sid: 6103010; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FIN High Port Sweep"; content: "SID: 3011 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103011; sid: 6103011; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag FIN High Port Sweep"; content: "SID: 3012 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103012; sid: 6103012; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Null Port Sweep"; content: "SID: 3015 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103015; sid: 6103015; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag Null Port Sweep"; content: "SID: 3016 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103016; sid: 6103016; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN FIN Port Sweep"; content: "SID: 3020 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103020; sid: 6103020; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Frag SYN FIN Port Sweep"; content: "SID: 3021 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103021; sid: 6103021; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN Host Sweep"; content: "SID: 3030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103030; sid: 6103030; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FRAG SYN Host Sweep"; content: "SID: 3031 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103031; sid: 6103031; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FIN Host Sweep"; content: "SID: 3032 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103032; sid: 6103032; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FRAG FIN Host Sweep"; content: "SID: 3033 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103033; sid: 6103033; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP NULL Host Sweep"; content: "SID: 3034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103034; sid: 6103034; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FRAG NULL Host Sweep"; content: "SID: 3035 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103035; sid: 6103035; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN FIN Host Sweep"; content: "SID: 3036 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103036; sid: 6103036; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP FRAG SYN FIN Host Sweep"; content: "SID: 3037 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103037; sid: 6103037; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented NULL TCP Packet"; content: "SID: 3038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103038; sid: 6103038; rev: 3;)
# NOTE(review): 3039, 3042, 3043, 3045, 3046, 3050 and 3052 are TCP-level events but keep the
# generic "alert syslog" header while their neighbours (3038, 3040, 3041, 3051) say "alert tcp".
# Assuming the header protocol only labels Sagan's alert output, this changes how the alert is
# reported downstream, not whether it fires; align them (and bump rev) if the SOC filters by protocol.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented Orphaned FIN packet"; content: "SID: 3039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103039; sid: 6103039; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP NULL Packet"; content: "SID: 3040 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103040; sid: 6103040; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP SYN/FIN Packet"; content: "SID: 3041 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103041; sid: 6103041; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Orphaned Fin Packet"; content: "SID: 3042 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103042; sid: 6103042; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Fragmented SYN/FIN Packet"; content: "SID: 3043 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103043; sid: 6103043; rev: 3;)
# OS-fingerprinting signatures (Queso, nmap -O): early reconnaissance, usually preceding a sweep.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Queso Sweep"; content: "SID: 3045 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103045; sid: 6103045; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NMAP OS Fingerprint"; content: "SID: 3046 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103046; sid: 6103046; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Half-open SYN Attack"; content: "SID: 3050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103050; sid: 6103050; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Connection Window Size RST DoS"; content: "SID: 3051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103051; sid: 6103051; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UPNP Service Host Sweep"; content: "SID: 3052 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103052; sid: 6103052; rev: 3;)
# --- SMTP / mail-borne signatures (Cisco SID 3100-...) ---
# Bounce and invalid-recipient events (3100-3102) are the usual trace of address harvesting and
# backscatter; they are also produced by ordinary misaddressed mail, so expect a baseline of noise.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP RCPT TO: Bounce"; content: "SID: 3100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103100; sid: 6103100; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Invalid Recipient"; content: "SID: 3101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103101; sid: 6103101; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Invalid Sender"; content: "SID: 3102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103102; sid: 6103102; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Reconnaissance"; content: "SID: 3103 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103103; sid: 6103103; rev: 3;)
# --- SMTP exploit, spam and mail-worm signatures (Cisco SID 3104-3137) ---
# Same relay pattern as the rest of the file: the Cisco sensor inspects the SMTP session, Sagan
# matches only on the signature ID it logs ("SID: NNNN ,") under program "qdee". Many of these
# (Sircam, Klez, Mimail, Mydoom, Netsky, Sober) are legacy worms; they are kept so the Cisco ID
# still maps to a named alert, but do not expect them to catch current mail-borne malware.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Archaic Sendmail Attacks"; content: "SID: 3104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103104; sid: 6103104; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Decode Alias"; content: "SID: 3105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103105; sid: 6103105; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mail Spam"; content: "SID: 3106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103106; sid: 6103106; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Majordomo Execute Attack"; content: "SID: 3107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103107; sid: 6103107; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP MIME Content Overflow"; content: "SID: 3108 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103108; sid: 6103108; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long SMTP Command"; content: "SID: 3109 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103109; sid: 6103109; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Suspicious Mail Attachment"; content: "SID: 3110 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103110; sid: 6103110; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] W32 Sircam Malicious Code"; content: "SID: 3111 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103111; sid: 6103111; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Domino Mail Loop DoS"; content: "SID: 3112 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103112; sid: 6103112; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Email Attachment with Malicious Payload"; content: "SID: 3113 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103113; sid: 6103113; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FetchMail Arbitrary Code Execution"; content: "SID: 3114 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103114; sid: 6103114; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail Data Header Overflow"; content: "SID: 3115 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103115; sid: 6103115; rev: 3;)
# 3116 / 3123: NetBus is a remote-access trojan, not an SMTP attack; Cisco groups it here by ID
# range only. A hit means C2-style traffic to a host, not a mail event -- triage accordingly.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netbus"; content: "SID: 3116 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103116; sid: 6103116; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KLEZ Worm"; content: "SID: 3117 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103117; sid: 6103117; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rwhoisd format string"; content: "SID: 3118 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103118; sid: 6103118; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WS_FTP STAT Overflow"; content: "SID: 3119 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103119; sid: 6103119; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ANTS Virus"; content: "SID: 3120 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103120; sid: 6103120; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Vintra MailServer EXPN DoS"; content: "SID: 3121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103121; sid: 6103121; rev: 3;)
# EXPN root is account enumeration; a positive reply from the MTA (not just the probe) is what matters.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP EXPN root Recon"; content: "SID: 3122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103122; sid: 6103122; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBus Pro Traffic"; content: "SID: 3123 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103123; sid: 6103123; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sendmail prescan Memory Corruption"; content: "SID: 3124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103124; sid: 6103124; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Postfix 1.1.12 envelope address DoS"; content: "SID: 3125 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103125; sid: 6103125; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Postfix bounce scan"; content: "SID: 3126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103126; sid: 6103126; rev: 3;)
# Brute-force counting is done on the Cisco sensor (one verdict event); no after:/threshold: here.
# If the SIEM also sees the MTA's own auth-failure logs, correlate on parse_src_ip rather than
# relying on this alert alone.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP AUTH Brute Force Attempt"; content: "SID: 3127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103127; sid: 6103127; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange xexch50 overflow"; content: "SID: 3128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103128; sid: 6103128; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus C Variant File Attachment"; content: "SID: 3129 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103129; sid: 6103129; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus I Variant File Attachment"; content: "SID: 3130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103130; sid: 6103130; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mimail Virus L Variant File Attachment"; content: "SID: 3131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103131; sid: 6103131; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment"; content: "SID: 3132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103132; sid: 6103132; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novarg / Mydoom Virus Mail Attachment Variant B"; content: "SID: 3133 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103133; sid: 6103133; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoomJuice Worm network probe"; content: "SID: 3134 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103134; sid: 6103134; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MyDoom Virus Activity"; content: "SID: 3135 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103135; sid: 6103135; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netsky Virus Activity"; content: "SID: 3136 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103136; sid: 6103136; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sober Virus Activity"; content: "SID: 3137 
,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103137; sid: 6103137; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bagle.C Virus Email Attachment"; content: "SID: 3138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103138; sid: 6103138; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bagle.E Virus Email Attachment"; content: "SID: 3139 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103139; sid: 6103139; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bagle Virus Activity"; content: "SID: 3140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103140; sid: 6103140; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lovgate Worm Activity"; content: "SID: 3141 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103141; sid: 6103141; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sasser Worm Activity"; content: "SID: 3142 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103142; sid: 6103142; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BERBEW Trojan Activity"; content: "SID: 3143 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103143; sid: 6103143; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Ratos Worm Activity"; content: "SID: 3144 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103144; sid: 6103144; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ZAFI Worm Activity"; content: "SID: 3145 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103145; sid: 6103145; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bropia Worm Activity"; content: "SID: 3146 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103146; sid: 6103146; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Remote Command Execution"; content: "SID: 3150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103150; sid: 6103150; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SYST Command Attempt"; content: "SID: 3151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103151; sid: 6103151; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP CWD ~root"; content: "SID: 3152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103152; sid: 6103152; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Improper Address Specified"; content: "SID: 3153 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103153; sid: 6103153; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Improper Port Specified"; content: "SID: 3154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103154; sid: 6103154; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP RETR Pipe Filename Command Execution"; content: "SID: 3155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103155; sid: 6103155; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP STOR Pipe Filename Command Execution"; content: "SID: 3156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103156; sid: 6103156; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP PASV Port Spoof"; content: "SID: 3157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103157; sid: 6103157; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC Format String"; content: "SID: 3158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103158; sid: 6103158; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP PASS Suspicious Length"; content: "SID: 3159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103159; sid: 6103159; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cesar FTP Buffer Overflow"; content: "SID: 3160 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6103160; sid: 6103160; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP realpath Buffer Overflow"; content: "SID: 3161 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103161; sid: 6103161; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] glFtpD LIST DoS"; content: "SID: 3162 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103162; sid: 6103162; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WU-FTPD Heap Corruption"; content: "SID: 3163 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103163; sid: 6103163; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Instant Server Mini Portal Directory Traversal"; content: "SID: 3164 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103164; sid: 6103164; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC"; content: "SID: 3165 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103165; sid: 6103165; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP USER Suspicious Length"; content: "SID: 3166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103166; sid: 6103166; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Format String in FTP username"; content: "SID: 3167 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103167; sid: 6103167; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC Directory Traversal"; content: "SID: 3168 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103168; sid: 6103168; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP SITE EXEC tar"; content: "SID: 3169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103169; sid: 6103169; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WS_FTP SITE CPWD Buffer Overflow"; content: "SID: 3170 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103170; sid: 6103170; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Priviledged Login"; content: "SID: 3171 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103171; sid: 6103171; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ftp Cwd Overflow"; content: "SID: 3172 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103172; sid: 6103172; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long FTP Command"; content: "SID: 3173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103173; sid: 6103173; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ProFTPD STAT DoS"; 
content: "SID: 3175 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103175; sid: 6103175; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long MDTM Command"; content: "SID: 3177 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103177; sid: 6103177; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Denial Of Service in Microsoft SMS Client"; content: "SID: 3178 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103178; sid: 6103178; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ftpdchk DOS"; content: "SID: 3179 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103179; sid: 6103179; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BakBone NetVault Remote Heap Overflow"; content: "SID: 3180 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103180; sid: 6103180; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] dSMTP Mail Server Format String Overflow"; content: "SID: 3181 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103181; sid: 6103181; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Phf Attack"; content: "SID: 3200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103200; sid: 6103200; rev: 3;) alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW .url File Requested"; content: "SID: 3202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103202; sid: 6103202; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW .lnk File Requested"; content: "SID: 3203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103203; sid: 6103203; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW .bat File Requested"; content: "SID: 3204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103204; sid: 6103204; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML File Has .url Link"; content: "SID: 3205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103205; sid: 6103205; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML File Has .lnk Link"; content: "SID: 3206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103206; sid: 6103206; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML File Has .bat Link"; content: "SID: 3207 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103207; sid: 6103207; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Campas Attack"; content: "SID: 3208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103208; sid: 
6103208; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Glimpse Server Attack"; content: "SID: 3209 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103209; sid: 6103209; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS View Source Attack"; content: "SID: 3210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103210; sid: 6103210; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Hex View Source Attack"; content: "SID: 3211 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103211; sid: 6103211; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW NPH-TEST-CGI Attack"; content: "SID: 3212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103212; sid: 6103212; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW TEST-CGI Attack"; content: "SID: 3213 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103213; sid: 6103213; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS DOT DOT VIEW Attack"; content: "SID: 3214 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103214; sid: 6103214; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS DOT DOT EXECUTE Attack"; content: "SID: 3215 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6103215; sid: 6103215; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Directory Traversal ../.."; content: "SID: 3216 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103216; sid: 6103216; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW php View File Attack"; content: "SID: 3217 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103217; sid: 6103217; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SGI Wrap Attack"; content: "SID: 3218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103218; sid: 6103218; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PHP Buffer Overflow"; content: "SID: 3219 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103219; sid: 6103219; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Long URL Attack"; content: "SID: 3220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103220; sid: 6103220; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI-Viewsource Attack"; content: "SID: 3221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103221; sid: 6103221; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PHP Log Scripts Read Attack"; content: "SID: 3222 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103222; sid: 6103222; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IRIX cgi-handler Attack"; content: "SID: 3223 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103223; sid: 6103223; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP WebGais"; content: "SID: 3224 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103224; sid: 6103224; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW websendmail File Access"; content: "SID: 3225 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103225; sid: 6103225; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Webdist Bug"; content: "SID: 3226 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103226; sid: 6103226; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Htmlscript Bug"; content: "SID: 3227 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103227; sid: 6103227; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Performer Attack"; content: "SID: 3228 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103228; sid: 6103228; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Website Win-C-Sample Buffer Overflow"; content: "SID: 
3229 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103229; sid: 6103229; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Website Uploader"; content: "SID: 3230 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103230; sid: 6103230; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Convert Attack"; content: "SID: 3231 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103231; sid: 6103231; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW finger attempt"; content: "SID: 3232 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103232; sid: 6103232; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW count-cgi Overflow"; content: "SID: 3233 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103233; sid: 6103233; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Local Trusted Resource Execution"; content: "SID: 3234 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103234; sid: 6103234; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] showHelp CHM File Execution Weakness"; content: "SID: 3235 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103235; sid: 6103235; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] IIS Path Disclosure"; content: "SID: 3236 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103236; sid: 6103236; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Hijack"; content: "SID: 3250 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103250; sid: 6103250; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP Hijack Simplex Mode"; content: "SID: 3251 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103251; sid: 6103251; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Agent ActiveX Control"; content: "SID: 3252 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103252; sid: 6103252; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Request Smuggling"; content: "SID: 3253 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103253; sid: 6103253; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XML-RPC PHP Command Execution"; content: "SID: 3254 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103254; sid: 6103254; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Apache Long HTTP Header DoS"; content: "SID: 3255 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103255; sid: 6103255; rev: 4;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS OOB Data"; content: "SID: 3300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103300; sid: 6103300; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NETBIOS Stat"; content: "SID: 3301 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103301; sid: 6103301; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBios Session Service Failed Login"; content: "SID: 3302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103302; sid: 6103302; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Login successful with Guest Privileges"; content: "SID: 3303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103303; sid: 6103303; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NULL login attempt"; content: "SID: 3304 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103304; sid: 6103304; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB 95 98 Password File Access"; content: "SID: 3305 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103305; sid: 6103305; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Registry Access Attempt"; content: "SID: 3306 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6103306; sid: 6103306; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Red Button"; content: "SID: 3307 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103307; sid: 6103307; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt"; content: "SID: 3308 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103308; sid: 6103308; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt"; content: "SID: 3309 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103309; sid: 6103309; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netbios Enum Share DoS"; content: "SID: 3310 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103310; sid: 6103310; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote SAM Service Access Attempt"; content: "SID: 3311 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103311; sid: 6103311; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB .eml email file remote access"; content: "SID: 3312 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103312; sid: 6103312; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Suspicious Password Usage"; content: "SID: 3313 
,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103313; sid: 6103313; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Locator Service Overflow"; content: "SID: 3314 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103314; sid: 6103314; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability"; content: "SID: 3315 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103315; sid: 6103315; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Project1 DOS"; content: "SID: 3316 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103316; sid: 6103316; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LSASS DCE RPC Request"; content: "SID: 3317 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103317; sid: 6103317; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DsRolerUpgradeDownlevelServer Request"; content: "SID: 3318 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103318; sid: 6103318; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCE RPC Request"; content: "SID: 3319 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103319; sid: 6103319; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt"; content: "SID: 3320 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103320; sid: 6103320; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB User Enumeration"; content: "SID: 3321 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103321; sid: 6103321; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Windows Share Enumeration"; content: "SID: 3322 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103322; sid: 6103322; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB: RFPoison Attack"; content: "SID: 3323 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103323; sid: 6103323; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NIMDA Infected File Transfer"; content: "SID: 3324 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103324; sid: 6103324; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba call_trans2open Overflow"; content: "SID: 3325 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103325; sid: 6103325; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Startup Folder Remote Access"; content: "SID: 3326 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103326; sid: 6103326; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPC DCOM Overflow"; content: "SID: 3327 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103327; sid: 6103327; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows SMB RPC NoOp Sled"; content: "SID: 3328 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103328; sid: 6103328; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPCSS Overflow"; content: "SID: 3329 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103329; sid: 6103329; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPCSS Overflow 2"; content: "SID: 3330 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103330; sid: 6103330; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP MSRPC Messenger Overflow"; content: "SID: 3331 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103331; sid: 6103331; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TCP MSRPC Messenger Overflow"; content: "SID: 3332 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103332; sid: 6103332; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB MSRPC Messenger Overflow"; content: "SID: 3333 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103333; sid: 6103333; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Workstation Service Overflow"; content: "SID: 3334 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103334; sid: 6103334; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Anig Worm File Transfer"; content: "SID: 3335 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103335; sid: 6103335; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow"; content: "SID: 3336 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103336; sid: 6103336; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows RPC Race Condition Exploitation"; content: "SID: 3337 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103337; sid: 6103337; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows LSASS RPC Overflow"; content: "SID: 3338 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103338; sid: 6103338; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows System32 Directory File Creation"; content: "SID: 3339 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103339; sid: 6103339; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-SDEE] Windows Shell External Handler"; content: "SID: 3340 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103340; sid: 6103340; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Activity"; content: "SID: 3341 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103341; sid: 6103341; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows NetDDE Overflow"; content: "SID: 3342 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103342; sid: 6103342; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Account Locked"; content: "SID: 3343 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103343; sid: 6103343; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows 2000 TCP RPC DoS"; content: "SID: 3344 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103344; sid: 6103344; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC WinNuke"; content: "SID: 3345 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103345; sid: 6103345; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows TSShutdn.exe Attempt"; content: "SID: 3346 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103346; sid: 6103346; rev: 3;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ASN.1 Library Bit String Heap Corruption"; content: "SID: 3347 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103347; sid: 6103347; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Disk Enumerations"; content: "SID: 3348 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103348; sid: 6103348; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Date And Time Enumerations"; content: "SID: 3349 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103349; sid: 6103349; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Transport Enumerations"; content: "SID: 3350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103350; sid: 6103350; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS User Session Enumerations"; content: "SID: 3351 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103351; sid: 6103351; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba Fragment Reassembly Overflow"; content: "SID: 3352 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103352; sid: 6103352; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Request Overflow"; content: "SID: 3353 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103353; sid: 6103353; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Remote Registry Request DoS"; content: "SID: 3356 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103356; sid: 6103356; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid Netbios Name"; content: "SID: 3357 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103357; sid: 6103357; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Sun Kill Telnet DoS"; content: "SID: 3400 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103400; sid: 6103400; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet-IFS Match"; content: "SID: 3401 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103401; sid: 6103401; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] BSD Telnet Daemon Buffer Overflow"; content: "SID: 3402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103402; sid: 6103402; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Excessive Environment Options"; content: "SID: 3403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103403; sid: 6103403; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SysV /bin/login Overflow"; content: 
"SID: 3404 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103404; sid: 6103404; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Avirt Gateway Proxy Buffer Overflow"; content: "SID: 3405 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103405; sid: 6103405; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris TTYPROMPT Overflow"; content: "SID: 3406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103406; sid: 6103406; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Client NEW ENVIRON Option Overflow"; content: "SID: 3407 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103407; sid: 6103407; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Client LINEMODE SLC Option Overflow"; content: "SID: 3408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103408; sid: 6103408; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Over Non-standard Ports"; content: "SID: 3409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103409; sid: 6103409; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg: "[CISCO-SDEE] Finger Bomb"; content: "SID: 3450 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103450; sid: 6103450; rev: 
3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BearShare Directory Traversal"; content: "SID: 3451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103451; sid: 6103451; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gopherd Halidate Overflow"; content: "SID: 3452 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103452; sid: 6103452; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS NetMeeting RDS DoS"; content: "SID: 3453 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103453; sid: 6103453; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Check Point Firewall Information Leak"; content: "SID: 3454 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103454; sid: 6103454; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java Web Server Cmd Exec"; content: "SID: 3455 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103455; sid: 6103455; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris in.fingerd Information Leak"; content: "SID: 3456 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103456; sid: 6103456; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger root shell"; content: "SID: 3457 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6103457; sid: 6103457; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AIM game invite overflow"; content: "SID: 3458 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103458; sid: 6103458; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ValiCert Forms.exe Overflow"; content: "SID: 3459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103459; sid: 6103459; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger probe"; content: "SID: 3461 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103461; sid: 6103461; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger Redirect"; content: "SID: 3462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103462; sid: 6103462; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger root"; content: "SID: 3463 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103463; sid: 6103463; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] File access in finger"; content: "SID: 3464 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103464; sid: 6103464; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger Activity"; content: "SID: 3465 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103465; sid: 6103465; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RAS/PPTP Malformed Control Packet DOS"; content: "SID: 3466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103466; sid: 6103466; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin -froot Attack"; content: "SID: 3500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103500; sid: 6103500; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Long TERM Variable"; content: "SID: 3501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103501; sid: 6103501; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rlogin Activity"; content: "SID: 3502 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103502; sid: 6103502; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Authenticate Buffer Overflow"; content: "SID: 3525 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103525; sid: 6103525; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Imap Login Buffer Overflow"; content: "SID: 3526 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103526; sid: 6103526; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UW imapd Overflows"; content: "SID: 3527 ,"; parse_src_ip: 
1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103527; sid: 6103527; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IPSwitch IMail DELETE Command Overflow"; content: "SID: 3528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103528; sid: 6103528; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Long EXAMINE Command"; content: "SID: 3529 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103529; sid: 6103529; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS Oversized TACACS+ Attack"; content: "SID: 3530 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103530; sid: 6103530; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Cisco IOS Telnet DoS"; content: "SID: 3531 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103531; sid: 6103531; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed BGP Open Message"; content: "SID: 3532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103532; sid: 6103532; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Misformed BGP Packet DoS"; content: "SID: 3533 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103533; sid: 6103533; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] IMAP Long AUTHENTICATE Command"; content: "SID: 3534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103534; sid: 6103534; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] MailEnable HTTP Authorization Buffer Overflow"; content: "SID: 3537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103537; sid: 6103537; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS CSAdmin Attack"; content: "SID: 3540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103540; sid: 6103540; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] POP Buffer Overflow"; content: "SID: 3550 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103550; sid: 6103550; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] POP User Root"; content: "SID: 3551 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103551; sid: 6103551; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] INN Buffer Overflow"; content: "SID: 3575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103575; sid: 6103575; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] INN Control Message Exploit"; content: "SID: 3576 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103576; sid: 6103576; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP LOGIN Command Invalid Username"; content: "SID: 3577 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103577; sid: 6103577; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Format String"; content: "SID: 3578 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103578; sid: 6103578; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] IOS Telnet Buffer Overflow"; content: "SID: 3600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103600; sid: 6103600; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Command History Exploit"; content: "SID: 3601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103601; sid: 6103601; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Cisco Identification"; content: "SID: 3602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103602; sid: 6103602; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Enable Bypass"; content: "SID: 3603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103603; sid: 6103603; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Catalyst CR DoS"; content: "SID: 3604 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103604; sid: 6103604; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH RSAREF2 Buffer Overflow"; content: "SID: 3650 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103650; sid: 6103650; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH CRC32 Overflow"; content: "SID: 3651 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103651; sid: 6103651; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH Gobbles"; content: "SID: 3652 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103652; sid: 6103652; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple Rapid SSH Connections"; content: "SID: 3653 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103653; sid: 6103653; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH Gobbles Exploit"; content: "SID: 3654 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103654; sid: 6103654; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CDE dtspcd Overflow"; content: "SID: 3700 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103700; sid: 6103700; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle 9iAS Web Cache Buffer Overflow"; content: "SID: 3701 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103701; sid: 6103701; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Default sa account access"; content: "SID: 3702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103702; sid: 6103702; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid FTP URL Buffer Overflow"; content: "SID: 3703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103703; sid: 6103703; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS FTP STAT Denial of Service"; content: "SID: 3704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103704; sid: 6103704; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tivoli Storage Manager Client Acceptor Overflow"; content: "SID: 3705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103705; sid: 6103705; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT PGP Public Key Server Overflow"; content: "SID: 3706 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103706; sid: 6103706; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Perl fingerd Command Exec"; content: "SID: 3707 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103707; sid: 6103707; rev: 3;) alert udp 
$EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] AnalogX Proxy Socks4a DNS Overflow"; content: "SID: 3708 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103708; sid: 6103708; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AnalogX Proxy Web Proxy Overflow"; content: "SID: 3709 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103709; sid: 6103709; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS Directory Traversal"; content: "SID: 3710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103710; sid: 6103710; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Informer FW1 Auth Replay DoS"; content: "SID: 3711 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103711; sid: 6103711; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle TNS 'Service_Name' Overflow"; content: "SID: 3714 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103714; sid: 6103714; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI+ JPEG Buffer Overflow"; content: "SID: 3716 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103716; sid: 6103716; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows .ANI File DoS"; content: "SID: 3718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103718; sid: 6103718; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSN Messenger PNG Overflow"; content: "SID: 3719 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103719; sid: 6103719; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL sa Account Brute Force"; content: "SID: 3720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103720; sid: 6103720; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TNS Brute Force"; content: "SID: 3721 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103721; sid: 6103721; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long pop username"; content: "SID: 3728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103728; sid: 6103728; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long pop password"; content: "SID: 3729 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103729; sid: 6103729; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo (TCP)"; content: "SID: 3730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103730; sid: 6103730; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] IMail HTTP Get Buffer Overflow"; content: "SID: 3731 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103731; sid: 6103731; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL xp_cmdshell Usage"; content: "SID: 3732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103732; sid: 6103732; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Real Server Format Overflow"; content: "SID: 3733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103733; sid: 6103733; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cfengine Overflow"; content: "SID: 3734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103734; sid: 6103734; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS Flag Insertion Overflow"; content: "SID: 3735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103735; sid: 6103735; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Subversion get-dated-rev overflow"; content: "SID: 3736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103736; sid: 6103736; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid Proxy NTLM Authenticate Overflow"; content: "SID: 3737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103737; sid: 6103737; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS 
Argumentx Vulnerability"; content: "SID: 3738 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103738; sid: 6103738; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nullsoft SHOUTcast Format String Attack"; content: "SID: 3739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103739; sid: 6103739; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMail LDAP Service Buffer Overflow"; content: "SID: 3740 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103740; sid: 6103740; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] mIRC DCC Send Buffer Overflow"; content: "SID: 3782 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103782; sid: 6103782; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow"; content: "SID: 3783 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103783; sid: 6103783; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor Discovery Service SERVICEPC Overflow"; content: "SID: 3784 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103784; sid: 6103784; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle 9i XDB FTP UNLOCK Buffer Overflow"; content: "SID: 3785 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6103785; sid: 6103785; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle 9i XDB FTP PASS Buffer Overflow"; content: "SID: 3786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103786; sid: 6103786; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IRIX Printing System Remote Command Execution"; content: "SID: 3787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103787; sid: 6103787; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris LPD Remote Command Execution"; content: "SID: 3788 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103788; sid: 6103788; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DistCC Daemon Command Execution"; content: "SID: 3789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103789; sid: 6103789; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Openview Omniback II Command Execution"; content: "SID: 3790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103790; sid: 6103790; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Solaris Printd Unlink File Deletion"; content: "SID: 3791 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103791; sid: 6103791; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Long Telnet 
Username"; content: "SID: 3792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103792; sid: 6103792; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ZENworks 6.5 Authentication Overflow"; content: "SID: 3793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103793; sid: 6103793; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle iSQL*PLus Overflow"; content: "SID: 3802 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103802; sid: 6103802; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache mod_proxy Buffer Overflow"; content: "SID: 3883 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103883; sid: 6103883; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cfengine Authentication Heap Based Buffer Overflow"; content: "SID: 3884 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103884; sid: 6103884; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BackOrifice BO2K TCP Stealth 1"; content: "SID: 3991 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6103991; sid: 6103991; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP Port Sweep"; content: "SID: 4001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104001; sid: 6104001; rev: 
3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP Host Flood"; content: "SID: 4002 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104002; sid: 6104002; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nmap UDP Port Sweep"; content: "SID: 4003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104003; sid: 6104003; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Flood Attack"; content: "SID: 4004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104004; sid: 6104004; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UDP Bomb"; content: "SID: 4050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104050; sid: 6104050; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BackOrifice-Original-UDP"; content: "SID: 4053 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104053; sid: 6104053; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIP Trace"; content: "SID: 4054 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104054; sid: 6104054; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NTPd readvar overflow"; content: "SID: 4056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104056; sid: 6104056; rev: 3;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UPnP LOCATION Overflow"; content: "SID: 4058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104058; sid: 6104058; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Orifice Ping"; content: "SID: 4060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104060; sid: 6104060; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Chargen Echo DoS"; content: "SID: 4061 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104061; sid: 6104061; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco CSS 11000 Malformed UDP DoS"; content: "SID: 4062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104062; sid: 6104062; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unreal Engine secure Overflow"; content: "SID: 4063 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104063; sid: 6104063; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed IKE Packet DoS"; content: "SID: 4067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104067; sid: 6104067; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoS NBT Stream"; content: "SID: 4068 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6104068; sid: 6104068; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tftp Passwd File"; content: "SID: 4100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104100; sid: 6104100; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TFTPD Directory Traversal"; content: "SID: 4101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104101; sid: 6104101; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ascend Denial of Service"; content: "SID: 4150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104150; sid: 6104150; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BOBAX Virus Activity"; content: "SID: 4151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104151; sid: 6104151; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic File Transfer Signatures"; content: "SID: 4322 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104322; sid: 6104322; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Cisco IOS Embedded SNMP Community Names"; content: "SID: 4500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104500; sid: 6104500; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVCO/4K Remote Username / Password Retrieve"; content: "SID: 4501 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104501; sid: 6104501; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Community Name Brute Force Attempt"; content: "SID: 4502 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104502; sid: 6104502; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Windows NT SNMP System Info Retrieve"; content: "SID: 4503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104503; sid: 6104503; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP IOS Configuration Retrieval"; content: "SID: 4504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104504; sid: 6104504; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP IOS VACM MIB Access"; content: "SID: 4505 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104505; sid: 6104505; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] D-Link Wireless SNMP Plain Text Password"; content: "SID: 4506 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104506; sid: 6104506; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Protocol Violation"; content: "SID: 4507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104507; sid: 6104507; 
rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Non SNMP Traffic"; content: "SID: 4508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104508; sid: 6104508; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] HP Openview SNMP Hidden Community Name"; content: "SID: 4509 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104509; sid: 6104509; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Solaris SNMP Hidden Community Name"; content: "SID: 4510 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104510; sid: 6104510; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Avaya SNMP Hidden Community Name"; content: "SID: 4511 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104511; sid: 6104511; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Community String Public"; content: "SID: 4512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104512; sid: 6104512; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Cisco SNMP Message Processing DoS"; content: "SID: 4513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104513; sid: 6104513; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Community String Public"; content: "SID: 4514 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104514; sid: 6104514; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP/VC Embedded Community Names"; content: "SID: 4515 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104515; sid: 6104515; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Printer Query DoS"; content: "SID: 4516 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104516; sid: 6104516; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS UDP Bomb"; content: "SID: 4600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104600; sid: 6104600; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CheckPoint Firewall RDP ByPass"; content: "SID: 4601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104601; sid: 6104601; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] Beagle (Bagle) Virus DNS Lookup"; content: "SID: 4602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104602; sid: 6104602; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Discover"; content: "SID: 4603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104603; sid: 6104603; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Request"; content: "SID: 
4604 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104604; sid: 6104604; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Offer"; content: "SID: 4605 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104605; sid: 6104605; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TFTP Long Filename Buffer Overflow"; content: "SID: 4606 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104606; sid: 6104606; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Deep Throat Response"; content: "SID: 4607 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104607; sid: 6104607; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo (UDP)"; content: "SID: 4608 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104608; sid: 6104608; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Orinoco SNMP Info Leak"; content: "SID: 4609 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104609; sid: 6104609; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerberos 4 User Recon"; content: "SID: 4610 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104610; sid: 6104610; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] D-Link 
DWL-900AP+ TFTP Config Retrieve"; content: "SID: 4611 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104611; sid: 6104611; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP Phone TFTP Config Retrieve"; content: "SID: 4612 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104612; sid: 6104612; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTP Filename Buffer Overflow"; content: "SID: 4613 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104613; sid: 6104613; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTP Overflow"; content: "SID: 4614 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104614; sid: 6104614; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] Beagle.B (Bagle.B) Virus DNS Lookup"; content: "SID: 4615 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104615; sid: 6104615; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PoPToP PPtP Short Length Overflow"; content: "SID: 4617 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104617; sid: 6104617; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid DHCP Packet"; content: "SID: 4619 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104619; sid: 
6104619; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Limited Broadcast Query"; content: "SID: 4620 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104620; sid: 6104620; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Stack Overflow"; content: "SID: 4701 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104701; sid: 6104701; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Heap Overflow"; content: "SID: 4702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104702; sid: 6104702; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Stack Overflow"; content: "SID: 4703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104703; sid: 6104703; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Heap Overflow"; content: "SID: 4704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6104704; sid: 6104704; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS newdsn attack"; content: "SID: 5034 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105034; sid: 6105034; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP cgi HylaFAX Faxsurvey"; content: "SID: 5035 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105035; sid: 6105035; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SGI MachineInfo Attack"; content: "SID: 5037 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105037; sid: 6105037; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW wwwsql file read Bug"; content: "SID: 5038 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105038; sid: 6105038; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW finger attempt"; content: "SID: 5039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105039; sid: 6105039; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW anyform attack"; content: "SID: 5041 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105041; sid: 6105041; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Webcom.se Guestbook attack"; content: "SID: 5044 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105044; sid: 6105044; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW xterm display attack"; content: "SID: 5045 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105045; sid: 6105045; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW dumpenv.pl recon"; content: "SID: 
5046 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105046; sid: 6105046; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Server Side Include POST attack"; content: "SID: 5047 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105047; sid: 6105047; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS BAT EXE attack"; content: "SID: 5048 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105048; sid: 6105048; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS showcode.asp access"; content: "SID: 5049 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105049; sid: 6105049; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS .htr Overflow Attack"; content: "SID: 5050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105050; sid: 6105050; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Double Byte Code Page"; content: "SID: 5051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105051; sid: 6105051; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage Extensions PWD Open Attempt"; content: "SID: 5052 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105052; sid: 6105052; rev: 3;) alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage _vti_bin Directory List Attempt"; content: "SID: 5053 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105053; sid: 6105053; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWWBoard Password"; content: "SID: 5054 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105054; sid: 6105054; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Basic Authentication Overflow"; content: "SID: 5055 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105055; sid: 6105055; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Cisco IOS %% DoS"; content: "SID: 5056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105056; sid: 6105056; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Sambar Samples"; content: "SID: 5057 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105057; sid: 6105057; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW info2www Attack"; content: "SID: 5058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105058; sid: 6105058; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Alibaba Attack"; content: "SID: 5059 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105059; sid: 6105059; rev: 3;)
# --- Cisco SDEE pass-through, Cisco signature IDs 5060-5210 (Sagan sid = 6100000 + Cisco SID) ---
# Every rule below keys on ONE literal: content: "SID: <n> ,". The trailing " ," is the only
# thing that stops "SID: 5060 ," from also matching a longer ID such as "SID: 50601 ,"; do not
# drop it when adding rules. The match is case-sensitive (no nocase) and program: qdee must
# equal the syslog program field exactly, so if the SDEE relay changes its message layout these
# rules go quiet rather than error - keep a sample line in a test and re-check after upgrades.
# parse_src_ip: 1 / parse_dst_ip: 2 / parse_port pull addresses and port out of the message
# text; presumably the relay lists attacker first and victim second - verify against a
# captured line, otherwise alerts are raised with src and dst swapped.
# All rules share classtype: suspicious-traffic, so a remote-command-execution signature
# (e.g. 6105116, 6105117) and a simple file-access probe carry the same priority downstream;
# override classtype or tune classification.config if severity matters for triage.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Excite AT-generate.cgi Access"; content: "SID: 5060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105060; sid: 6105060; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW catalog_type.asp Access"; content: "SID: 5061 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105061; sid: 6105061; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW classifieds.cgi Attack"; content: "SID: 5062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105062; sid: 6105062; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW imagemap.cgi Attack"; content: "SID: 5064 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105064; sid: 6105064; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IRIX infosrch.cgi Attack"; content: "SID: 5065 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105065; sid: 6105065; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW man.sh Access"; content: "SID: 5066 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105066; sid: 6105066; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW plusmail Attack"; content: "SID: 5067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105067; sid: 6105067; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW formmail.pl Access"; content: "SID: 5068 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105068; sid: 6105068; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW whois_raw.cgi Attack"; content: "SID: 5069 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105069; sid: 6105069; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW msadcs.dll Access"; content: "SID: 5070 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105070; sid: 6105070; rev: 3;)
# "msacds" below is the spelling of the upstream Cisco signature name (5071) - do not "fix" it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW msacds.dll Attack"; content: "SID: 5071 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105071; sid: 6105071; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW bizdb1-search.cgi Attack"; content: "SID: 5072 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105072; sid: 6105072; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW EZshopper loadpage.cgi Attack"; content: "SID: 5073 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105073; sid: 6105073; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW EZshopper search.cgi Attack"; content: "SID: 5074 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105074; sid: 6105074; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Virtualized UNC Bug"; content: "SID: 5075 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105075; sid: 6105075; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW webplus bug"; content: "SID: 5076 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105076; sid: 6105076; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Excite AT-admin.cgi Access"; content: "SID: 5077 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105077; sid: 6105077; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Piranha passwd attack"; content: "SID: 5078 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105078; sid: 6105078; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PCCS MySQL Admin Access"; content: "SID: 5079 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105079; sid: 6105079; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IBM WebSphere Access"; content: "SID: 5080 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105080; sid: 6105080; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW WinNT cmd.exe Access"; content: "SID: 5081 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105081; sid: 6105081; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HTML Objects Memory Corruption"; content: "SID: 5082 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105082; sid: 6105082; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Virtual Vision FTP Browser Access"; content: "SID: 5083 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105083; sid: 6105083; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Alibaba Attack 2"; content: "SID: 5084 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105084; sid: 6105084; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Source Fragment Access"; content: "SID: 5085 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105085; sid: 6105085; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW WEBactive Logfile Access"; content: "SID: 5086 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105086; sid: 6105086; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Sun Java Server Access"; content: "SID: 5087 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105087; sid: 6105087; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Akopia MiniVend Access"; content: "SID: 5088 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105088; sid: 6105088; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Big Brother Directory Access"; content: "SID: 5089 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105089; sid: 6105089; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW FrontPage htimage.exe Access"; content: "SID: 5090 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105090; sid: 6105090; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Cart32 Remote Admin Access"; content: "SID: 5091 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105091; sid: 6105091; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI-World Poll It Access"; content: "SID: 5092 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105092; sid: 6105092; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW PHP-Nuke admin.php3 Access"; content: "SID: 5093 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105093; sid: 6105093; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Script Center Account Manager Attack"; content: "SID: 5095 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105095; sid: 6105095; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Script Center Subscribe Me Attack"; content: "SID: 5096 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105096; sid: 6105096; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW FrontPage MS-DOS Device Attack"; content: "SID: 5097 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105097; sid: 6105097; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW GWScripts News Publisher Access"; content: "SID: 5099 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105099; sid: 6105099; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Center Auction Weaver File Access"; content: "SID: 5100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105100; sid: 6105100; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CGI Center Auction Weaver Attack"; content: "SID: 5101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105101; sid: 6105101; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW phpPhotoAlbum explorer.php Access"; content: "SID: 5102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105102; sid: 6105102; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SuSE Apache CGI Source Access"; content: "SID: 5103 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105103; sid: 6105103; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW YaBB File Access"; content: "SID: 5104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105104; sid: 6105104; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Ranson Johnson mailto.cgi Attack"; content: "SID: 5105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105105; sid: 6105105; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Ranson Johnson mailform.pl Access"; content: "SID: 5106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105106; sid: 6105106; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Mandrake Linux /perl Access"; content: "SID: 5107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105107; sid: 6105107; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Netegrity Site Minder Access"; content: "SID: 5108 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105108; sid: 6105108; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Sambar Beta search.dll Access"; content: "SID: 5109 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105109; sid: 6105109; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SuSE Installed Packages Access"; content: "SID: 5110 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105110; sid: 6105110; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Solaris Answerbook 2 Access"; content: "SID: 5111 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105111; sid: 6105111; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Solaris Answerbook 2 Attack"; content: "SID: 5112 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105112; sid: 6105112; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW CommuniGate Pro Access"; content: "SID: 5113 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105113; sid: 6105113; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Unicode Attack"; content: "SID: 5114 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105114; sid: 6105114; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape Enterprise Server with ?wp Tags"; content: "SID: 5115 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105115; sid: 6105115; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Endymion MailMan Remote Command Execution"; content: "SID: 5116 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105116; sid: 6105116; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpGroupWare Remote Command Exec"; content: "SID: 5117 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105117; sid: 6105117; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eWave ServletExec 3.0C File Upload"; content: "SID: 5118 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105118; sid: 6105118; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CGI Script Center News Update Admin Passwd Change"; content: "SID: 5119 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105119; sid: 6105119; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape Server Suite Buffer Overflow"; content: "SID: 5120 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105120; sid: 6105120; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet .shtml Buffer Overflow"; content: "SID: 5121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105121; sid: 6105121; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nokia IP440 Denial of Service"; content: "SID: 5122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105122; sid: 6105122; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS Internet Printing Overflow"; content: "SID: 5123 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105123; sid: 6105123; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS CGI Double Decode"; content: "SID: 5124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105124; sid: 6105124; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PerlCal Directory Traversal"; content: "SID: 5125 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105125; sid: 6105125; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW IIS .ida Indexing Service Overflow"; content: "SID: 5126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105126; sid: 6105126; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW viewsrc.cgi Directory Traversal"; content: "SID: 5127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105127; sid: 6105127; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW nph-maillist.pl Cmd Exec"; content: "SID: 5128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105128; sid: 6105128; rev: 3;)
# NOTE(review): 6105129, 6105170 and 6105188 (all rev 4) are the only rules in this set written as
# "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT" instead of "alert syslog ... any". They
# depend on $HTTP_PORT being declared in the Sagan variable config; an undeclared variable is, as
# far as I recall, a rule-load error rather than a silent miss - confirm. The rev bump suggests the
# header change was deliberate, so do not normalize them back without checking the intent.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] IOS HTTP Unauth Command Execution"; content: "SID: 5129 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105129; sid: 6105129; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bugzilla Privileged Information Disclosure"; content: "SID: 5130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105130; sid: 6105130; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] talkback.cgi Directory Traversal"; content: "SID: 5131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105131; sid: 6105131; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VirusWall catinfo Buffer Overflow"; content: "SID: 5132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105132; sid: 6105132; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net.Commerce Macro Path Disclosure"; content: "SID: 5133 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105133; sid: 6105133; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MacOS PWS DoS"; content: "SID: 5134 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105134; sid: 6105134; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Application Server Shared Library Overflow"; content: "SID: 5138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105138; sid: 6105138; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net.Commerce Macro Denial of Service"; content: "SID: 5140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105140; sid: 6105140; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NCM Content.pl SQL Query Vulnerability"; content: "SID: 5141 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105141; sid: 6105141; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCShop File Disclosure"; content: "SID: 5142 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105142; sid: 6105142; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS-DOS Device Name DoS"; content: "SID: 5146 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105146; sid: 6105146; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arcadia Internet Store Directory Traversal Attempt"; content: "SID: 5147 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105147; sid: 6105147; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Perception LiteServe Web Server CGI Source Code Disclosure"; content: "SID: 5148 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105148; sid: 6105148; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro Interscan Viruswall Configuration Modification"; content: "SID: 5149 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105149; sid: 6105149; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] InterScan VirusWall RegGo.dll Buffer Overflow"; content: "SID: 5150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105150; sid: 6105150; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebStore Admin Bypass"; content: "SID: 5151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105151; sid: 6105151; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebStore Command Exec"; content: "SID: 5152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105152; sid: 6105152; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW uDirectory Directory Traversal"; content: "SID: 5154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105154; sid: 6105154; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW SiteWare Editor Directory Traversal"; content: "SID: 5155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105155; sid: 6105155; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WWW Microsoft fp30reg.dll Overflow"; content: "SID: 5156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105156; sid: 6105156; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tarantella TTAWebTop.CGI Directory Traversal Bug"; content: "SID: 5157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105157; sid: 6105157; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet Proprietary Method Overflow"; content: "SID: 5158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105158; sid: 6105158; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpMyAdmin Cmd Exec"; content: "SID: 5159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105159; sid: 6105159; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache ? indexing file disclosure bug"; content: "SID: 5160 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105160; sid: 6105160; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SquirrelMail Command Exec"; content: "SID: 5161 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105161; sid: 6105161; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Classifieds Command Exec"; content: "SID: 5162 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105162; sid: 6105162; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mambo Site Server Administrative Password ByPass"; content: "SID: 5163 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105163; sid: 6105163; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPBB Remote SQL Query Manipulation"; content: "SID: 5164 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105164; sid: 6105164; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] php-nuke article.php sql query"; content: "SID: 5165 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105165; sid: 6105165; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] php-nuke modules.php DoS"; content: "SID: 5166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105166; sid: 6105166; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpMyAdmin Cmd Exec 2"; content: "SID: 5167 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105167; sid: 6105167; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snapstream PVS Directory Traversal Vulnerability"; content: "SID: 5168 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105168; sid: 6105168; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SnapStream PVS Plaintext Password Vulnerability"; content: "SID: 5169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105169; sid: 6105169; rev: 3;)
# See the NOTE(review) above 6105129: tcp/$HTTP_PORT header, rev 4.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Null Byte In HTTP Request"; content: "SID: 5170 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105170; sid: 6105170; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NC-Book book.cgi Cmd Exec"; content: "SID: 5171 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105171; sid: 6105171; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WinWrapper Admin Server Directory Traversal"; content: "SID: 5172 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105172; sid: 6105172; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Directory Manager Cmd Exec"; content: "SID: 5173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105173; sid: 6105173; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpmyexplorer directory traversal"; content: "SID: 5174 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105174; sid: 6105174; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hassan Shopping Cart Command Exec"; content: "SID: 5175 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105175; sid: 6105175; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange Address List Disclosure"; content: "SID: 5176 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105176; sid: 6105176; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoS Arnudp"; content: "SID: 5177 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105177; sid: 6105177; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS Index Server File/Path Recon"; content: "SID: 5178 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105178; sid: 6105178; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP-Nuke File Upload"; content: "SID: 5179 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105179; sid: 6105179; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] sgiMerchant Directory Traversal"; content: "SID: 5180 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105180; sid: 6105180; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MacOS Apache File Disclosure"; content: "SID: 5181 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105181; sid: 6105181; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebDiscount's eShop Arbitrary Command Exec"; content: "SID: 5182 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105182; sid: 6105182; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP File Inclusion Remote Exec"; content: "SID: 5183 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105183; sid: 6105183; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Authentication Module ByPass"; content: "SID: 5184 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105184; sid: 6105184; rev: 3;)
# See the NOTE(review) above 6105129: tcp/$HTTP_PORT header, rev 4.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Tunneling"; content: "SID: 5188 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105188; sid: 6105188; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Perl PerlIS.dll Buffer Overflow"; content: "SID: 5191 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105191; sid: 6105191; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Server .ht File Access"; content: "SID: 5194 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105194; sid: 6105194; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AS/400 '/' attack"; content: "SID: 5195 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105195; sid: 6105195; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Red Hat Stronghold Recon attack"; content: "SID: 5196 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105196; sid: 6105196; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Network Query Tool command Exec"; content: "SID: 5197 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105197; sid: 6105197; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] W3Mail Command Exec"; content: "SID: 5199 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105199; sid: 6105199; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Data Stream Source Disclosure"; content: "SID: 5200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105200; sid: 6105200; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP-Nuke Cross Site Scripting"; content: "SID: 5201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105201; sid: 6105201; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP-Nuke File Copy / Delete"; content: "SID: 5202 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105202; sid: 6105202; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hosting Controller File Access and Upload"; content: "SID: 5203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105203; sid: 6105203; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AspUpload Sample Scripts"; content: "SID: 5204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105204; sid: 6105204; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache php.exe File Disclosure"; content: "SID: 5205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105205; sid: 6105205; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Horde IMP Session Hijack"; content: "SID: 5206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105206; sid: 6105206; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Entrust GetAccess directory traversal"; content: "SID: 5207 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105207; sid: 6105207; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Network Tools shell metacharacters"; content: "SID: 5208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105208; sid: 6105208; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Agora.cgi Cross Site Scripting"; content: "SID: 5209 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105209; sid: 6105209; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FAQManager.cgi directory traversal"; content: "SID: 5210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105210; sid: 6105210; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] zml.cgi File Disclosure"; content: "SID: 5211 ,";
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105211; sid: 6105211; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bugzilla Admin Authorization Bypass"; content: "SID: 5212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105212; sid: 6105212; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bugzilla Command Exec"; content: "SID: 5213 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105213; sid: 6105213; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FAQManager.cgi null bytes"; content: "SID: 5214 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105214; sid: 6105214; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] lastlines.cgi cmd exec/traversal"; content: "SID: 5215 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105215; sid: 6105215; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Rocket Directory Traversal"; content: "SID: 5216 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105216; sid: 6105216; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webmin Directory Traversal"; content: "SID: 5217 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105217; sid: 6105217; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Boozt Buffer Overflow"; content: "SID: 5218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105218; sid: 6105218; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Domino database DoS"; content: "SID: 5219 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105219; sid: 6105219; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CSVForm Remote Command Exec"; content: "SID: 5220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105220; sid: 6105220; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Hosting Controller Directory Traversal"; content: "SID: 5221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105221; sid: 6105221; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DoS Beer"; content: "SID: 5222 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105222; sid: 6105222; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Pi3Web Buffer Overflow"; content: "SID: 5223 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105223; sid: 6105223; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SquirrelMail SquirrelSpell Command Exec"; content: "SID: 5224 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105224; sid: 6105224; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCP Portal Root Path Disclosure"; content: "SID: 5229 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105229; sid: 6105229; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Domino Authentication Bypass"; content: "SID: 5230 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105230; sid: 6105230; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MRTG Directory Traversal"; content: "SID: 5231 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105231; sid: 6105231; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] URL with XSS"; content: "SID: 5232 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105232; sid: 6105232; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP fileupload Buffer Overflow"; content: "SID: 5233 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105233; sid: 6105233; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] pforum sql-injection"; content: "SID: 5234 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105234; sid: 6105234; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mac OS X URI Handler Arbitrary Code Execution"; content: "SID: 5235 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105235; sid: 6105235; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xoops sql-injection"; content: "SID: 5236 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105236; sid: 6105236; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP CONNECT Tunnel"; content: "SID: 5237 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105237; sid: 6105237; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EZNET Ezboard Buffer Overflow"; content: "SID: 5238 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105238; sid: 6105238; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sambar cgitest.exe Buffer Overflow"; content: "SID: 5239 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105239; sid: 6105239; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Marcus Xenakis Shell Command Exec"; content: "SID: 5240 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105240; sid: 6105240; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Avenger System Command Exec"; content: "SID: 5241 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105241; sid: 6105241; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] CS .cgi Script Cmd Exec"; content: "SID: 5243 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105243; sid: 6105243; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PhpSmsSend Command Exec"; content: "SID: 5244 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105244; sid: 6105244; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP 1.1 Chunked Encoding Transfer"; content: "SID: 5245 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105245; sid: 6105245; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ISAPI Filter Buffer Overflow"; content: "SID: 5246 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105246; sid: 6105246; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ASP SSI Buffer Overflow"; content: "SID: 5247 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105247; sid: 6105247; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS HTR ISAPI Buffer Overflow"; content: "SID: 5248 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105248; sid: 6105248; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Allaire JRun // Directory Disclosure"; content: "SID: 5251 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105251; sid: 6105251; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Allaire JRun Session ID Recon"; content: "SID: 5252 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105252; sid: 6105252; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Axis StorPoint CD Authentication Bypass"; content: "SID: 5253 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105253; sid: 6105253; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Linux Directory traceroute / nslookup Command Exec"; content: "SID: 5255 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105255; sid: 6105255; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Dot Dot Slash in URI"; content: "SID: 5256 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105256; sid: 6105256; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPNetToolpack traceroute Command Exec"; content: "SID: 5257 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105257; sid: 6105257; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Script source disclosure with CodeBrws.asp"; content: "SID: 5258 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105258; sid: 6105258; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snitz Forums SQL injection"; 
content: "SID: 5259 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105259; sid: 6105259; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xpede sprc.asp SQL Injection"; content: "SID: 5260 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105260; sid: 6105260; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BackOffice Server Web Administration Access"; content: "SID: 5261 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105261; sid: 6105261; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large number of Slashes URL"; content: "SID: 5262 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105262; sid: 6105262; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ecware.exe Access"; content: "SID: 5263 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105263; sid: 6105263; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RedHat cachemgr.cgi Access"; content: "SID: 5265 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105265; sid: 6105265; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iCat Carbo Server File Disclosure"; content: "SID: 5266 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105266; sid: 6105266; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Catalyst Remote Command Execution"; content: "SID: 5268 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105268; sid: 6105268; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ColdFusion CFDOCS Directory Access"; content: "SID: 5269 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105269; sid: 6105269; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EZ-Mall order.log File Access"; content: "SID: 5270 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105270; sid: 6105270; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] search.cgi Directory Traversal"; content: "SID: 5271 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105271; sid: 6105271; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] count.cgi GIF File Disclosure"; content: "SID: 5272 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105272; sid: 6105272; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bannermatic Sensitive File Access"; content: "SID: 5273 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105273; sid: 6105273; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netpad.cgi Directory Traversal/Cmd Exec"; content: "SID: 5274 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105274; sid: 6105274; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Phorum Remote Cmd Exec"; content: "SID: 5275 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105275; sid: 6105275; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Dansie cart.cgi Vulnerability"; content: "SID: 5276 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105276; sid: 6105276; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] dfire.cgi Command Exec"; content: "SID: 5277 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105277; sid: 6105277; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VP-ASP shoptest.asp access"; content: "SID: 5278 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105278; sid: 6105278; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JJ Cgi Cmd Exec"; content: "SID: 5279 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105279; sid: 6105279; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS idq.dll Directory Traversal"; content: "SID: 5280 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105280; sid: 6105280; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Carello add.exe Access"; content: "SID: 5281 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105281; sid: 6105281; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ExAir advsearch.asp Access"; content: "SID: 5282 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105282; sid: 6105282; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] info2www CGI Directory Traversal"; content: "SID: 5283 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105283; sid: 6105283; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS webhits.dll Directory Traversal"; content: "SID: 5284 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105284; sid: 6105284; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPEventCalendar Cmd Exec"; content: "SID: 5285 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105285; sid: 6105285; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebScripts WebBBS Cmd Exec"; content: "SID: 5286 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105286; sid: 6105286; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SiteServer AdSamples SITE.CSC File Access"; content: "SID: 5287 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105287; sid: 6105287; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Verity search97 Directory Traversal"; content: "SID: 5288 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105288; sid: 6105288; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SQLXML ISAPI Buffer Overflow"; content: "SID: 5289 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105289; sid: 6105289; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat DefaultServlet File Disclosure"; content: "SID: 5290 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105290; sid: 6105290; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WEB-INF Dot File Disclosure"; content: "SID: 5291 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105291; sid: 6105291; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SalesCart shop.mdb File Access"; content: "SID: 5292 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105292; sid: 6105292; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] robots.txt File Access"; content: "SID: 5293 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105293; sid: 6105293; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BearShare File Disclosure"; content: "SID: 5294 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6105294; sid: 6105294; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] finger CGI Recon"; content: "SID: 5295 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105295; sid: 6105295; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape Server PageServices Directory Access"; content: "SID: 5296 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105296; sid: 6105296; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] order_log.dat File Access"; content: "SID: 5297 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105297; sid: 6105297; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] shopper.conf File Access"; content: "SID: 5298 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105298; sid: 6105298; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] quikstore.cfg File Access"; content: "SID: 5299 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105299; sid: 6105299; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] reg_echo.cgi Recon"; content: "SID: 5300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105300; sid: 6105300; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] /consolehelp/ CGI File Access"; content: "SID: 5301 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105301; sid: 6105301; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] /file/ WebLogic File Access"; content: "SID: 5302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105302; sid: 6105302; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] pfdispaly.cgi Command Execution"; content: "SID: 5303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105303; sid: 6105303; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] files.pl File Access"; content: "SID: 5304 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105304; sid: 6105304; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] .bash_history File Access"; content: "SID: 5305 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105305; sid: 6105305; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SoftCart storemgr.pw File Access"; content: "SID: 5306 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105306; sid: 6105306; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mercantec Softcart Overflow"; content: "SID: 5307 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105307; sid: 6105307; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] rpc-nlog.pl Command Execution"; content: "SID: 5308 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105308; sid: 6105308; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Handler CGI Command Execution"; content: "SID: 5309 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105309; sid: 6105309; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] INDEX / directory access"; content: "SID: 5310 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105310; sid: 6105310; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 8.3 file name access"; content: "SID: 5311 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105311; sid: 6105311; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] *.jsp/*.jhtml Java Execution"; content: "SID: 5312 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105312; sid: 6105312; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] order.log File Access"; content: "SID: 5313 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105313; sid: 6105313; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] windmail.exe Command Execution"; content: "SID: 5314 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105314; sid: 
6105314; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] changedisplay.pl WWWthreads Privilege Elevation"; content: "SID: 5315 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105315; sid: 6105315; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BadBlue Admin Command Exec"; content: "SID: 5316 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105316; sid: 6105316; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tivoli Endpoint Buffer Overflow"; content: "SID: 5317 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105317; sid: 6105317; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tivoli ManagedNode Buffer Overflow"; content: "SID: 5318 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105318; sid: 6105318; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SoftCart orders Directory Access"; content: "SID: 5319 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105319; sid: 6105319; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ColdFusion administrator Directory Access"; content: "SID: 5320 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105320; sid: 6105320; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Guest Book CGI access"; content: "SID: 5321 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105321; sid: 6105321; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Long HTTP Request"; content: "SID: 5322 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105322; sid: 6105322; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] midicart.mdb File Access"; content: "SID: 5323 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105323; sid: 6105323; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Query (?/)"; content: "SID: 5324 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105324; sid: 6105324; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Contivity cgiproc DoS"; content: "SID: 5325 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105325; sid: 6105325; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Root.exe access"; content: "SID: 5326 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105326; sid: 6105326; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tilde in URI"; content: "SID: 5327 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105327; sid: 6105327; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP phone DoS"; content: "SID: 5328 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105328; sid: 6105328; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache/mod_ssl Worm Probe"; content: "SID: 5329 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105329; sid: 6105329; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache/mod_ssl Worm Buffer Overflow"; content: "SID: 5330 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105330; sid: 6105330; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Image Javascript insertion"; content: "SID: 5331 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105331; sid: 6105331; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wordtrans-web Command Exec"; content: "SID: 5332 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105332; sid: 6105332; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FUDForum File Disclosure"; content: "SID: 5333 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105333; sid: 6105333; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DB4Web File Disclosure"; content: "SID: 5334 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105334; sid: 6105334; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
DB4WEB Proxy Scan"; content: "SID: 5335 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105335; sid: 6105335; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Abyss Web Server File Disclosure"; content: "SID: 5336 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105336; sid: 6105336; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Dot Dot Slash in HTTP Arguments"; content: "SID: 5337 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105337; sid: 6105337; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Front Page Admin password retrival"; content: "SID: 5338 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105338; sid: 6105338; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SunONE Directory Traversal"; content: "SID: 5339 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105339; sid: 6105339; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Killer Protection Credential File Access"; content: "SID: 5340 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105340; sid: 6105340; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Procurve 4000M Switch DoS"; content: "SID: 5341 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105341; sid: 6105341; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invision Board phpinfo.php Recon"; content: "SID: 5342 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105342; sid: 6105342; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Host Header Cross Site Scripting"; content: "SID: 5343 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105343; sid: 6105343; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS MDAC RDS Buffer Overflow"; content: "SID: 5344 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105344; sid: 6105344; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTPBench Information Disclosure"; content: "SID: 5345 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105345; sid: 6105345; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BadBlue Information Disclosure"; content: "SID: 5346 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105346; sid: 6105346; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xoops WebChat SQL Injection"; content: "SID: 5347 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105347; sid: 6105347; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cobalt RaQ Server overflow.cgi Cmd Exec"; content: 
"SID: 5348 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105348; sid: 6105348; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Polycom ViewStation Admin Password"; content: "SID: 5349 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105349; sid: 6105349; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHPnuke email attachment access"; content: "SID: 5350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105350; sid: 6105350; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS IE Help Overflow"; content: "SID: 5351 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105351; sid: 6105351; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] H-Sphere Webshell Buffer Overflow"; content: "SID: 5352 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105352; sid: 6105352; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] H-Sphere Webshell 'mode' URI exec"; content: "SID: 5353 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105353; sid: 6105353; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] H-Sphere Webshell 'zipfile' URI exec"; content: "SID: 5354 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105354; sid: 6105354; rev: 3;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DotBr exec.php3 exec"; content: "SID: 5355 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105355; sid: 6105355; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DotBr system.php3 exec"; content: "SID: 5356 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105356; sid: 6105356; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMP SQL Injection"; content: "SID: 5357 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105357; sid: 6105357; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Psunami.CGI Remote Command Execution"; content: "SID: 5358 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105358; sid: 6105358; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Scan CGI Scripts Access"; content: "SID: 5359 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105359; sid: 6105359; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage htimage.exe Buffer Overflow"; content: "SID: 5360 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105360; sid: 6105360; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage dvwssr.dll Buffer Overflow"; content: "SID: 5362 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6105362; sid: 6105362; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage imagemap.exe Buffer Overflow"; content: "SID: 5363 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105363; sid: 6105363; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS WebDAV Overflow"; content: "SID: 5364 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105364; sid: 6105364; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long WebDAV Request"; content: "SID: 5365 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105365; sid: 6105365; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Shell Code in HTTP URL / Args"; content: "SID: 5366 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105366; sid: 6105366; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache CR LF DoS"; content: "SID: 5367 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105367; sid: 6105367; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ACS Windows CSAdmin Overflow"; content: "SID: 5368 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105368; sid: 6105368; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Win32 Apache Batch File CmdExec"; content: "SID: 5369 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105369; sid: 6105369; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTDig File Disclosure"; content: "SID: 5370 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105370; sid: 6105370; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] bdir.htr Access"; content: "SID: 5371 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105371; sid: 6105371; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ASP %20 source disclosure"; content: "SID: 5372 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105372; sid: 6105372; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS 5 Translate: f Source Disclosure"; content: "SID: 5373 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105373; sid: 6105373; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Executable File Command Exec"; content: "SID: 5374 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105374; sid: 6105374; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache mod_dav Overflow"; content: "SID: 5375 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105375; sid: 6105375; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
iisPROTECT Admin SQL Injection"; content: "SID: 5376 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105376; sid: 6105376; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP args to xp_cmdshell in HTTP Request"; content: "SID: 5377 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105377; sid: 6105377; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Vignette TCL Injection Command Exec"; content: "SID: 5378 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105378; sid: 6105378; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Services Logging ISAPI Overflow"; content: "SID: 5379 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105379; sid: 6105379; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpBB SQL injection"; content: "SID: 5380 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105380; sid: 6105380; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VPASP SQL injection"; content: "SID: 5381 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105381; sid: 6105381; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Xpressions SQL Admin Bypass"; content: "SID: 5382 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105382; sid: 6105382; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cyberstrong eShop SQL Injection"; content: "SID: 5383 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105383; sid: 6105383; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CiscoWorks User Priviledge Modification"; content: "SID: 5385 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105385; sid: 6105385; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CiscoWorks Command Exec"; content: "SID: 5386 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105386; sid: 6105386; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerio MailServer Webmail multiple overflows"; content: "SID: 5388 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105388; sid: 6105388; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebAdmin Long User Name Logon Buffer Overflow"; content: "SID: 5389 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105389; sid: 6105389; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Swen Worm HTTP Counter Update Attempt"; content: "SID: 5390 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105390; sid: 6105390; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FrontPage Server 
Extensions Buffer Overflow"; content: "SID: 5391 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105391; sid: 6105391; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer XML Object Overflow Type 1"; content: "SID: 5392 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105392; sid: 6105392; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer XML Object Overflow Type 2"; content: "SID: 5393 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105393; sid: 6105393; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache mod_gzip Overflow"; content: "SID: 5394 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105394; sid: 6105394; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco ACNS Authentication Library Buffer Overflow"; content: "SID: 5395 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105395; sid: 6105395; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SiteInteractive Subscribe Me setup.pl Command Exec"; content: "SID: 5397 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105397; sid: 6105397; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ALT-N MDaemon form2raw.cgi Buffer Overflow"; content: "SID: 5399 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105399; sid: 6105399; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Beagle.B (Bagle.B) Web Beacon"; content: "SID: 5400 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105400; sid: 6105400; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook mailto Quote Malformed URI"; content: "SID: 5401 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105401; sid: 6105401; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer URL Spoofing"; content: "SID: 5402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105402; sid: 6105402; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL SSL OR TLS Malformed Handshake DoS"; content: "SID: 5403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105403; sid: 6105403; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Uninitialized Memory Corruption"; content: "SID: 5404 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105404; sid: 6105404; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS nsiislog.dll long argument overflow"; content: "SID: 5405 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105405; sid: 6105405; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Illegal MHTML URL"; content: "SID: 5406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105406; sid: 6105406; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS PCT Overflow"; content: "SID: 5407 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105407; sid: 6105407; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows HCP URI Parsing Script Exec"; content: "SID: 5408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105408; sid: 6105408; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft HCP Remote Code Execution"; content: "SID: 5409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105409; sid: 6105409; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] APSIS Pound Remote Format String Overflow"; content: "SID: 5410 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105410; sid: 6105410; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Linksys Http DoS"; content: "SID: 5411 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105411; sid: 6105411; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AIM Goaway Message Overflow"; content: "SID: 5412 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105412; sid: 
6105412; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WhatsUp Gold Buffer Overflow Vulnerability"; content: "SID: 5413 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105413; sid: 6105413; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft NNTP Heap Overflow Vulnerability"; content: "SID: 5414 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105414; sid: 6105414; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE object data remote execution"; content: "SID: 5416 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105416; sid: 6105416; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Object Tag Overflow"; content: "SID: 5417 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105417; sid: 6105417; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Cross Site Scripting .htw"; content: "SID: 5418 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105418; sid: 6105418; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Frontpage Path Disclosure"; content: "SID: 5419 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105419; sid: 6105419; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS TRACK Requests"; content: "SID: 5420 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: 
qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105420; sid: 6105420; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS UNC Disclosure"; content: "SID: 5421 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105421; sid: 6105421; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ISAPI Extension Enumeration"; content: "SID: 5422 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105422; sid: 6105422; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS ism.dll Access"; content: "SID: 5423 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105423; sid: 6105423; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HRAlign Buffer Overflow"; content: "SID: 5424 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105424; sid: 6105424; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer IFRAME Tag Overflow"; content: "SID: 5425 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105425; sid: 6105425; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netscape NSS SSLv2 Hello Message Overflow"; content: "SID: 5426 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105426; sid: 6105426; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Space Character 
DoS"; content: "SID: 5427 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105427; sid: 6105427; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco CNS Registrar DoS"; content: "SID: 5428 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105428; sid: 6105428; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WINS Replication Protocol Buffer Overflow"; content: "SID: 5429 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105429; sid: 6105429; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Darwin Streaming Server DoS"; content: "SID: 5430 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105430; sid: 6105430; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS W3Who Vulnerabilties"; content: "SID: 5431 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105431; sid: 6105431; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Script Embedded in HTTP Header"; content: "SID: 5432 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105432; sid: 6105432; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jabberd Username Overflow"; content: "SID: 5433 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105433; sid: 6105433; rev: 3;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Registration Request Overflow"; content: "SID: 5434 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105434; sid: 6105434; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Crystal Reports Remote Code Execution"; content: "SID: 5435 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105435; sid: 6105435; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RXBot Activity"; content: "SID: 5436 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105436; sid: 6105436; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpBB highlight parameter"; content: "SID: 5437 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105437; sid: 6105437; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS Call Processing Solutions DoS"; content: "SID: 5438 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105438; sid: 6105438; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Loadimage API Overflow"; content: "SID: 5439 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105439; sid: 6105439; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IRC Bot Activity"; content: "SID: 5440 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105440; sid: 6105440; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Help File Overflow Vulnerability"; content: "SID: 5441 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105441; sid: 6105441; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cursor/Icon File Format Buffer Overflow"; content: "SID: 5442 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105442; sid: 6105442; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft ActiveX Help Control"; content: "SID: 5443 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105443; sid: 6105443; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebAgent logon Buffer Overflow"; content: "SID: 5444 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105444; sid: 6105444; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AWStats configdir Command Exec"; content: "SID: 5445 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105445; sid: 6105445; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Install Engine Overflow"; content: "SID: 5446 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105446; sid: 6105446; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] VB.aw Trojan/Back Door"; content: "SID: 5447 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105447; sid: 6105447; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Blaster Worm"; content: "SID: 5448 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105448; sid: 6105448; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Massacre Virus Attachment"; content: "SID: 5449 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105449; sid: 6105449; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Love Letter Worm Attachment"; content: "SID: 5450 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105450; sid: 6105450; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS WebDAV DoS"; content: "SID: 5451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105451; sid: 6105451; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office XP URL Processing Buffer Overflow"; content: "SID: 5452 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105452; sid: 6105452; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AWStats Plugin Command Exec"; content: "SID: 5453 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105453; sid: 6105453; rev: 3;) 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exim SPA Authentication Buffer Overflow"; content: "SID: 5454 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105454; sid: 6105454; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arkeia Type 77 Request Buffer Overflow"; content: "SID: 5455 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105455; sid: 6105455; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer 5 ie5filex Exploit"; content: "SID: 5456 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105456; sid: 6105456; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WU-FTPD DoS"; content: "SID: 5457 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105457; sid: 6105457; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebConnect MS-DOS Device Name DoS"; content: "SID: 5458 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105458; sid: 6105458; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebConnect Directory Traversal Vulnerability"; content: "SID: 5459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105459; sid: 6105459; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpMyAdmin phpmyadmin.css.php File Disclosure"; content: "SID: 5460 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105460; sid: 6105460; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BadBlue MFCISAPICommand Buffer Overflow"; content: "SID: 5461 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105461; sid: 6105461; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] phpBB Authentication Bypass"; content: "SID: 5462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105462; sid: 6105462; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Software GETCONFIG Buffer Overflow"; content: "SID: 5463 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105463; sid: 6105463; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite Network Buffer Overflow"; content: "SID: 5464 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105464; sid: 6105464; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite Checksum Buffer Overflow"; content: "SID: 5465 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105465; sid: 6105465; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite PUTOLF Buffer Overflow"; content: "SID: 5466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105466; sid: 6105466; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite PUTOLF Directory Traversal"; content: "SID: 5467 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105467; sid: 6105467; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates License Suite Invalid Command Overflow"; content: "SID: 5468 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105468; sid: 6105468; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TrackerCam PHP Argument Overflow"; content: "SID: 5469 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105469; sid: 6105469; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SafeNet Sentinel Buffer Overflow"; content: "SID: 5471 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105471; sid: 6105471; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Sysimage Handler Local Executable Reference"; content: "SID: 5472 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105472; sid: 6105472; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Java JNLP File Command Injection"; content: "SID: 5473 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105473; sid: 6105473; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT 
(msg: "[CISCO-SDEE] SQL Query in HTTP Request"; content: "SID: 5474 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105474; sid: 6105474; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor ARCserve Backup Universal Agent Overflow"; content: "SID: 5475 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105475; sid: 6105475; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML Application Execution"; content: "SID: 5476 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105476; sid: 6105476; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Possible Heap Payload Construction"; content: "SID: 5477 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105477; sid: 6105477; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Exchange SMTP Overflow"; content: "SID: 5478 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105478; sid: 6105478; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebDAV Lock-Token Overflow"; content: "SID: 5479 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105479; sid: 6105479; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebDAV If Header Overflow"; content: "SID: 5480 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6105480; sid: 6105480; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL MaxDB WebDBM Overflow"; content: "SID: 5481 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105481; sid: 6105481; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server Login Overflow"; content: "SID: 5482 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105482; sid: 6105482; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Content Advisor Buffer Overflow"; content: "SID: 5483 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105483; sid: 6105483; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sambar Server Search Overflow"; content: "SID: 5484 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105484; sid: 6105484; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ISS PAM.dll ICQ Parser Buffer Overflow"; content: "SID: 5485 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105485; sid: 6105485; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple File Service LoginExt Overflow"; content: "SID: 5486 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105486; sid: 6105486; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IA WebMail Buffer Overflow"; 
content: "SID: 5487 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105487; sid: 6105487; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Icecast Server HTTP Header Buffer Overflow"; content: "SID: 5488 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105488; sid: 6105488; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MyTOB Virus Activity"; content: "SID: 5489 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105489; sid: 6105489; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript IFRAME Exploitation"; content: "SID: 5490 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105490; sid: 6105490; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript Install Trigger Function"; content: "SID: 5491 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105491; sid: 6105491; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wurmark Virus Activity"; content: "SID: 5492 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105492; sid: 6105492; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Llsrpc Bind"; content: "SID: 5493 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105493; sid: 6105493; rev: 3;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webview Script Injection"; content: "SID: 5494 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105494; sid: 6105494; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LDAP Active Directory Stack Overflow"; content: "SID: 5495 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105495; sid: 6105495; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] License Logging Service Overflow"; content: "SID: 5496 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105496; sid: 6105496; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMTP BDAT Vulnerability"; content: "SID: 5497 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105497; sid: 6105497; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Media Player IE Zone Bypass"; content: "SID: 5498 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105498; sid: 6105498; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML Link in Object Tag in IE"; content: "SID: 5499 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105499; sid: 6105499; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE .asp File Execution"; content: "SID: 5500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105500; sid: 6105500; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE ActiveX ADODB Stream"; content: "SID: 5501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105501; sid: 6105501; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Llssrv RPC Activity"; content: "SID: 5502 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105502; sid: 6105502; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Object Creation In IE Local Zone"; content: "SID: 5503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105503; sid: 6105503; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor Backup Discovery UDP Probe Overflow"; content: "SID: 5504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105504; sid: 6105504; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIP Trace"; content: "SID: 5505 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105505; sid: 6105505; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Orifice Ping"; content: "SID: 5506 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105506; sid: 6105506; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unreal Engine /secure/ Overflow"; content: "SID: 5507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105507; sid: 6105507; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed IKE Packet DoS"; content: "SID: 5508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105508; sid: 6105508; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tftp Passwd File"; content: "SID: 5509 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105509; sid: 6105509; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco TFTPD Directory Traversal"; content: "SID: 5510 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105510; sid: 6105510; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ascend Denial of Service"; content: "SID: 5511 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105511; sid: 6105511; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Cisco SNMP Message Processing DoS"; content: "SID: 5512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105512; sid: 6105512; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Community String Public"; content: "SID: 5513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105513; sid: 6105513; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP VC Embedded 
Community Names"; content: "SID: 5514 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105514; sid: 6105514; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE DHTML Edit Control"; content: "SID: 5515 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105515; sid: 6105515; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Wildcard DoS"; content: "SID: 5516 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105516; sid: 6105516; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AnswerBook2 Format String"; content: "SID: 5517 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105517; sid: 6105517; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quake Server Connect DoS"; content: "SID: 5518 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105518; sid: 6105518; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Popup Blocker Bypass"; content: "SID: 5519 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105519; sid: 6105519; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XEXCH50 Command Usage"; content: "SID: 5520 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105520; sid: 6105520; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Nested Array Sort Loop DoS"; content: "SID: 5521 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105521; sid: 6105521; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jet Database Engine Shell Command Injection"; content: "SID: 5523 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105523; sid: 6105523; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Font Tag Split"; content: "SID: 5524 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105524; sid: 6105524; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Express Overflow"; content: "SID: 5525 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105525; sid: 6105525; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Environment Option Information Disclosure"; content: "SID: 5526 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105526; sid: 6105526; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Index HTW Cross Site Scripting"; content: "SID: 5527 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105527; sid: 6105527; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS5 SEARCH overflow"; content: "SID: 5528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105528; sid: 6105528; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CheckPoint Firewall RDP ByPass"; content: "SID: 5529 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105529; sid: 6105529; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Discover"; content: "SID: 5530 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105530; sid: 6105530; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Status Bar Spoof"; content: "SID: 5531 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105531; sid: 6105531; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Door Deltasource"; content: "SID: 5532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105532; sid: 6105532; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Door Remote Boot Tool"; content: "SID: 5533 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105533; sid: 6105533; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KaZaA UDP Client Probe"; content: "SID: 5534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105534; sid: 6105534; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Overnet Client Scan"; content: "SID: 5535 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105535; sid: 6105535; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gnutella File Search"; content: "SID: 5536 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105536; sid: 6105536; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] ICQ Client DNS Request"; content: "SID: 5537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105537; sid: 6105537; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] AIM Client DNS request"; content: "SID: 5538 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105538; sid: 6105538; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] Yahoo Messenger Client DNS Request"; content: "SID: 5539 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105539; sid: 6105539; rev: 4;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] MSN Messenger Client DNS Request"; content: "SID: 5540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105540; sid: 6105540; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modem DoS"; content: "SID: 5541 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105541; sid: 6105541; rev: 3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PingTunnel ICMP Tunneling"; content: "SID: 5543 ,"; parse_src_ip: 
1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105543; sid: 6105543; rev: 3;)
# Each rule below keys on the Cisco IPS/SDEE signature number carried in the log text
# (content: "SID: 5544 ,"). The trailing " ," after the number keeps the match exact,
# presumably so that signature 5544 does not also fire on 55440-55449. parse_src_ip: 1
# and parse_dst_ip: 2 take the first and second address found in the message as the
# event's source and destination, and program: qdee limits every rule to events whose
# syslog program field is "qdee". A few rules use a tcp header with a port variable
# ($HTTP_PORT, $TELNET_PORT, $HTTPS_PORT) instead of "syslog ... any"; for log-derived
# events this is presumably metadata on the generated alert rather than a match
# condition — confirm against the Sagan rule-header semantics in use.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Back Door Blaaaaa"; content: "SID: 5544 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105544; sid: 6105544; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Request Smuggling Attempt"; content: "SID: 5545 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105545; sid: 6105545; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Key Exchange DoS"; content: "SID: 5546 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105546; sid: 6105546; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB File Name Overflow"; content: "SID: 5547 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105547; sid: 6105547; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Windows Remote Agent Password Overflow"; content: "SID: 5548 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105548; sid: 6105548; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Evolution Message Size Overflow"; content: "SID: 5549 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105549; sid: 6105549; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access Cross Site Scripting Vulnerability"; content: "SID: 5551 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105551; sid: 6105551; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player Skin File Code Execution Vulnerability"; content: "SID: 5552 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105552; sid: 6105552; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Finger and cFinger Double Star User List Search"; content: "SID: 5553 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105553; sid: 6105553; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Object Tag Overflow Runtime Script Exploit"; content: "SID: 5554 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105554; sid: 6105554; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Cisco ONS Telnet DOS"; content: "SID: 5555 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105555; sid: 6105555; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Javaprxy.dll Heap Overflow"; content: "SID: 5556 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105556; sid: 6105556; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ICC Color Management Module Vulnerability"; content: "SID: 5557 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105557; sid: 6105557; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Webcart Command Injection"; content: "SID: 5558 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105558; sid: 6105558; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Format String"; content: "SID: 5559 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105559; sid: 6105559; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MailEnable IMAP Overflow"; content: "SID: 5560 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105560; sid: 6105560; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows SMTP Overflow"; content: "SID: 5561 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105561; sid: 6105561; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Qpopper Overflow"; content: "SID: 5562 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105562; sid: 6105562; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ARCserve Backup MS-SQL Overflow"; content: "SID: 5564 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105564; sid: 6105564; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Print Spooler Service Overflow"; content: "SID: 5565 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105565; sid: 6105565; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Potential IE Cross Frame Scripting"; content: "SID: 5566 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105566; sid: 6105566; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Remote Registry Access"; content: "SID: 5567 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105567; sid: 6105567; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Veritas Backup Exec Agent Remote File Access"; content: "SID: 5568 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105568; sid: 6105568; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MDaemon Imap Authentication Overflow"; content: "SID: 5569 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105569; sid: 6105569; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ZOTOB Worm Activity"; content: "SID: 5570 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105570; sid: 6105570; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RBOT.CBQ Worm Activity"; content: "SID: 5571 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105571; sid: 6105571; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Design Tools Diagram Surface ActiveX Control"; content: "SID: 5572 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105572; sid: 6105572; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory Server iMonitor Buffer Overflow"; content: "SID: 5573 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105573; sid: 6105573; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenView Network Node Manager Command Injection"; content: "SID: 5574 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105574; sid: 6105574; rev: 3;)
# The per-event rule for SDEE signature 5575 (sid 6105575) is disabled; the thresholded
# rule right after it (sid 6107002) fires on the same signature once 5 events from one
# source arrive within 300 s, reports at most 3 times per source per 300 s, and carries
# an active response (fwsam: src, 1 day).
# NOTE(review): the address that fwsam blocks is whatever parse_src_ip: 1 picked out of
# the log line. If qdee events list addresses in a different order, or the "attacker" is
# a NAT gateway, proxy or scanner the site relies on, that address is cut off for a day.
# Confirm the address order in real qdee events and keep fwsam behind an allow-list of
# infrastructure addresses before relying on this rule for blocking.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBIOS Session Service Failed Login"; content: "SID: 5575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105575; sid: 6105575; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NBT NetBIOS Session Failed Login - Brute Force [5/3]"; content: "SID: 5575 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 3, seconds 300; fwsam: src, 1 day; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107002; sid: 6107002; rev: 2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Login successful with Guest Privileges"; content: "SID: 5576 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105576; sid: 6105576; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NULL login attempt"; content: "SID: 5577 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105577; sid: 6105577; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB 95 98 Password File Access"; content: "SID: 5578 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105578; sid: 6105578; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Registry Access Attempt"; content: "SID: 5579 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105579; sid: 6105579; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Lsarpc Service Access Attempt"; content: "SID: 5580 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105580; sid: 6105580; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote Srvsvc Service Access Attempt"; content: "SID: 5581 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105581; sid: 6105581; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBIOS Enum Share DoS"; content: "SID: 5582 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105582; sid: 6105582; rev: 5;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Remote SAM Service Access Attempt"; content: "SID: 5583 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105583; sid: 6105583; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB .eml email file remote access"; content: "SID: 5584 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105584; sid: 6105584; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Suspicious Password Usage"; content: "SID: 5585 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105585; sid: 6105585; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Locator Service Overflow"; content: "SID: 5586 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105586; sid: 6105586; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows 9x NetBIOS NULL Name Vulnerability"; content: "SID: 5587 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105587; sid: 6105587; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows DCOM Overflow"; content: "SID: 5588 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105588; sid: 6105588; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB ADMIN Hidden Share Access Attempt"; content: "SID: 5589 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105589; sid: 6105589; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB User Enumeration"; content: "SID: 5590 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105590; sid: 6105590; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Windows Share Enumeration"; content: "SID: 5591 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105591; sid: 6105591; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB RFPoison Attack"; content: "SID: 5592 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105592; sid: 6105592; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB NIMDA Infected File Transfer"; content: "SID: 5593 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105593; sid: 6105593; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba call_trans2open Overflow"; content: "SID: 5594 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105594; sid: 6105594; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Startup Folder Remote Access"; content: "SID: 5595 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105595; sid: 6105595; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows SMB/RPC NoOp Sled"; content: "SID: 5596 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105596; sid: 6105596; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB MSRPC Messenger Overflow"; content: "SID: 5597 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105597; sid: 6105597; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Workstation Service Overflow"; content: "SID: 5598 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105598; sid: 6105598; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Anig Worm File Transfer"; content: "SID: 5599 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105599; sid: 6105599; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ASN.1 Bit String NTLMv2 Integer Overflow"; content: "SID: 5600 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105600; sid: 6105600; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows LSASS RPC Overflow"; content: "SID: 5601 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105601; sid: 6105601; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows System32 Directory File Access"; content: "SID: 5602 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105602; sid: 6105602; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSRPC Protocol violation"; content: "SID: 5603 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105603; sid: 6105603; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Account Locked"; content: "SID: 5605 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105605; sid: 6105605; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Authorization Failure"; content: "SID: 5606 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105606; sid: 6105606; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Network Supervisor Directory Traversal Vulnerability"; content: "SID: 5608 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105608; sid: 6105608; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE COM Object Memory Corruption Vulnerability"; content: "SID: 5609 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105609; sid: 6105609; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cacti Graph_Image.PHP Remote Command Execution Vulnerability"; content: "SID: 5610 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105610; sid: 6105610; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPress Cookie cache_lastpostdate Overflow"; content: "SID: 5611 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105611; sid: 6105611; rev: 3;)
# DNP3 / Modbus (ICS) signatures. Note the Modbus TCP rules below use a "tcp ... any" header
# while the DNP3 and the two Modbus exception-code rules keep "syslog ... any"; all of them
# still match on the SDEE signature number only.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Unsolicited Response Storm"; content: "SID: 5612 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105612; sid: 6105612; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Cold Restart Request"; content: "SID: 5613 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105613; sid: 6105613; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Disable Unsolicited Responses"; content: "SID: 5614 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105614; sid: 6105614; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Read Request to a PLC"; content: "SID: 5615 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105615; sid: 6105615; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Stop Application"; content: "SID: 5616 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105616; sid: 6105616; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Warm Restart"; content: "SID: 5617 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105617; sid: 6105617; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Broadcast Request"; content: "SID: 5618 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105618; sid: 6105618; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-DNP3 Communication on a DNP3 Port"; content: "SID: 5619 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105619; sid: 6105619; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Write Request to a PLC"; content: "SID: 5620 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105620; sid: 6105620; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DNP3 - Miscellaneous Request to a PLC"; content: "SID: 5621 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105621; sid: 6105621; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Force Listen Only Mode"; content: "SID: 5622 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105622; sid: 6105622; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Restart Communications Option"; content: "SID: 5623 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105623; sid: 6105623; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Clear Counters and Diagnostic Registers"; content: "SID: 5624 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105624; sid: 6105624; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Read Device Identification"; content: "SID: 5625 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105625; sid: 6105625; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Report Server Information"; content: "SID: 5626 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105626; sid: 6105626; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Illegal Packet Size"; content: "SID: 5627 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105627; sid: 6105627; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus Slave Device Busy Exception Code Delay"; content: "SID: 5628 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105628; sid: 6105628; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus Acknowledge Exception Code Delay"; content: "SID: 5629 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105629; sid: 6105629; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Read Request to a PLC"; content: "SID: 5630 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105630; sid: 6105630; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Write Request to a PLC"; content: "SID: 5631 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105631; sid: 6105631; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Modbus TCP - Non-Modbus Communication"; content: "SID: 5632 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105632; sid: 6105632; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] .HTR Source View"; content: "SID: 5633 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105633; sid: 6105633; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Barracuda Spam Firewall Command Execution"; content: "SID: 5634 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105634; sid: 6105634; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Plug and Play Overflow"; content: "SID: 5635 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105635; sid: 6105635; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] vBulletin Template PHP Code Injection Vulnerability"; content: "SID: 5636 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105636; sid: 6105636; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer FTP Download Path Traversal"; content: "SID: 5637 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105637; sid: 6105637; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP Command Injection"; content: "SID: 5638 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105638; sid: 6105638; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Web View Script Injection Vulnerability"; content: "SID: 5639 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105639; sid: 6105639; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XML Race Condition in Internet Explorer"; content: "SID: 5640 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105640; sid: 6105640; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS DTC DoS"; content: "SID: 5641 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105641; sid: 6105641; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow Overflow"; content: "SID: 5642 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105642; sid: 6105642; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sox WAV File Overflow"; content: "SID: 5643 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105643; sid: 6105643; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Client Service for NetWare Overflow"; content: "SID: 5644 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105644; sid: 6105644; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SSH URI Handler"; content: "SID: 5645 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105645; sid: 6105645; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gatekeeper Overflow"; content: "SID: 5646 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105646; sid: 6105646; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Savant Webserver Request Overflow"; content: "SID: 5647 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105647; sid: 6105647; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tomcat Denial of Service Attack"; content: "SID: 5648 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105648; sid: 6105648; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ESignal Remote Buffer Overflow"; content: "SID: 5649 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105649; sid: 6105649; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Finjan SurfinGate FHTTP Restart Command Execution"; content: "SID: 5650 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105650; sid: 6105650; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Helix Server DoS"; content: "SID: 5651 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105651; sid: 6105651; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Directory Traversal"; content: "SID: 5652 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105652; sid: 6105652; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco WLSE/HSE Default Username"; content: "SID: 5653 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105653; sid: 6105653; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Root Drive Access Attempt"; content: "SID: 5654 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105654; sid: 6105654; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cobalt RaQ Cross Site Scripting Vulnerability"; content: "SID: 5655 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105655; sid: 6105655; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle TNS Listener DoS"; content: "SID: 5656 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105656; sid: 6105656; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AMLServer Local Path Disclosure"; content: "SID: 5657 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105657; sid: 6105657; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat JSP Engine DoS"; content: "SID: 5658 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105658; sid: 6105658; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VMWare GSX Server Authentication Server Overflow"; content: "SID: 5659 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105659; sid: 6105659; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SquirrelMail Email Header Script Injection"; content: "SID: 5660 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105660; sid: 6105660; rev: 3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Long HTTP Request"; content: "SID: 5661 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105661; sid: 6105661; rev: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP POST Content-Type Overflow"; content: "SID: 5662 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105662; sid: 6105662; rev: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CISCO-SDEE] NoOp Sled On HTTPS Port"; content: "SID: 5663 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105663; sid: 6105663; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat Null Byte File Disclosure"; content: "SID: 5664 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105664; sid: 6105664; rev: 3;)
# NOTE(review): the msg of sid 6105665 carries a trailing space inside the quotes; left
# as-is here since it is part of the emitted alert text.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ultimate PHP Board Code Execution "; content: "SID: 5665 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105665; sid: 6105665; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unix chetcpasswd.cgi File Disclosure Vulnerability"; content: "SID: 5666 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105666; sid: 6105666; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Site Searcher Arbitrary Code Execution"; content: "SID: 5667 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105667; sid: 6105667; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unauthenticated FTP Connection"; content: "SID: 5668 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105668; sid: 6105668; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arkeia Type 74 Request Overflow"; content: "SID: 5669 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105669; sid: 6105669; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Select Excessive Length"; content: "SID: 5671 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105671; sid: 6105671; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates Message Queuing Buffer Overflow"; content: "SID: 5672 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105672; sid: 6105672; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Format String"; content: "SID: 5673 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105673; sid: 6105673; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snort Back Orifice Preprocessor Overflow"; content: "SID: 5674 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105674; sid: 6105674; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP-UX LPD Command Execution"; content: "SID: 5675 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105675; sid: 6105675; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] News Manager Lite Authentication Bypass"; content: "SID: 5676 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105676; sid: 6105676; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Helix Universal Server Overflow"; content: "SID: 5677 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105677; sid: 6105677; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AWStats Plugin Log Access"; content: "SID: 5678 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105678; sid: 6105678; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle TNS Listener Denial Of Service"; content: "SID: 5679 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105679; sid: 6105679; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Line Feed DoS"; content: "SID: 5680 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105680; sid: 6105680; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ISC DHCP Daemon Buffer Overflow"; content: "SID: 5681 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105681; sid: 6105681; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Vista Feed Headlines Gadget Remote Code Execution"; content: "SID: 5683 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105683; sid: 6105683; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed SIP Packet"; content: "SID: 5684 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105684; sid: 6105684; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebBBS Command Execution Vulnerability"; content: "SID: 5685 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105685; sid: 6105685; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long POPPASSWD String Overflow"; content: "SID: 5686 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105686; sid: 6105686; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Frame Cross Zone Scripting"; content: "SID: 5687 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105687; sid: 6105687; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RSA WebAgent Redirect Overflow"; content: "SID: 5688 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105688; sid: 6105688; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSSQL Resolution Service Keep-Alive DoS"; content: "SID: 5689 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105689; sid: 6105689; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia Flash Overflow"; content: "SID: 5692 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105692; sid: 6105692; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metafile Buffer Overflow"; content: "SID: 5693 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105693; sid: 6105693; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Enhanced Metafile Buffer Overflow"; content: "SID: 5694 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105694; sid: 6105694; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Enhanced 
Metafile DoS"; content: "SID: 5695 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105695; sid: 6105695; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Midi Decoder Overflow"; content: "SID: 5696 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105696; sid: 6105696; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Script in Email Body"; content: "SID: 5697 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105697; sid: 6105697; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LanMan DoS"; content: "SID: 5698 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105698; sid: 6105698; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SalesLogix File Upload Vulnerability"; content: "SID: 5699 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105699; sid: 6105699; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP cURL Arbitrary File Access"; content: "SID: 5700 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105700; sid: 6105700; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Soap Request"; content: "SID: 5701 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105701; sid: 6105701; rev: 3;) alert tcp $EXTERNAL_NET any -> 
$HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Video Surveillance IP Gateway Encoder/Decoder Telnet Authentication Vulnerability"; content: "SID: 5703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105703; sid: 6105703; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iPlanet Web Server Remote Root Command Execution"; content: "SID: 5705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105705; sid: 6105705; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Persistent Content in a Dynamic Webpage"; content: "SID: 5706 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105706; sid: 6105706; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SWAT Pre-Authentication Buffer Overflow"; content: "SID: 5708 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105708; sid: 6105708; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Eicar Standard Anti-Virus Test File"; content: "SID: 5710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105710; sid: 6105710; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed URL"; content: "SID: 5711 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105711; sid: 6105711; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Zip File Name Overflow"; content: "SID: 5713 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105713; sid: 6105713; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GKrellM Buffer Overflow"; content: "SID: 5714 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105714; sid: 6105714; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SAP Internet Transaction Server Information Disclosure"; content: "SID: 5715 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105715; sid: 6105715; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Stack Group Bidding Protocol DoS"; content: "SID: 5716 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105716; sid: 6105716; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ipswitch SMTP Format String"; content: "SID: 5717 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105717; sid: 6105717; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VERITAS NetBackup Volume Manager Daemon Buffer Overflow"; content: "SID: 5718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105718; sid: 6105718; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lyris ListManager SQL Command Injection"; content: "SID: 5720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105720; sid: 6105720; rev: 3;) alert 
syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Appliance ProxyStyleSheet Command Execution"; content: "SID: 5722 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105722; sid: 6105722; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IIS .dll DoS"; content: "SID: 5723 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105723; sid: 6105723; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nikto Scan"; content: "SID: 5724 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105724; sid: 6105724; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell NMAP Agent Buffer Overflow"; content: "SID: 5725 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105725; sid: 6105725; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Directory Failed Login"; content: "SID: 5726 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105726; sid: 6105726; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Cisco VPN 3000 Concentrator HTTP Attack Vulnerability"; content: "SID: 5727 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105727; sid: 6105727; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows IGMP DoS"; content: "SID: 5728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105728; sid: 6105728; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player Browser Plug-in Overflow"; content: "SID: 5729 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105729; sid: 6105729; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winamp Playlist File Handling Buffer Overflow"; content: "SID: 5730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105730; sid: 6105730; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player BMP Processing Vulnerability"; content: "SID: 5731 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105731; sid: 6105731; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Web Client Remote Code Execution Vulnerability"; content: "SID: 5732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105732; sid: 6105732; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Long HTTP Header Hostname"; content: "SID: 5733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105733; sid: 6105733; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE isComponentInstalled() Overflow"; content: "SID: 5734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105734; sid: 6105734; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] Macromedia Flash Player ActionDefineFunction Code Execution"; content: "SID: 5735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105735; sid: 6105735; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WinVNC Client Buffer Overflow"; content: "SID: 5736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105736; sid: 6105736; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Action Handlers Overflow"; content: "SID: 5737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105737; sid: 6105737; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows ACS Registry Access"; content: "SID: 5738 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105738; sid: 6105738; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Active Directory Failed Login"; content: "SID: 5739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105739; sid: 6105739; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerio Personal Firewall Remote Authentication Buffer Overflow"; content: "SID: 5740 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105740; sid: 6105740; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PeerCast Buffer Overflow"; content: "SID: 5743 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105743; sid: 6105743; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Login DoS"; content: "SID: 5744 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105744; sid: 6105744; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP REST command"; content: "SID: 5745 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105745; sid: 6105745; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP ALLO command"; content: "SID: 5746 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105746; sid: 6105746; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MDAC Function Remote Code Execution"; content: "SID: 5747 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105747; sid: 6105747; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-SMTP Session Start"; content: "SID: 5748 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105748; sid: 6105748; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Double Byte Character Parsing"; content: "SID: 5749 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105749; sid: 6105749; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WLSE Cross Site Scripting"; content: 
"SID: 5750 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105750; sid: 6105750; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ultr@VNC Client Overflow"; content: "SID: 5751 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105751; sid: 6105751; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sybase EAServer Overflow"; content: "SID: 5752 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105752; sid: 6105752; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Mailto Handler Vulnerability"; content: "SID: 5753 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105753; sid: 6105753; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PAJAX Remote Code Execution Vulnerability"; content: "SID: 5754 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105754; sid: 6105754; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Embedded TCP Connection Relay"; content: "SID: 5756 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105756; sid: 6105756; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Exchange Server Cross-Site Scripting"; content: "SID: 5757 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105757; sid: 6105757; rev: 3;) 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Bomberclone Buffer Overflow"; content: "SID: 5758 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105758; sid: 6105758; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VNC Authentication Bypass"; content: "SID: 5759 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105759; sid: 6105759; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise Messenger Accept-Language Value Overflow"; content: "SID: 5760 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105760; sid: 6105760; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ultr@VNC Server Overflow"; content: "SID: 5761 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105761; sid: 6105761; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wireless Control System Cross Server Site Scripting"; content: "SID: 5763 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105763; sid: 6105763; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ShixxNOTE Font Buffer Overflow"; content: "SID: 5764 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105764; sid: 6105764; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Horde Help Viewer Remote Code Execution"; content: "SID: 5765 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105765; sid: 6105765; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Resolution Response Code Execution"; content: "SID: 5766 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105766; sid: 6105766; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FreeSSHd Key Exchange Overflow"; content: "SID: 5767 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105767; sid: 6105767; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Warez Activity"; content: "SID: 5768 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105768; sid: 6105768; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Malformed HTTP Request"; content: "SID: 5769 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105769; sid: 6105769; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS XSS"; content: "SID: 5770 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105770; sid: 6105770; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winny Activity"; content: "SID: 5771 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105771; sid: 6105771; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ASP.NET Information Disclosure 
Vulnerability"; content: "SID: 5772 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105772; sid: 6105772; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Simple PHP Blog Unauthorized File Access"; content: "SID: 5773 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105773; sid: 6105773; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Player PNG Processing Remote Code Execution"; content: "SID: 5774 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105774; sid: 6105774; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MHTML Redirection"; content: "SID: 5775 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105775; sid: 6105775; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Routing and Remote Access Service Code Execution"; content: "SID: 5776 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105776; sid: 6105776; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Favicon Code Execution"; content: "SID: 5777 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105777; sid: 6105777; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Uplddrvinfo.htm File Deletion Vulnerability"; content: "SID: 5778 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105778; sid: 6105778; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP COTP Connection Request"; content: "SID: 5779 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105779; sid: 6105779; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP COTP Connection Established"; content: "SID: 5780 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105780; sid: 6105780; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Client Association"; content: "SID: 5781 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105781; sid: 6105781; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP MMS Write Request Attempt"; content: "SID: 5782 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105782; sid: 6105782; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP MMS Write Request Succeeded"; content: "SID: 5783 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105783; sid: 6105783; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP COTP Address Unknown Disconnect"; content: "SID: 5784 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105784; sid: 6105784; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP COTP Protocol Error Disconnect"; content: "SID: 5785 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105785; sid: 6105785; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Invalid OSI SSEL"; content: "SID: 5786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105786; sid: 6105786; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Invalid OSI PSEL"; content: "SID: 5787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105787; sid: 6105787; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ICCP Invalid TPKT Protocol"; content: "SID: 5788 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105788; sid: 6105788; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Tunnel Client Activity"; content: "SID: 5789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105789; sid: 6105789; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CS-MARS JBoss Vulnerability"; content: "SID: 5790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105790; sid: 6105790; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Hyperlink Object Library Buffer Overflow"; content: "SID: 5792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105792; sid: 6105792; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] SMB Server Driver Remote Execution"; content: "SID: 5793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105793; sid: 6105793; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Routing and Remote Access Service RASMAN Registry Stack Overflow"; content: "SID: 5794 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105794; sid: 6105794; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Option Overflow Code Execution"; content: "SID: 5795 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105795; sid: 6105795; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Cisco IOS HTTP Unauthorized Command Execution"; content: "SID: 5796 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105796; sid: 6105796; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange Calendar DoS"; content: "SID: 5797 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105797; sid: 6105797; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mambo PHP sbp File Inclusion Vulnerability"; content: "SID: 5798 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105798; sid: 6105798; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Server Service Code Execution"; content: "SID: 5799 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105799; sid: 6105799; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Large Content-Type"; content: "SID: 5800 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105800; sid: 6105800; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime JPEG Code Execution Overflow"; content: "SID: 5801 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105801; sid: 6105801; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MHTML URI Buffer Overflow"; content: "SID: 5802 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105802; sid: 6105802; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sygate Login Servlet SQL Injection"; content: "SID: 5803 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105803; sid: 6105803; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VPN3000 Concentrator Unauthenticated FTP Access"; content: "SID: 5804 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105804; sid: 6105804; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VPN3000 Concentrator FTP RMD Execution"; content: "SID: 5805 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105805; sid: 6105805; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-SDEE] Winny P2P Connection Activity"; content: "SID: 5806 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105806; sid: 6105806; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Indexing Service Cross Site Scripting Vulnerability"; content: "SID: 5807 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105807; sid: 6105807; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DCERPC Authentication DoS"; content: "SID: 5809 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105809; sid: 6105809; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SecureCRT SSH1 Buffer Overflow"; content: "SID: 5810 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105810; sid: 6105810; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IPS SSL DOS Vulnerability"; content: "SID: 5812 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105812; sid: 6105812; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Vector Markup Language Vulnerability"; content: "SID: 5813 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105813; sid: 6105813; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Step-by-Step Interactive Training Remote Code Execution"; content: "SID: 5814 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105814; sid: 6105814; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebViewFolderIcon setSlice() Overflow"; content: "SID: 5815 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105815; sid: 6105815; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TOR Client Activity"; content: "SID: 5816 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105816; sid: 6105816; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ASP .NET Cross Site Scripting"; content: "SID: 5817 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105817; sid: 6105817; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Metasploit Shellcode Encoder"; content: "SID: 5818 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105818; sid: 6105818; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long FTP XCRC XSHA1 XMD5 Command"; content: "SID: 5819 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105819; sid: 6105819; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec AntiVirus and Client Security Buffer Overflow"; content: "SID: 5820 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105820; sid: 6105820; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] DirectAnimation ActiveX Memory Corruption"; content: "SID: 5821 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105821; sid: 6105821; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Workstation Service Memory Corruption Vulnerability"; content: "SID: 5822 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105822; sid: 6105822; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee Epolicy Overflow"; content: "SID: 5823 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105823; sid: 6105823; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Header DoS"; content: "SID: 5824 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105824; sid: 6105824; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Malformed Invite Packet"; content: "SID: 5825 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105825; sid: 6105825; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EIQ ESA Topology Delete Device Overflow"; content: "SID: 5826 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105826; sid: 6105826; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer ActiveX Control Arbitrary Code Execution"; content: "SID: 5827 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105827; sid: 6105827; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Server Side Cross Site Scripting"; content: "SID: 5828 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105828; sid: 6105828; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid SSL Packet"; content: "SID: 5829 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105829; sid: 6105829; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Cisco Secure Access Control Server HTTP Request Overflow"; content: "SID: 5830 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105830; sid: 6105830; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure Access Control Server RADIUS Accounting Request Vulnerability"; content: "SID: 5831 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105831; sid: 6105831; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS Crafted IP Option Vulnerability"; content: "SID: 5832 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105832; sid: 6105832; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime RTSP URL Vulnerability"; content: "SID: 5833 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105833; sid: 6105833; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS SIP DoS Vulnerability"; content: "SID: 5835 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105835; sid: 6105835; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed TCP packet"; content: "SID: 5837 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105837; sid: 6105837; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] IOS NAM SNMP Traffic"; content: "SID: 5838 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105838; sid: 6105838; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer FTP Server Response Code Execution"; content: "SID: 5839 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105839; sid: 6105839; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer CLSID Code Execution"; content: "SID: 5840 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105840; sid: 6105840; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] CatOS NAM SNMP Traffic"; content: "SID: 5841 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105841; sid: 6105841; rev: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Solaris Telnet Authentication Bypass"; content: "SID: 5842 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105842; sid: 6105842; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor Tape Engine Overflow"; content: "SID: 5843 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105843; sid: 6105843; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Memory Corruption Exploit"; content: "SID: 5845 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105845; sid: 6105845; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP 230 Reply Code"; content: "SID: 5846 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105846; sid: 6105846; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Successful Privileged Login"; content: "SID: 5847 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105847; sid: 6105847; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Content Management Service Cross-site Scripting"; content: "SID: 5848 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105848; sid: 6105848; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Content Management Server Vulnerability"; content: "SID: 5849 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105849; sid: 6105849; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snort 
DCE/RPC Preprocessor Vulnerability"; content: "SID: 5850 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105850; sid: 6105850; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WCS Administrative Directory Access"; content: "SID: 5851 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105851; sid: 6105851; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Malformed String Vulnerability"; content: "SID: 5852 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105852; sid: 6105852; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Invite DoS"; content: "SID: 5853 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105853; sid: 6105853; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco CUCM/CUPS Denial of Service Vulnerability"; content: "SID: 5854 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105854; sid: 6105854; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Helix Remote Code Execution"; content: "SID: 5855 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105855; sid: 6105855; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Agent URL Parsing Remote Code Execution"; content: "SID: 5856 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105856; sid: 6105856; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UPnP Memory Corruption Vulnerability"; content: "SID: 5857 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105857; sid: 6105857; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Server RPC Interface Buffer Overflow"; content: "SID: 5858 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105858; sid: 6105858; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] uTorrent File Handling Buffer Overflow"; content: "SID: 5859 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105859; sid: 6105859; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS FTPd Successful Login"; content: "SID: 5860 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105860; sid: 6105860; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco CNS Netflow Collection Engine Default Password"; content: "SID: 5861 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105861; sid: 6105861; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access UTF Character Script Execution"; content: "SID: 5862 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105862; sid: 6105862; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Internet Explorer CAPICOM.Certificates Remote Code Execution"; content: "SID: 5863 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105863; sid: 6105863; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Exchange Server IMAP Literal Processing Vulnerability"; content: "SID: 5864 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105864; sid: 6105864; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft WMS Arbitrary File Rewrite Vulnerability"; content: "SID: 5865 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105865; sid: 6105865; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Domino IMAP CRAM-MD5 Overflow"; content: "SID: 5866 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105866; sid: 6105866; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Navigation Cancel Page Spoofing Vulnerability"; content: "SID: 5868 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105868; sid: 6105868; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer CSS Tag Memory Corruption"; content: "SID: 5869 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105869; sid: 6105869; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Win32 API Vulnerability"; content: "SID: 5870 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105870; sid: 6105870; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Urlmon.dll COM Object Instantiation"; content: "SID: 5871 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105871; sid: 6105871; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow"; content: "SID: 5873 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105873; sid: 6105873; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Speech API 4 ActiveX Overflow"; content: "SID: 5874 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105874; sid: 6105874; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WinZip ActiveX Control Instantiation"; content: "SID: 5876 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105876; sid: 6105876; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Protocol Handler Command Execution"; content: "SID: 5877 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105877; sid: 6105877; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VBE Object ID Buffer Overflow"; content: "SID: 5878 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105878; sid: 6105878; rev: 3;) alert syslog $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-SDEE] Apple QuickTime Java QTPointer Vulnerability"; content: "SID: 5879 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105879; sid: 6105879; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Java Web Start JNLP File Stack Overflow"; content: "SID: 5880 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105880; sid: 6105880; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS NHRP Buffer Overflow"; content: "SID: 5884 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105884; sid: 6105884; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EnjoySAP kweditcontrol.kwedit Stack Overflow"; content: "SID: 5885 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105885; sid: 6105885; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Java Socks Proxy Overflow"; content: "SID: 5886 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105886; sid: 6105886; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PDWizard ActiveX Overflow"; content: "SID: 5887 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105887; sid: 6105887; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TLBINF32.DLL COM Object Instantiation"; content: "SID: 5888 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105888; sid: 6105888; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NeoTrace ActiveX Buffer Overflow"; content: "SID: 5889 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105889; sid: 6105889; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long IMAP SUBSCRIBE Command"; content: "SID: 5890 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105890; sid: 6105890; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Motive Communications ActiveUtils Buffer Overflow"; content: "SID: 5892 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105892; sid: 6105892; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IP Phone Remote Denial of Service"; content: "SID: 5893 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105893; sid: 6105893; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Storm Worm"; content: "SID: 5894 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105894; sid: 6105894; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Microsoft Agent HTTP Code Execution"; content: "SID: 5898 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105898; sid: 6105898; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MSN 
Messenger Webcam Buffer Overflow"; content: "SID: 5899 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105899; sid: 6105899; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AIM Message HTML Injection"; content: "SID: 5902 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105902; sid: 6105902; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS SharePoint XSS"; content: "SID: 5903 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105903; sid: 6105903; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoof"; content: "SID: 5905 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105905; sid: 6105905; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Malformed Word Document Code Execution"; content: "SID: 5906 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105906; sid: 6105906; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NNTP Overflow"; content: "SID: 5908 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105908; sid: 6105908; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Browser Address Bar Spoofing Attack"; content: "SID: 5909 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6105909; sid: 6105909; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM Centralized TFTP File Locator Service Buffer Overflow"; content: "SID: 5910 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105910; sid: 6105910; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM SIP INVITE UDP Denial of Service"; content: "SID: 5912 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105912; sid: 6105912; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PIX/ASA/FWSM MGCP DoS"; content: "SID: 5913 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105913; sid: 6105913; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft FoxPro ActiveX Vulnerability"; content: "SID: 5915 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105915; sid: 6105915; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] URL Handler Vulnerability"; content: "SID: 5916 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105916; sid: 6105916; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AskJeeves Toolbar ActiveX Buffer Overflow"; content: "SID: 5918 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105918; sid: 6105918; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Kodak Image Viewer 
Overflow"; content: "SID: 5919 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105919; sid: 6105919; rev: 3;)
#
# --- [CISCO-SDEE] signature set, upstream Cisco SDEE SIDs 5920-6091 in this stretch ---
# Every rule below follows a single template; the per-rule parts are the msg text and the SID number.
#   content: "SID: NNNN ,"   -- literal substring match on the SDEE signature id as it appears in the
#                              log text. The trailing " ," is what keeps "SID: 5919 ," from also
#                              matching "SID: 59190 ," (content is a substring test, not a field match).
#   program: qdee           -- restricts the match to events whose syslog program is "qdee". This is
#                              the only guard against an unrelated log that merely quotes "SID: NNNN ,"
#                              raising the alert, so do not loosen it.
#   parse_src_ip: 1 / parse_dst_ip: 2 -- source = first IP found in the message, destination = second.
#                              NOTE(review): this presumes the SDEE event text lists attacker before
#                              victim; confirm against a real "qdee" sample. If the order is reversed,
#                              direction is inverted and the $EXTERNAL_NET -> $HOME_NET header drops it.
#   sid: 610NNNN            -- Sagan sid is the SDEE SID prefixed with 610 (5920 -> 6105920); the
#                              reference URL is built from that same number.
#   classtype: suspicious-traffic -- uniform across the whole set; the upstream severity is not carried
#                              over, so tune priority and thresholds per sid rather than per classtype.
# Direction: with $EXTERNAL_NET -> $HOME_NET these rules only fire when the parsed source is external.
# If $EXTERNAL_NET is defined as !$HOME_NET in the Sagan config, SDEE events between two internal hosts
# are silently ignored -- decide whether that is intended for this sensor.
# Rules whose header is "udp ... $DNS_PORT", "udp ... $SNMP_PORT" or "tcp ... $HTTP_PORT" are rev 4; the
# plain "syslog ... any" rules are rev 3. Those port variables must be defined in the Sagan config.
# NOTE(review): the rules carry parse_port but no parse_proto/normalize, so verify on a sample that the
# udp/tcp header actually constrains matching rather than never matching.
# Not every upstream SID has a rule here (e.g. 5932, 5946, 5947, 5958 are absent) -- presumably deliberate.
#
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime VRPanoSampleAtom Heap Overflow"; content: "SID: 5920 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105920; sid: 6105920; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime Color Table Overflow"; content: "SID: 5921 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105921; sid: 6105921; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BEA WebLogic Admin Console Cross Site Scripting"; content: "SID: 5922 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105922; sid: 6105922; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer FTP Client Directory Traversal issue"; content: "SID: 5923 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105923; sid: 6105923; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Browsers JavaScript Argument Passing Code Execution Vulnerability"; content: "SID: 5924 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105924; sid: 6105924; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer HTML Object Memory Corruption"; content: "SID: 5925 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105925; sid: 6105925; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle ctxsys.driload Access Violation Vulnerability"; content: "SID: 5926 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105926; sid: 6105926; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell GroupWise WebAccess Overflow"; content: "SID: 5927 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105927; sid: 6105927; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CSA for Windows System Driver Remote Buffer Overflow Vulnerability"; content: "SID: 5928 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105928; sid: 6105928; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee VirusScan File Name Overflow"; content: "SID: 5929 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105929; sid: 6105929; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Generic SQL Injection"; content: "SID: 5930 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105930; sid: 6105930; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Google Ratproxy"; content: "SID: 5931 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105931; sid: 6105931; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database DBMS_Scheduler Privilege Escalation"; content: "SID: 5933 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105933; sid: 6105933; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winamp MP4 Memory Corruption"; content: "SID: 5934 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105934; sid: 6105934; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime FlipFileTypeAtom_BtoN Underflow"; content: "SID: 5935 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105935; sid: 6105935; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime MOV Heap Overflow"; content: "SID: 5936 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105936; sid: 6105936; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database SUBSCRIPTION_NAME Parameter SQL Injection"; content: "SID: 5937 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105937; sid: 6105937; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database sys.pbsde.init Procedure Buffer Overflow"; content: "SID: 5938 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105938; sid: 6105938; rev: 3;)
# NOTE(review): msg typo "Curruption" (same typo in sid 6105971); left as-is because editing msg would warrant a rev bump.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Text Box Memory Curruption"; content: "SID: 5939 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105939; sid: 6105939; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HTML Objects Memory Corruption Vulnerability"; content: "SID: 5940 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105940; sid: 6105940; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows CSRSS Message Box Memory Corruption"; content: "SID: 5941 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105941; sid: 6105941; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Yahoo Messenger AudioConf ActiveX Overflow"; content: "SID: 5942 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105942; sid: 6105942; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server SQL Query Directory Traversal"; content: "SID: 5943 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105943; sid: 6105943; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eTrust IDS Encryption Key DoS"; content: "SID: 5944 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105944; sid: 6105944; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS IE Cross Frame Scripting Restriction Bypass"; content: "SID: 5945 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105945; sid: 6105945; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ingres Database uuid_from_char() Stack Overflow"; content: "SID: 5948 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105948; sid: 6105948; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple HP Web Jetadmin Vulnerabilities"; content: "SID: 5949 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105949; sid: 6105949; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Malformed String Code Execution"; content: "SID: 5950 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105950; sid: 6105950; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] BrightStor ARCserve Backup MSRPC Memory Corruption"; content: "SID: 5951 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105951; sid: 6105951; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPerfect Importer/Exporter Heap Overflow"; content: "SID: 5952 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105952; sid: 6105952; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat Directory Traversal"; content: "SID: 5953 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105953; sid: 6105953; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ePolicy Orchestrator SiteManager ActiveX Buffer Overflow"; content: "SID: 5954 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105954; sid: 6105954; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime udta Buffer Overflow"; content: "SID: 5955 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105955; sid: 6105955; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple Vendor SOAP DoS"; content: "SID: 5956 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105956; sid: 6105956; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime Heap Corruption"; content: "SID: 5957 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105957; sid: 6105957; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix ICA Client ActiveX Control Buffer Overflow Vulnerability"; content: "SID: 5959 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105959; sid: 6105959; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Regular Expressions Heap Corruption"; content: "SID: 5960 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105960; sid: 6105960; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server MD2 package SDO_CODE_SIZE procedure Buffer Overflow"; content: "SID: 5961 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105961; sid: 6105961; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kerberos V5 Principal Name Buffer Overflow"; content: "SID: 5963 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105963; sid: 6105963; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup Server bpcd Long Request Buffer Overflow"; content: "SID: 5966 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105966; sid: 6105966; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Request Buffer Overflow"; content: "SID: 5967 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105967; sid: 6105967; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE daxctle.ocx KeyFrame Memory Curruption"; content: "SID: 5971 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105971; sid: 6105971; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime Movie Buffer Overflow"; content: "SID: 5972 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105972; sid: 6105972; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Publisher Font Overflow"; content: "SID: 5973 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105973; sid: 6105973; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server SDO_CS.TRANSFORM_LAYER Buffer Overflow"; content: "SID: 5974 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105974; sid: 6105974; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Media Player ASX Playlist Parsing Buffer Overflow"; content: "SID: 5975 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105975; sid: 6105975; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Avast! Remote LHA Buffer Overflow"; content: "SID: 5976 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105976; sid: 6105976; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DB2 Handshake DoS"; content: "SID: 5977 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105977; sid: 6105977; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MailEnable SMTP Service SPF Lookup Buffer Overflow"; content: "SID: 5978 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105978; sid: 6105978; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer COM Object Instantiation Memory Corruption"; content: "SID: 5979 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105979; sid: 6105979; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Speech API Buffer Overflow"; content: "SID: 5980 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105980; sid: 6105980; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Basic for Applications SDK Overflow"; content: "SID: 5982 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105982; sid: 6105982; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer VML Buffer Overrun"; content: "SID: 5983 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105983; sid: 6105983; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE COM Object Code Execution"; content: "SID: 5984 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105984; sid: 6105984; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Quicktime RTSP Content-Type Excessive Length"; content: "SID: 5985 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105985; sid: 6105985; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI GIF Parsing Vulnerability"; content: "SID: 5986 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105986; sid: 6105986; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Products SVG layout vulnerability"; content: "SID: 5987 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105987; sid: 6105987; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MaxDB WebDBM Buffer Overflow"; content: "SID: 5991 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105991; sid: 6105991; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE COM Object Instantiation Memory Corruption"; content: "SID: 5993 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105993; sid: 6105993; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ImageMagick SGI Buffer Overflow"; content: "SID: 5994 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105994; sid: 6105994; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eGatherer RunEgatherer Buffer Overflow"; content: "SID: 5997 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105997; sid: 6105997; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SYS.KUPW-WORKER Package MAIN Procedure SQL Injection Attempt"; content: "SID: 5998 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6105998; sid: 6105998; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Server Reports Command Execution"; content: "SID: 6000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106000; sid: 6106000; rev: 3;)
# rev 4 variants begin here: header is protocol- and port-constrained ($SNMP_PORT / $HTTP_PORT / $DNS_PORT) instead of "syslog ... any".
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMP Community String Private"; content: "SID: 6003 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106003; sid: 6106003; rev: 4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] IOS HTTP Server Iframe Command Injection"; content: "SID: 6004 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106004; sid: 6106004; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Unencrypted SSL Traffic"; content: "SID: 6005 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106005; sid: 6106005; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Management Console Cross-Site Scripting"; content: "SID: 6007 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106007; sid: 6106007; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] First 4 Internet XCP Uninstallation ActiveX Control"; content: "SID: 6008 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106008; sid: 6106008; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SYN Flood DOS"; content: "SID: 6009 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106009; sid: 6106009; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer FTP Command Injection"; content: "SID: 6011 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106011; sid: 6106011; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EIQ License Buffer Overflow"; content: "SID: 6012 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106012; sid: 6106012; rev: 3;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] IRCBOT_JK DNS Lookup"; content: "SID: 6013 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106013; sid: 6106013; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash Player Improper Memory Access"; content: "SID: 6014 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106014; sid: 6106014; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash ActionDefineFunction Improper Memory Access"; content: "SID: 6015 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106015; sid: 6106015; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIM BlackBerry Enterprise Router DoS"; content: "SID: 6016 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106016; sid: 6106016; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution"; content: "SID: 6017 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106017; sid: 6106017; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] QuickTime PictureViewer Buffer Overflow"; content: "SID: 6020 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106020; sid: 6106020; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebSphere J_Username Buffer Overflow"; content: "SID: 6022 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106022; sid: 6106022; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE JavaScript window() DoS"; content: "SID: 6023 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106023; sid: 6106023; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript Information Disclosure"; content: "SID: 6024 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106024; sid: 6106024; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Jet DB Engine Buffer Overflow"; content: "SID: 6025 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106025; sid: 6106025; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid Gopher Protocol Handling Buffer Overflow"; content: "SID: 6026 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106026; sid: 6106026; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Word Malformed Object Tag"; content: "SID: 6027 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106027; sid: 6106027; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Message Queuing Service Code Execution"; content: "SID: 6030 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106030; sid: 6106030; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mcafee FreeScan Information Disclosure"; content: "SID: 6031 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106031; sid: 6106031; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DOMNodeRemoved Mutation Memory Corruption"; content: "SID: 6039 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106039; sid: 6106039; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Scan Engine Authentication Bypass"; content: "SID: 6040 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106040; sid: 6106040; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox CSS Letter-Spacing Heap Overflow"; content: "SID: 6041 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106041; sid: 6106041; rev: 3;)
# NOTE(review): "MHTTP" in the msg may be a typo for "HTTP"; not verified against the upstream signature name, left as-is.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] MHTTP Response Splitting"; content: "SID: 6045 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106045; sid: 6106045; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] InterNetNews NULL Path Denial of Service"; content: "SID: 6046 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106046; sid: 6106046; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TrendMicro InterScan Viruswall Directory Traversal"; content: "SID: 6047 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106047; sid: 6106047; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server SQL SYS.KUPV Injection"; content: "SID: 6048 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106048; sid: 6106048; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server Login Access Control Bypass Exploit"; content: "SID: 6049 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106049; sid: 6106049; rev: 3;)
# DNS block (SDEE 6050-6067, all udp/$DNS_PORT, rev 4): a mix of reconnaissance queries (zone transfer, version,
# HINFO, authors, all-records) and DNS-server overflow/DoS signatures. The query-type rules fire often on
# legitimate tooling and share the generic classtype, so threshold them per source rather than treating each hit as an incident.
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS HINFO Request"; content: "SID: 6050 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106050; sid: 6106050; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Zone Transfer"; content: "SID: 6051 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106051; sid: 6106051; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Zone Transfer from High Port"; content: "SID: 6052 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106052; sid: 6106052; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Request for All Records"; content: "SID: 6053 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106053; sid: 6106053; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Version Request"; content: "SID: 6054 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106054; sid: 6106054; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Inverse Query Buffer Overflow"; content: "SID: 6055 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106055; sid: 6106055; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS NXT Buffer Overflow"; content: "SID: 6056 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106056; sid: 6106056; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS SIG Buffer Overflow"; content: "SID: 6057 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106057; sid: 6106057; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS SRV DoS"; content: "SID: 6058 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106058; sid: 6106058; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS TSIG Overflow"; content: "SID: 6059 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106059; sid: 6106059; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Complain Overflow"; content: "SID: 6060 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106060; sid: 6106060; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Infoleak"; content: "SID: 6061 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106061; sid: 6106061; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Authors Request"; content: "SID: 6062 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106062; sid: 6106062; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Incremental Zone Transfer"; content: "SID: 6063 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106063; sid: 6106063; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] BIND Large OPT Record DoS"; content: "SID: 6064 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106064; sid: 6106064; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Query Name Loop DoS"; content: "SID: 6065 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106065; sid: 6106065; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS Tunneling"; content: "SID: 6066 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106066; sid: 6106066; rev: 4;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] DNS TSIG Bugtraq Overflow"; content: "SID: 6067 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106067; sid: 6106067; rev: 4;)
# Default-credential use against a management system; the generic classtype understates this -- consider a higher priority for this sid.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Wireless Control System Administrative Default Password"; content: "SID: 6068 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106068; sid: 6106068; rev: 3;)
# 6069 and 6070 share one msg text but are distinct upstream SIDs; both are needed, and only the sid tells them apart in output.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Format Remote Code Execution"; content: "SID: 6069 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106069; sid: 6106069; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Media Format Remote Code Execution"; content: "SID: 6070 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106070; sid: 6106070; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database Server XDB.DBMS_XMLSCHEMA Buffer Overflow"; content: "SID: 6071 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106071; sid: 6106071; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Basic VBP Buffer Overflow"; content: "SID: 6072 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106072; sid: 6106072; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Studio Crystal Reports RPT File Code Execution"; content: "SID: 6073 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106073; sid: 6106073; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectX RLE Compressed TGA Overflow"; content: "SID: 6074 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106074; sid: 6106074; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla SOAPParameter Integer Overflow"; content: "SID: 6075 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106075; sid: 6106075; rev: 3;)
alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] ISC BIND DNS resolver buffer overflow"; content: "SID: 6076 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106076; sid: 6106076; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Malformed GIF File"; content: "SID: 6077 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106077; sid: 6106077; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access XSS"; content: "SID: 6078 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106078; sid: 6106078; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ACDSee Products XPM Vulnerability"; content: "SID: 6079 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106079; sid: 6106079; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Products PNG Parsing"; content: "SID: 6080 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106080; sid: 6106080; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel BIFF Parsing"; content: "SID: 6081 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106081; sid: 6106081; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Column Record Handling"; content: "SID: 6082 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106082; sid: 6106082; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel SetFont"; content: "SID: 6083 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106083; sid: 6106083; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE 7 HTML Object Memory Corruption"; content: "SID: 6084 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106084; sid: 6106084; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Table Column Record Handling"; content: "SID: 6085 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106085; sid: 6106085; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Graphics Rendering Engine Buffer Overflow"; content: "SID: 6086 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106086; sid: 6106086; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec ISAKMP DoS"; content: "SID: 6087 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106087; sid: 6106087; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Compressed Folders Buffer Overflow"; content: "SID: 6088 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106088; sid: 6106088; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PHP memory_limit Vulnerability"; content: "SID: 6089 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106089; sid: 6106089; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Libpng Chunk Length Buffer Overflow"; content: "SID: 6090 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106090; sid: 6106090; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Acrobat Reader File Extension Buffer Overflow"; content: "SID: 6091 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106091; sid: 6106091; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Qt BMP Buffer Overflow";
content: "SID: 6092 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106092; sid: 6106092; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nullsoft Winamp M3U Remote Buffer Overflow"; content: "SID: 6094 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106094; sid: 6106094; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache apr-util IPv6 URI Parsing Vulnerability"; content: "SID: 6095 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106095; sid: 6106095; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port Registration"; content: "SID: 6100 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106100; sid: 6106100; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port Unregistration"; content: "SID: 6101 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106101; sid: 6106101; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Dump"; content: "SID: 6102 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106102; sid: 6106102; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Proxied RPC Request"; content: "SID: 6103 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106103; sid: 6106103; rev: 3;) alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port Reg Spoof"; content: "SID: 6104 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106104; sid: 6106104; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC Port UnReg Spoof"; content: "SID: 6105 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106105; sid: 6106105; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS EAP-TLS Authentication Bypass"; content: "SID: 6106 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106106; sid: 6106106; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVS File Existence Information Disclosure"; content: "SID: 6107 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106107; sid: 6106107; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FreeRADIUS Denial of Service"; content: "SID: 6108 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106108; sid: 6106108; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RSTATD Sweep"; content: "SID: 6110 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106110; sid: 6106110; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RUSESRD Sweep"; content: "SID: 6111 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106111; sid: 6106111; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC NFS Sweep"; content: "SID: 6112 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106112; sid: 6106112; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC MOUNTD Sweep"; content: "SID: 6113 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106113; sid: 6106113; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC YPASSWDD Sweep"; content: "SID: 6114 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106114; sid: 6106114; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC SELECTION SVC Sweep"; content: "SID: 6115 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106115; sid: 6106115; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC REXD Sweep"; content: "SID: 6116 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106116; sid: 6106116; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC STATUS Sweep"; content: "SID: 6117 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106117; sid: 6106117; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC TTDB Sweep"; content: "SID: 6118 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106118; sid: 6106118; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Authentication Vulnerability"; content: "SID: 6119 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106119; sid: 6106119; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RSTATD Request"; content: "SID: 6120 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106120; sid: 6106120; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC RUSESRD Request"; content: "SID: 6121 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106121; sid: 6106121; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC NFS Request"; content: "SID: 6122 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106122; sid: 6106122; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC MOUNTD Request"; content: "SID: 6123 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106123; sid: 6106123; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC YPASSWDD Request"; content: "SID: 6124 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106124; sid: 6106124; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC SELECTION SVC Request"; content: "SID: 6125 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106125; sid: 6106125; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC REXD Request"; content: "SID: 6126 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106126; sid: 6106126; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC STATUS Request"; content: "SID: 6127 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106127; sid: 6106127; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC TTDB Request"; content: "SID: 6128 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106128; sid: 6106128; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Message Queuing Overflow"; content: "SID: 6130 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106130; sid: 6106130; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Plug and Play Overflow"; content: "SID: 6131 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106131; sid: 6106131; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mod SSL- Mod Proxy Hook Format String"; content: "SID: 6132 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106132; sid: 6106132; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Cell Length Buffer Overflow 
CVE-2004-0846"; content: "SID: 6133 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106133; sid: 6106133; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft ASP.NET Canonicalization"; content: "SID: 6134 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106134; sid: 6106134; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Solaris in.rwhod Buffer Overflow"; content: "SID: 6135 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106135; sid: 6106135; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wordpad Default Font Overflow"; content: "SID: 6137 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106137; sid: 6106137; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-ASCII Hostname"; content: "SID: 6138 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106138; sid: 6106138; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malicious BMP File"; content: "SID: 6139 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106139; sid: 6106139; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid ASN.1 Header Parsing Denial of Service"; content: "SID: 6140 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106140; sid: 6106140; 
rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia JRun 4.x Server File Disclosure"; content: "SID: 6141 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106141; sid: 6106141; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Apache HTTP Server Mod_Cache Module DoS"; content: "SID: 6142 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106142; sid: 6106142; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Borland Interbase Database Service Create-Request Buffer Overflow"; content: "SID: 6143 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106143; sid: 6106143; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] X.Org X Font Server Buffer Overflow"; content: "SID: 6144 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106144; sid: 6106144; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro ServerProtect TMregChange Buffer Overflow"; content: "SID: 6145 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106145; sid: 6106145; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid WCCP Message Receive Buffer Overflow"; content: "SID: 6146 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106146; sid: 6106146; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer RealMedia 
Security Bypass"; content: "SID: 6147 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106147; sid: 6106147; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Off-by-one"; content: "SID: 6148 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106148; sid: 6106148; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Arbitrary Library Injection"; content: "SID: 6149 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106149; sid: 6106149; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypserv Portmap Request"; content: "SID: 6150 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106150; sid: 6106150; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypbind Portmap Request"; content: "SID: 6151 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106151; sid: 6106151; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] yppasswdd Portmap Request"; content: "SID: 6152 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106152; sid: 6106152; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypupdated Portmap Request"; content: "SID: 6153 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106153; sid: 6106153; rev: 3;) 
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ypxfrd Portmap Request"; content: "SID: 6154 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106154; sid: 6106154; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] mountd Portmap Request"; content: "SID: 6155 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106155; sid: 6106155; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT Kerberos kadmind RPC Library Unix Authentication"; content: "SID: 6156 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106156; sid: 6106156; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT Kerberos Kadmind Remote Code Injection"; content: "SID: 6157 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106157; sid: 6106157; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MIT Kerberos Kadmind Rename Buffer Overflow"; content: "SID: 6158 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106158; sid: 6106158; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Request DoS"; content: "SID: 6159 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106159; sid: 6106159; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Active Directory Crafted LDAP Buffer Overflow"; content: 
"SID: 6160 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106160; sid: 6106160; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ingres Database Communications Server Component Buffer Overflow"; content: "SID: 6161 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106161; sid: 6106161; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ipswitch IMail Server Date String Overflow"; content: "SID: 6162 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106162; sid: 6106162; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Document Parsing Buffer Overflow"; content: "SID: 6164 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106164; sid: 6106164; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] nfs-utils TCP Connection Termination Denial of Service"; content: "SID: 6165 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106165; sid: 6106165; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Novell eDirectory HTTP Server Redirection Buffer Overflow"; content: "SID: 6166 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106166; sid: 6106166; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates Products Message Engine RPC Server Buffer Overflow"; content: "SID: 6168 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106168; sid: 6106168; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] mod_tcl Module Format String Vulnerability"; content: "SID: 6169 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106169; sid: 6106169; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function Overflow"; content: "SID: 6170 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106170; sid: 6106170; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Info Center HPInfoDLL.dll ActiveX Control Remote Code Execution"; content: "SID: 6171 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106171; sid: 6106171; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell eDirectory evtFilteredMonitorEventsRequest Function"; content: "SID: 6172 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106172; sid: 6106172; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $DNS_PORT (msg: "[CISCO-SDEE] Empty DNS Query"; content: "SID: 6173 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106173; sid: 6106173; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenLDAP Server BIND Request Denial of Service"; content: "SID: 6174 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106174; sid: 6106174; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rexd Portmap Request"; content: "SID: 6175 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106175; sid: 6106175; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed SIP Invite Packet"; content: "SID: 6177 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106177; sid: 6106177; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Message DoS"; content: "SID: 6178 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106178; sid: 6106178; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed MGCP Packet"; content: "SID: 6179 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106179; sid: 6106179; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rexd Attempt"; content: "SID: 6180 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106180; sid: 6106180; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP DoS"; content: "SID: 6181 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106181; sid: 6106181; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Large SIP Message"; content: "SID: 6184 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; 
reference: url,wiki.quadrantsec.com/bin/view/Main/6106184; sid: 6106184; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RIS Data Collector Heap Overflow"; content: "SID: 6186 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106186; sid: 6106186; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CallManager TCP Connection DoS"; content: "SID: 6187 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106187; sid: 6106187; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] statd dot dot"; content: "SID: 6188 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106188; sid: 6106188; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] statd automount attack"; content: "SID: 6189 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106189; sid: 6106189; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] statd Buffer Overflow"; content: "SID: 6190 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106190; sid: 6106190; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC.tooltalk Buffer Overflow"; content: "SID: 6191 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106191; sid: 6106191; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC mountd Buffer Overflow"; content: "SID: 6192 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106192; sid: 6106192; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RPC CMSD Buffer Overflow"; content: "SID: 6193 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106193; sid: 6106193; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] sadmind Buffer Overflow"; content: "SID: 6194 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106194; sid: 6106194; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sadmind RPC Buffer Overflow"; content: "SID: 6195 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106195; sid: 6106195; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] snmpXdmid Buffer Overflow"; content: "SID: 6196 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106196; sid: 6106196; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] rpc yppaswdd overflow"; content: "SID: 6197 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106197; sid: 6106197; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long rwalld Message"; content: "SID: 6198 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106198; sid: 6106198; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cachefsd Overflow"; content: "SID: 
6199 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106199; sid: 6106199; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ident Buffer Overflow"; content: "SID: 6200 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106200; sid: 6106200; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Ident Newline"; content: "SID: 6201 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106201; sid: 6106201; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] sadmind directory traversal command exec"; content: "SID: 6203 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106203; sid: 6106203; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IIS Source Code Disclosure"; content: "SID: 6204 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106204; sid: 6106204; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Vmd Buffer Overflow"; content: "SID: 6205 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106205; sid: 6106205; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WorldMail IMAP Directory Traversal"; content: "SID: 6206 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106206; sid: 6106206; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] FreeBSD nfsd Request Denial of Service"; content: "SID: 6207 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106207; sid: 6106207; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Volume Manager Buffer Overflow"; content: "SID: 6208 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106208; sid: 6106208; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] NetBackup Vnetd Buffer Overflow"; content: "SID: 6209 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106209; sid: 6106209; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LPR Format String Overflow"; content: "SID: 6210 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106210; sid: 6106210; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LPD NoOp Sled"; content: "SID: 6211 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106211; sid: 6106211; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HTML Tag Memory Corruption"; content: "SID: 6212 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106212; sid: 6106212; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Firefox JavaScript Focus Buffer Overflow"; content: "SID: 6213 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106213; sid: 6106213; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LibTIFF TIFFFetchData Integer Overflow"; content: "SID: 6214 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106214; sid: 6106214; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell Print Services Integer Overflow"; content: "SID: 6215 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106215; sid: 6106215; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] EMC Retrospect Client Buffer Overflow"; content: "SID: 6216 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106216; sid: 6106216; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] eDirectory iMonitor NDS Server Buffer Overflow"; content: "SID: 6217 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106217; sid: 6106217; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MediaWiki Script Insertion"; content: "SID: 6218 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106218; sid: 6106218; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CommuniGate Pro LDAP Server Buffer Overflow"; content: "SID: 6219 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106219; sid: 6106219; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Retrospect Backup 
Agent Denial of Service"; content: "SID: 6220 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106220; sid: 6106220; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Director Agent DoS"; content: "SID: 6221 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106221; sid: 6106221; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OpenView Client Configuration Manager Radia Notify Daemon Code Execution"; content: "SID: 6222 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106222; sid: 6106222; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix MetaFrame IMA Authentication Processing Buffer Overflow"; content: "SID: 6223 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106223; sid: 6106223; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows IGMP Overflow"; content: "SID: 6224 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106224; sid: 6106224; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] KAME IKE raccoon HASH"; content: "SID: 6225 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106225; sid: 6106225; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trojan.Srizbi Bot"; content: "SID: 6226 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106226; sid: 6106226; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Basic Charts Control Memory Corruption"; content: "SID: 6227 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106227; sid: 6106227; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mac OSX Software Update Remote Code Execution"; content: "SID: 6228 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106228; sid: 6106228; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS SQL Server sqldmo.dll Overflow"; content: "SID: 6229 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106229; sid: 6106229; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] F-Secure Products Web Console Buffer Overflow"; content: "SID: 6230 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106230; sid: 6106230; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Presentation Server IMA"; content: "SID: 6231 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106231; sid: 6106231; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Distributed Transaction Coordinator Overflow"; content: "SID: 6232 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106232; sid: 6106232; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] 
Computer Associates BrightStor ARCserve Backup Tape Engine Service"; content: "SID: 6233 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106233; sid: 6106233; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VideoLAN VLC Subtitle Overflow"; content: "SID: 6234 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106234; sid: 6106234; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Quicktime SMIL Overflow"; content: "SID: 6235 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106235; sid: 6106235; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] AMI Pro File Buffer Overflow"; content: "SID: 6236 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106236; sid: 6106236; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MailEnable IMAP Service Login Overflow"; content: "SID: 6237 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106237; sid: 6106237; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GNU RADIUS SQL Accounting Format String Vulnerability"; content: "SID: 6238 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106238; sid: 6106238; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple QuickTime RTSP Long URL"; content: "SID: 6239 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106239; sid: 6106239; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP LOGIN Negative Value"; content: "SID: 6240 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106240; sid: 6106240; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro ServerProtect eng50.dll Stack Overflow"; content: "SID: 6242 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106242; sid: 6106242; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun JRE Abstract Windowing Toolkit Module Memory Corruption"; content: "SID: 6243 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106243; sid: 6106243; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] Microsoft Windows SNMP Service Memory Corruption"; content: "SID: 6244 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106244; sid: 6106244; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Tivoli Storage Manager Initial Sign-on Request Buffer Overflow"; content: "SID: 6245 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106245; sid: 6106245; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Gateway Weblaunch Activex Control"; content: "SID: 6246 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106246; sid: 6106246; rev: 
3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Microsystems Java GIF File Handling Memory Corruption"; content: "SID: 6247 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106247; sid: 6106247; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Mercury Loadrunner Agent Command Processing Buffer Overflow"; content: "SID: 6248 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106248; sid: 6106248; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Studio 6 ActiveX Exploit"; content: "SID: 6249 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106249; sid: 6106249; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] FTP Authorization Failure"; content: "SID: 6250 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106250; sid: 6106250; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[CISCO-SDEE] Telnet Authorization Failure"; content: "SID: 6251 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106251; sid: 6106251; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rlogin Authorization Failure"; content: "SID: 6252 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106252; sid: 6106252; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] POP3 Authorization Failure"; content: "SID: 6253 ,"; parse_src_ip: 1; 
parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106253; sid: 6106253; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SMB Authorization Failure"; content: "SID: 6255 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106255; sid: 6106255; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] HTTP Authorization Failure"; content: "SID: 6256 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106256; sid: 6106256; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DHCP Client DoS"; content: "SID: 6257 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106257; sid: 6106257; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE HTML Rendering Memory Corruption"; content: "SID: 6258 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106258; sid: 6106258; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Linux Printing And Imaging hpssd Command Injection"; content: "SID: 6259 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106259; sid: 6106259; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VERITAS Storage Foundation Administrator Buffer Overflow"; content: "SID: 6260 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106260; sid: 6106260; rev: 3;) 
# --- Cisco SDEE signatures 6261-6296 (program: qdee) ---
# Each rule below keys on the literal "SID: <n> ," token inside the forwarded
# SDEE event, i.e. it re-labels the sensor's own signature ID in Sagan rather
# than inspecting the underlying traffic; a false positive or tuning problem on
# the sensor carries straight through to these alerts.
# Source/destination addresses are taken positionally from the log line
# (parse_src_ip: 1, parse_dst_ip: 2) and the port via parse_port.
# No after/threshold options are set, so every matching SDEE event alerts once
# -- presumably intended because the sensor already rate-limits its own
# events, but confirm against the sensor's SDEE subscription settings.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ISC DHCP Remote DoS"; content: "SID: 6261 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106261; sid: 6106261; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure Access Control Server CGI Buffer Overflow"; content: "SID: 6262 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106262; sid: 6106262; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] XSS in Cisco ACS Server"; content: "SID: 6263 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106263; sid: 6106263; rev: 3;)
# NOTE(review): sid 6106264 and sid 6106266 carry the same msg text; the only
# distinguishing field is the SDEE SID in the content match, so any downstream
# grouping or suppression keyed on msg will merge the two signatures.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Malformed Header"; content: "SID: 6264 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106264; sid: 6106264; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Jet Database Engine Buffer Overflow"; content: "SID: 6265 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106265; sid: 6106265; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Excel Malformed Header"; content: "SID: 6266 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106266; sid: 6106266; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP Long FETCH Command"; content: "SID: 6267 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106267; sid: 6106267; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Openview Network Node Manager Buffer Overflow"; content: "SID: 6268 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106268; sid: 6106268; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP Openview Operations Buffer Overflow"; content: "SID: 6269 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106269; sid: 6106269; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OpenView Network Node Manager Integer Overflow"; content: "SID: 6270 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106270; sid: 6106270; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VMWare ActiveX Arbitrary File Access"; content: "SID: 6271 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106271; sid: 6106271; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell iPrint Client ActiveX Buffer Overflow"; content: "SID: 6272 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106272; sid: 6106272; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works ActiveX WkImgSrv.dll Insecure Function"; content: "SID: 6273 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106273; sid: 6106273; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee ePolicy Orchestrator Format String"; content: "SID: 6274 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106274; sid: 6106274; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SGI fam Attempt"; content: "SID: 6275 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106275; sid: 6106275; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TooltalkDB overflow"; content: "SID: 6276 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106276; sid: 6106276; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Show Mount Recon"; content: "SID: 6277 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106277; sid: 6106277; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Web Components DataSource Vulnerability"; content: "SID: 6278 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106278; sid: 6106278; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Presentation Server Client ActiveX Overflow"; content: "SID: 6279 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106279; sid: 6106279; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Messenger Information Disclosure Vulnerability"; content: "SID: 6280 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106280; sid: 6106280; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed EPS Filter Vulnerability"; content: "SID: 6281 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106281; sid: 6106281; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed PICT Filter Vulnerability"; content: "SID: 6282 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106282; sid: 6106282; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed BMP Filter Vulnerability"; content: "SID: 6283 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106283; sid: 6106283; rev: 3;)
# rev 4: header narrowed to tcp / $HTTP_PORT, unlike the surrounding rules
# which match any syslog source. $HTTP_PORT must be declared in Sagan's
# variable configuration or this rule will not load -- confirm when deploying.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Openwsman HTTP Basic Authentication Buffer Overflow"; content: "SID: 6284 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106284; sid: 6106284; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] LANDesk Intel QIP Service Heal Packet Buffer Overflow"; content: "SID: 6295 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106295; sid: 6106295; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow"; content: "SID: 6296 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106296; sid: 6106296; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer ActiveX Import Method Buffer Overflow"; content: "SID: 6297 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106297; sid: 6106297; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Creative Software AutoUpdate Engine ActiveX Stack-Overflow"; content: "SID: 6298 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106298; sid: 6106298; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Namo ActiveSquare6 ActiveX Vulnerability"; content: "SID: 6299 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106299; sid: 6106299; rev: 3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Loki ICMP Tunneling"; content: "SID: 6300 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106300; sid: 6106300; rev: 3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] General Loki ICMP Tunneling"; content: "SID: 6302 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106302; sid: 6106302; rev: 3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PingTunnel ICMP Tunneling"; content: "SID: 6303 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106303; sid: 6106303; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS-SQL Query Abuse"; content: "SID: 6350 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; 
classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106350; sid: 6106350; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba SPOOLSS Notify Options Heap overflow"; content: "SID: 6402 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106402; sid: 6106402; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Uninitialized Memory Corruption"; content: "SID: 6403 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106403; sid: 6106403; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow WAV Parsing Remote Code Execution"; content: "SID: 6406 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106406; sid: 6106406; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE DHTML Memory Corruption"; content: "SID: 6408 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106408; sid: 6106408; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Invalid Object Memory Corruption"; content: "SID: 6409 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106409; sid: 6106409; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Unsafe Memory Operation"; content: "SID: 6410 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106410; sid: 6106410; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Malformed BGP Message"; content: "SID: 6412 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106412; sid: 6106412; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] McAfee Subscription Manager ActiveX Stack Buffer Overflow"; content: "SID: 6413 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106413; sid: 6106413; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ClamAV UPX File Handling Heap Overflow"; content: "SID: 6414 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106414; sid: 6106414; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Help HLP File Processing Memory Corruption"; content: "SID: 6416 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106416; sid: 6106416; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] JavaScript Navigator Object Memory Corruption"; content: "SID: 6417 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106417; sid: 6106417; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Apache HTTP Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow"; content: "SID: 6418 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106418; sid: 6106418; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Database dbms_assert Filter Bypass Vulnerability"; content: "SID: 
6419 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106419; sid: 6106419; rev: 3;)
# --- Cisco SDEE event pass-through (program: qdee) ---------------------------
# Every rule in this family is a one-to-one relay of a Cisco SDEE signature as
# it appears in syslog from the "qdee" program.  The only detection logic is the
# literal match on content: "SID: <cisco-sid> ,".  The trailing " ," matters:
# content is a substring match, so without it "SID: 645 ," would also fire on
# SID 6450.  Sagan sid = 6100000 + Cisco SID (6106420 <-> 6420), so the two
# numbers can be cross-checked when a rule is added or edited.
# parse_src_ip: 1 / parse_dst_ip: 2 presumably take the first and second IP
# address found in the log line as source/destination, and parse_port the port
# -- verify against the Sagan keyword docs for the version in use.
# Nothing in this family is rate-limited: no rule carries threshold: or after:,
# so one SDEE event produces one Sagan alert.  All rules also share the single
# classtype suspicious-traffic, so severity triage has to come from the Cisco
# side or from local tuning of classification.config.
# NOTE(review): a handful of rules (rev 4, and 6106703/6106755) use tcp/udp/icmp
# and $HTTP_PORT/$SNMP_PORT in the header instead of "syslog ... any".  None of
# them carry parse_proto; confirm whether this Sagan version uses the header
# protocol/port for matching or only records it in the output before treating
# it as a filter.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Malformed GIF File Processing Code Execution"; content: "SID: 6420 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106420; sid: 6106420; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Malformed SELECTION Record Code Execution"; content: "SID: 6421 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106421; sid: 6106421; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft ASP.NET Application Folder Information Disclosure"; content: "SID: 6422 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106422; sid: 6106422; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft XML Core Services Integer Overflow"; content: "SID: 6423 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106423; sid: 6106423; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint PPT File Parsing Memory Corruption"; content: "SID: 6424 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106424; sid: 6106424; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Malformed OBJECT Record Code Execution"; content: "SID: 6425 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106425; sid: 6106425; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word mso.dll LsCreateLine Memory Corruption"; content: "SID: 6426 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106426; sid: 6106426; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] zlib Denial of Service"; content: "SID: 6427 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106427; sid: 6106427; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CSS Memory Corruption"; content: "SID: 6430 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106430; sid: 6106430; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Web Cache Heap Overflow"; content: "SID: 6431 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106431; sid: 6106431; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Subversion svn Protocol String Parsing Vulnerability"; content: "SID: 6432 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106432; sid: 6106432; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Norton Internet Security NBNS Stack Overflow"; content: "SID: 6433 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106433; sid: 6106433; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Citrix Program Neighborhood Agent Buffer Overflow"; content: "SID: 6436 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106436; sid: 6106436; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealNetworks RealPlayer Compressed Skin Buffer Overflow"; content: "SID: 6437 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106437; sid: 6106437; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMail IMAP Fetch Buffer Overflow"; content: "SID: 6443 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106443; sid: 6106443; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] iGateway Content-Length Buffer Overflow"; content: "SID: 6444 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106444; sid: 6106444; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SUSE Remote Manager Heap Overflow"; content: "SID: 6445 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106445; sid: 6106445; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Acrobat Reader eBook plug-in Format String Vulnerability"; content: "SID: 6446 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106446; sid: 6106446; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apache Tomcat Mod_jk Stack Overflow"; content: "SID: 6449 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106449; sid: 6106449; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] pcAnywhere Buffer Overflow"; content: "SID: 6450 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106450; sid: 6106450; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MediaWiki Language Option PHP Code Execution"; content: "SID: 6451 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106451; sid: 6106451; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Buffer Overflow"; content: "SID: 6454 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106454; sid: 6106454; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Flash Media Server DoS"; content: "SID: 6456 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106456; sid: 6106456; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lotus Notes URI Handler Argument Injection"; content: "SID: 6457 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106457; sid: 6106457; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Media Player File Information Disclosure"; content: "SID: 6458 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106458; sid: 6106458; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Winhlp32 Compressed Phrase Integer Overflow"; content: "SID: 6459 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106459; sid: 6106459; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer CDF Cross Domain Scripting"; content: "SID: 6462 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106462; sid: 6106462; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Squid WCCP Message Parsing Denial of Service"; content: "SID: 6466 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106466; sid: 6106466; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla Firefox Click Event Classification Vulnerability"; content: "SID: 6467 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106467; sid: 6106467; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple Vendor AV Gateway Virus Detection Bypass"; content: "SID: 6468 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106468; sid: 6106468; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple Web Browsers Window Injection."; content: "SID: 6477 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106477; sid: 6106477; rev: 3;)
# rev 4: tcp/$HTTP_PORT header instead of syslog/any (see NOTE(review) above).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Novell iManager Tomcat HTTP POST Request Handling Denial of Service"; content: "SID: 6486 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106486; sid: 6106486; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TikiWiki jhot.php Script File Upload Security Bypass"; content: "SID: 6487 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106487; sid: 6106487; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup Command Chaining"; content: "SID: 6488 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106488; sid: 6106488; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas NetBackup CONNECT_OPTIONS Buffer Overflow"; content: "SID: 6489 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106489; sid: 6106489; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Alt-N MDAEMON IMAP Server Heap Overflow"; content: "SID: 6491 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106491; sid: 6106491; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Graphics Rendering Engine Buffer Overflow Vulnerability"; content: "SID: 6493 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106493; sid: 6106493; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IMAP APPEND Date Buffer Overflow"; content: "SID: 6494 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106494; sid: 6106494; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer URL Spoofing Vulnerability Details"; content: "SID: 6496 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106496; sid: 6106496; rev: 3;)
# Trojan / DDoS-agent control traffic (RingZero, TFN, Stacheldraht, Trinoo,
# TFN2K, mstream).  A hit here usually means an agent is already on a host
# rather than an inbound exploit attempt; consider mapping these to a
# higher-priority classtype than suspicious-traffic if classification.config
# offers one (e.g. trojan-activity), so they are not triaged like the rest.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RingZero Trojan"; content: "SID: 6500 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106500; sid: 6106500; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tribe Flood Net Client Request"; content: "SID: 6501 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106501; sid: 6106501; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Tribe Flood Net Server Reply"; content: "SID: 6502 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106502; sid: 6106502; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Stacheldraht Client Request"; content: "SID: 6503 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106503; sid: 6106503; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Stacheldraht Server Reply"; content: "SID: 6504 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106504; sid: 6106504; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo Client Request"; content: "SID: 6505 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106505; sid: 6106505; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trinoo Server Reply"; content: "SID: 6506 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106506; sid: 6106506; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFN2K Control Traffic"; content: "SID: 6507 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106507; sid: 6106507; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mstream Control Traffic"; content: "SID: 6508 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106508; sid: 6106508; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft DXmedia SDK6 ActiveX Control"; content: "SID: 6509 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106509; sid: 6106509; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GOM Player ActiveX Control Buffer Overflow"; content: "SID: 6510 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106510; sid: 6106510; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macrovision FlexNet isusweb.dll DownloadAndExecute Method"; content: "SID: 6512 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106512; sid: 6106512; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macrovision FlexNet DownloadManager Insecure Methods"; content: "SID: 6513 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106513; sid: 6106513; rev: 3;)
# SIP protocol-anomaly family (6515-6523, also 6781/6782 below): grammar and
# length checks rather than exploit signatures.  They are likely to be noisy on
# busy VoIP segments; tune with a local threshold: rather than disabling them.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Invalid SIP Response Code"; content: "SID: 6515 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106515; sid: 6106515; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed Via Header"; content: "SID: 6517 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106517; sid: 6106517; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Long Header Field"; content: "SID: 6518 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106518; sid: 6106518; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Long SIP Message"; content: "SID: 6520 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106520; sid: 6106520; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Call Manager Overflow"; content: "SID: 6521 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106521; sid: 6106521; rev: 3;)
# One alert per failed HTTP login and no threshold here: brute-force detection
# needs a local after:/threshold: on this sid or a separate correlating rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Failed HTTP Login HTTP 401"; content: "SID: 6522 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106522; sid: 6106522; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Non-Printable in SIP Header"; content: "SID: 6523 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106523; sid: 6106523; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Yahoo! Assistant yNotifier.dll ActiveX Control Code Execution"; content: "SID: 6524 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106524; sid: 6106524; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Lighttpd FastCGI Header Overrun"; content: "SID: 6526 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106526; sid: 6106526; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Publisher Invalid Memory Reference RCE"; content: "SID: 6527 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106527; sid: 6106527; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Application Server 10G EmChartBeam Remote Directory Traversal"; content: "SID: 6528 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106528; sid: 6106528; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SynCE Command Injection"; content: "SID: 6530 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106530; sid: 6106530; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Perdition IMAP Proxy str_vwrite Format String"; content: "SID: 6532 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106532; sid: 6106532; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Computer Associates BrightStor ARCserve Backup Discovery Service"; content: "SID: 6533 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106533; sid: 6106533; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Backup Exec ActiveX Control"; content: "SID: 6534 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106534; sid: 6106534; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Facebook Photo Uploader ActiveX Control"; content: "SID: 6535 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106535; sid: 6106535; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Aurigma ImageUploader ActiveX Control"; content: "SID: 6536 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106536; sid: 6106536; rev: 3;)
# Botnet C2 indicator; same triage caveat as the DDoS-agent rules above.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Kraken Botnet Traffic"; content: "SID: 6537 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106537; sid: 6106537; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Malware Protection Engine DoS"; content: "SID: 6539 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106539; sid: 6106539; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM Certificate Trust List Memory Consumption DOS"; content: "SID: 6540 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106540; sid: 6106540; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Project Malformed File Exploit"; content: "SID: 6541 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106541; sid: 6106541; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TFTPServer Error Overflow"; content: "SID: 6542 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106542; sid: 6106542; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CiscoWorks Common Services Arbitrary Code Injection"; content: "SID: 6543 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106543; sid: 6106543; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] ActiveX Object Memory Corruption Vulnerability"; content: "SID: 6544 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106544; sid: 6106544; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WINS Local Privilege Escalation"; content: "SID: 6545 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106545; sid: 6106545; rev: 3;)
# rev 4: udp/$SNMP_PORT header instead of syslog/any (see NOTE(review) above).
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-SDEE] SNMPv3 Malformed Authentication Attempt"; content: "SID: 6546 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106546; sid: 6106546; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server 7 TDS Denial Of Service"; content: "SID: 6702 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106702; sid: 6106702; rev: 3;)
# tcp header but still rev 3 and dst port "any"; the other tcp rules in this
# family went to rev 4 with $HTTP_PORT -- check whether this one was missed.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Snort SACK TCP Option Handling Denial of Service Details"; content: "SID: 6703 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106703; sid: 6106703; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Address Bar Spoofing Vulnerability"; content: "SID: 6704 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106704; sid: 6106704; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Internet Explorer Drag And Drop Vulnerability"; content: "SID: 6705 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106705; sid: 6106705; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows Remote Desktop Protocol DoS"; content: "SID: 6707 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106707; sid: 6106707; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Macromedia Flash Player LoadMovie DoS"; content: "SID: 6710 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106710; sid: 6106710; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Image Download Spoofing"; content: "SID: 6711 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106711; sid: 6106711; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Script Engine Stack Exhaustion"; content: "SID: 6712 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106712; sid: 6106712; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Status Bar URL Spoofing"; content: "SID: 6717 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106717; sid: 6106717; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Multiple AV Vendor Invalid Archive Checksum"; content: "SID: 6718 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106718; sid: 6106718; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL COM_TABLE_DUMP Function Stack Overflow"; content: "SID: 6719 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106719; sid: 6106719; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MySQL Login Handshake Information Disclosure"; content: "SID: 6720 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106720; sid: 6106720; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenBSD ISAKMP Message Handling Denial Of Service"; content: "SID: 6721 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106721; sid: 6106721; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Oracle Application Server 10g emagent.exe Stack Buffer Overflow"; content: "SID: 6722 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106722; sid: 6106722; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Sun Directory Server LDAP Denial of Service Details"; content: "SID: 6723 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106723; sid: 6106723; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Nullsoft Winamp Midi File Header Handling Buffer Overflow"; content: "SID: 6727 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106727; sid: 6106727; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows GUID Folder Code Execution"; content: "SID: 6728 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106728; sid: 6106728; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IBM Tivoli Storage Manager Express Buffer Overflow"; content: "SID: 6730 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106730; sid: 6106730; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Username Buffer Overflow"; content: "SID: 6731 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106731; sid: 6106731; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Password Buffer Overflow"; content: "SID: 6732 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106732; sid: 6106732; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCServe Backup LGServer Arbitrary File Upload"; content: "SID: 6733 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106733; sid: 6106733; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA ARCserve Backup LGServer Multiple Buffer Overflows"; content: "SID: 6734 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106734; sid: 6106734; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer HHCtrl.ocx Image Property Heap Corruption"; content: "SID: 6735 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106735; sid: 6106735; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple QuickTime FLIC Animation File Buffer Overflow Details"; content: "SID: 6736 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106736; sid: 6106736; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenSSL SSL_get_shared_ciphers Function Buffer Overflow"; content: "SID: 6737 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106737; sid: 6106737; rev: 3;)
# rev 4: tcp/$HTTP_PORT header instead of syslog/any (see NOTE(review) above).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] Novell GroupWise Messenger HTTP POST Request Invalid Memory Access"; content: "SID: 6739 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106739; sid: 6106739; rev: 4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Trend Micro OfficeScan Atxconsole ActiveX Control Format String"; content: "SID: 6740 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106740; sid: 6106740; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Discovery XFERWAN Buffer overflow"; content: "SID: 6741 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106741; sid: 6106741; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint Malformed Record Code Execution"; content: "SID: 6742 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106742; sid: 6106742; rev: 3;)
# "Mangement" is the upstream msg text; left as-is so existing searches on
# the msg string keep matching.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Novell ZENworks Asset Mangement Overflow"; content: "SID: 6743 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106743; sid: 6106743; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Mozilla FireFox DomNodeRemoved Memory Corruption"; content: "SID: 6744 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106744; sid: 6106744; rev: 3;)
# icmp header; parse_port still present even though ICMP carries no port.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Remote Kernel TCPIP ICMP Vulnerability"; content: "SID: 6755 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106755; sid: 6106755; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Internet Explorer Page Update Race Condition"; content: "SID: 6757 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106757; sid: 6106757; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visio Version Number Code Execution Vulnerability"; content: "SID: 6758 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106758; sid: 6106758; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Apple Safari Regular Expression Overflow"; content: "SID: 6759 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106759; sid: 6106759; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer ActiveX Buffer overflow"; content: "SID: 6760 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106760; sid: 6106760; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Unified Communications Manager CTL Provider Heap Overflow"; content: "SID: 6761 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106761; sid: 6106761; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco PIX and ASA Time-to-Live DoS"; content: "SID: 6764 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106764; sid: 6106764; rev: 3;)
# Default-credential use; worth escalating above the shared classtype.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Application Velocity System Default Passwords"; content: "SID: 6765 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106765; sid: 6106765; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Security Zone Bypass and Address Spoofing"; content: "SID: 6766 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106766; sid: 6106766; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows RSH Daemon Stack Overflow"; content: "SID: 6767 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106767; sid: 6106767; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Samba WINS Remote Code Execution Vulnerability"; content: "SID: 6768 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106768; sid: 6106768; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Netware LSASS CIFS.NLM Driver Overflow"; content: "SID: 6769 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106769; sid: 6106769; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OpenOffice PRTDATA Heap Overflow"; content: "SID: 6770 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106770; sid: 6106770; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows WebDAV Mini Redirector"; content: "SID: 6771 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106771; sid: 6106771; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WordPerfect X3 Printer Selection Vulnerability"; content: "SID: 6773 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106773; sid: 6106773; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Works Converter Remote Code Execution"; content: "SID: 6775 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106775; sid: 6106775; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works Converter Input Validation Remote Code Execution"; content: "SID: 6776 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106776; sid: 6106776; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows OLE Automation Remote Code Execution"; content: "SID: 6777 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106777; sid: 6106777; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Works Converter Index Table Vulnerability"; content: "SID: 6778 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106778; sid: 6106778; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Argument Handling Memory Corruption Vulnerability"; content: "SID: 6780 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106780; sid: 6106780; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP Proxy Response Overflow"; content: "SID: 6781 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106781; sid: 6106781; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SIP MIME Request Boundary Overflow"; content: "SID: 6782 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106782; sid: 6106782; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe PDF Code Execution"; content: "SID: 6784 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106784; sid: 6106784; rev: 3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Visual Basic VBP File Processing Buffer Overflow"; content: "SID: 6785 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106785; sid: 6106785; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint Memory Corruption Vulnerability"; content: "SID: 6786 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106786; sid: 6106786; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office Cell Parsing Memory Corruption Vulnerability"; content: "SID: 6787 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106787; sid: 6106787; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SonicWALL SSL VPN Client Remote ActiveX Vulnerability"; content: "SID: 6788 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106788; sid: 6106788; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Winamp Ultravox Stream Title Stack Overflow"; content: "SID: 6789 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106789; sid: 6106789; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Outlook Web Access Privilege Escalation"; content: "SID: 6790 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106790; sid: 6106790; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] SQL Memory Corruption Vulnerability"; content: "SID: 6792 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106792; sid: 6106792; rev: 3;) alert syslog $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Windows GDI Image Handling"; content: "SID: 6793 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106793; sid: 6106793; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CA BrightStor ARCserve Backup Listservcntrl ActiveX Overflow"; content: "SID: 6794 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106794; sid: 6106794; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Panda ActiveScan ActiveX Overflow"; content: "SID: 6795 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106795; sid: 6106795; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP StorageWorks Buffer Overflow"; content: "SID: 6798 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106798; sid: 6106798; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM CTI DoS"; content: "SID: 6799 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106799; sid: 6106799; rev: 3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood ICMP Reply"; content: "SID: 6901 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106901; sid: 6106901; rev: 3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood ICMP Request"; content: "SID: 6902 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106902; sid: 6106902; rev: 3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood ICMP Any"; content: "SID: 6903 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106903; sid: 6106903; rev: 3;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood UDP"; content: "SID: 6910 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106910; sid: 6106910; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Net Flood TCP"; content: "SID: 6920 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106920; sid: 6106920; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Code Execution"; content: "SID: 6921 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106921; sid: 6106921; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] VBScript JScript Remote Code Execution"; content: "SID: 6922 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106922; sid: 6106922; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Memory Corruption Vulnerability"; content: "SID: 6923 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106923; sid: 6106923; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MS Publisher Remote Code Execution"; content: "SID: 6924 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; 
program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106924; sid: 6106924; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Property Memory Corruption"; content: "SID: 6925 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106925; sid: 6106925; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco IOS DLSw DoS"; content: "SID: 6926 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106926; sid: 6106926; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Outlook mailto URI Remote Code Execution"; content: "SID: 6928 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106928; sid: 6106928; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Excel Memory Corruption"; content: "SID: 6929 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106929; sid: 6106929; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Office Web Components URL Parsing Vulnerability"; content: "SID: 6930 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106930; sid: 6106930; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Virtual-Access Interface Exhaustion DoS"; content: "SID: 6931 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106931; sid: 6106931; rev: 3;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-SDEE] HTML Objects Uninitialized Memory Corruption Vulnerability"; content: "SID: 6932 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106932; sid: 6106932; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI Buffer Overflow"; content: "SID: 6934 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106934; sid: 6106934; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CVE-2008-1086 ActiveX Killbit Update"; content: "SID: 6935 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106935; sid: 6106935; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] UCM Disaster Recovery Framework Command Execution"; content: "SID: 6936 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106936; sid: 6106936; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE File Handling Memory Corruption"; content: "SID: 6937 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106937; sid: 6106937; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE Argument Handling Memory Corruption Exploit"; content: "SID: 6938 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106938; sid: 6106938; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Project Remote Code Execution"; content: "SID: 6939 ,"; parse_src_ip: 1; parse_dst_ip: 2; 
parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106939; sid: 6106939; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] RealPlayer ActiveX Remote Code Execution"; content: "SID: 6940 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106940; sid: 6106940; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Yahoo ActiveX Buffer Overflow"; content: "SID: 6942 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106942; sid: 6106942; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUPS CGI Compile Search Overflow"; content: "SID: 6944 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106944; sid: 6106944; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] HP OpenView OVAS.EXE Stack Overflow"; content: "SID: 6945 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106945; sid: 6106945; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Web Client Remote Code Execution Vulnerability"; content: "SID: 6946 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106946; sid: 6106946; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Word Drawing Object Vulnerability"; content: "SID: 6951 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106951; sid: 6106951; rev: 3;) alert syslog $EXTERNAL_NET any 
-> $HOME_NET any (msg: "[CISCO-SDEE] Word Cascading Style Sheet (CSS) Vulnerability"; content: "SID: 6952 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106952; sid: 6106952; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] CUCM SIP Stack DoS"; content: "SID: 6954 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106954; sid: 6106954; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Adobe Flash Null Pointer Dereference"; content: "SID: 6959 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106959; sid: 6106959; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE Response Cross-Domain Info Disclosure"; content: "SID: 6960 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106960; sid: 6106960; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IE HTML Objects Memory Corruption"; content: "SID: 6961 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106961; sid: 6106961; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Unity DOS"; content: "SID: 6962 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106962; sid: 6106962; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] MJPEG Decoder Vulnerability"; content: "SID: 6963 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/6106963; sid: 6106963; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Asprox Injection Attempt"; content: "SID: 6964 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106964; sid: 6106964; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Malformed Search File Code Execution"; content: "SID: 6966 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106966; sid: 6106966; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft SQL Server Privilege Elevation"; content: "SID: 6967 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106967; sid: 6106967; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Access Snapshot Viewer ActiveX Remote Code Execution"; content: "SID: 6968 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106968; sid: 6106968; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Word Smart Tag Corruption Exploit"; content: "SID: 6969 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106969; sid: 6106969; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] DirectShow SAMI Parsing Remote Code Execution"; content: "SID: 6970 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106970; sid: 6106970; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[CISCO-SDEE] Generic Exploit Component"; content: "SID: 6971 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106971; sid: 6106971; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Rosoft Media Player Overflow"; content: "SID: 6972 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106972; sid: 6106972; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] IOS FTPd MKD Command Buffer Overflow"; content: "SID: 6973 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106973; sid: 6106973; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Motorola Timbuktu Pro Arbitrary File Deletion/Creation"; content: "SID: 6974 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106974; sid: 6106974; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Arbitrary File Upload In CA ARCserve"; content: "SID: 6975 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106975; sid: 6106975; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Powerpoint 2003 Viewer Buffer Overflow"; content: "SID: 6976 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106976; sid: 6106976; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Wonderware Suitlink Denial Of Service"; content: "SID: 6977 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: 
suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106977; sid: 6106977; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] PowerPoint Parsing Overflow"; content: "SID: 6978 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106978; sid: 6106978; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] BEA WebLogic Server Apache Connector HTTP Version String BO"; content: "SID: 6979 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106979; sid: 6106979; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PowerPoint Memory Allocation Exploit"; content: "SID: 6981 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106981; sid: 6106981; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft PICT Filter Parsing Exploit"; content: "SID: 6983 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106983; sid: 6106983; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Windows Image Color Management System RCE"; content: "SID: 6984 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106984; sid: 6106984; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft Office WPG Image File Heap Corruption Exploit"; content: "SID: 6985 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106985; sid: 6106985; rev: 3;) alert syslog 
$EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft IE HTML Objects Memory Corruption Exploit"; content: "SID: 6986 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106986; sid: 6106986; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] WebEx Meeting Manager ActiveX Overflow"; content: "SID: 6988 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106988; sid: 6106988; rev: 3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[CISCO-SDEE] IOSFW HTTP Inspection Vulnerability"; content: "SID: 6989 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106989; sid: 6106989; rev: 4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Visual Studio Msmask32.ocx ActiveX Buffer Overflow"; content: "SID: 6990 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106990; sid: 6106990; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Symantec Veritas Storage Foundation Null Session"; content: "SID: 6991 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106991; sid: 6106991; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco Secure ACS EAP Overflow"; content: "SID: 6994 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106994; sid: 6106994; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI EMF Memory Corruption Vulnerability"; content: "SID: 6995 ,"; 
parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106995; sid: 6106995; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] GDI+ BMP Integer Overflow"; content: "SID: 6996 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106996; sid: 6106996; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] OneNote Uniform Resource Locator Validation Error Vulnerability"; content: "SID: 6997 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106997; sid: 6106997; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Microsoft GDI-Plus WMF Buffer Overrun Exploit"; content: "SID: 6998 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106998; sid: 6106998; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Cisco PIM Multicast Denial of Service Attack"; content: "SID: 6999 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6106999; sid: 6106999; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] Data Base TNS Connection"; content: "SID: 7000 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107000; sid: 6107000; rev: 3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-SDEE] TNS Redirect Request"; content: "SID: 7001 ,"; parse_src_ip: 1; parse_dst_ip: 2; parse_port; program: qdee; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/6107001; sid: 6107001; 
rev: 3;) rules/cylance.rules0000664000175000017500000001574312612177151013663 0ustar champchamp# Sagan cylance.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
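#
# Rules for CylancePROTECT syslog events. Every rule below matches three
# substrings of the message: the event name (Cylance writes it as
# "Event Name: <name>"; |3a| is the hex escape for ':'), the event type
# (AuditLog / Device / ExploitAttempt / Threat) and the product tag
# "CylancePROTECT". All rules are rate-limited with
# "threshold: type limit, count 1, seconds 300, track by_src", i.e. at most
# one alert per source per five minutes, and take the source IP from the
# first address in the message (parse_src_ip: 1).
#
# Robert Nunley - 10142015

#successful-user
#Event Type: AuditLog, Event Name: DeviceEdit,
#Event Type: AuditLog, Event Name: LoginSuccess,
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Device Edit"; content: "Event Name|3a| DeviceEdit"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002567; parse_src_ip: 1; sid:5002567; rev:2;)
# rev 3: the second content keyword was missing its closing quote
# ("AuditLog; content: "CylancePROTECT"), which leaves the rule unparseable /
# matching the wrong string. Same fix applied to 5002569 and 5002570.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Login Success"; content: "Event Name|3a| LoginSuccess"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002568; parse_src_ip: 1; sid:5002568; rev:3;)

#configuration-change
#Event Type: AuditLog, Event Name: SyslogSettingsSave,
#Event Type: AuditLog, Event Name: ZoneAddDevice,
# rev 3: closing quote restored on content: "AuditLog"
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Syslog Settings Saved"; content: "Event Name|3a| SyslogSettingsSave"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5002569; parse_src_ip: 1; sid:5002569; rev:3;)
# rev 3: closing quote restored on content: "AuditLog"
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] AuditLog - Zone Add Device"; content: "Event Name|3a| ZoneAddDevice"; content: "AuditLog"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5002570; parse_src_ip: 1; sid:5002570; rev:3;)

#system-event
#Event Type: Device, Event Name: Devices
#Event Type: Device, Event Name: Registration,
##Event Type: Device, Event Name: SystemSecurity,
# NOTE(review): content matches are substring matches, so "Event Name|3a| Device"
# also matches an AuditLog "Event Name: DeviceEdit" message (which likewise
# contains "Device" and "CylancePROTECT"), i.e. 5002571 may fire alongside
# 5002567. If the field is comma-terminated as the comments above suggest,
# anchoring on "Event Name|3a| Devices|2c|" would remove the overlap - confirm
# against real events before changing.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Device - Action Taken"; content: "Event Name|3a| Device"; content: "Device"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002571; parse_src_ip: 1; sid:5002571; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Device - Registration"; content: "Event Name|3a| Registration"; content: "Device"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002572; parse_src_ip: 1; sid:5002572; rev:2;)
# 5002573 is intentionally disabled (kept for reference).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Device - System Security"; content: "Event Name|3a| SystemSecurity"; content: "Device"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002573; parse_src_ip: 1; sid:5002573; rev:2;)

#exploit-attempt
#Event Type: ExploitAttempt, Event Name: blocked,
#Event Type: ExploitAttempt, Event Name: none,
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] ExploitAttempt - Blocked"; content: "Event Name|3a| blocked"; content: "ExploitAttempt"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5002574; parse_src_ip: 1; sid:5002574; rev:2;)
# "none" means the agent detected an exploit attempt but took no action.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] ExploitAttempt - No Action Taken"; content: "Event Name|3a| none"; content: "ExploitAttempt"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: exploit-attempt; reference: url,wiki.quadrantsec.com/bin/view/Main/5002575; parse_src_ip: 1; sid:5002575; rev:2;)

#misc-attack
#Event Type: Threat, Event Name: threat_changed,
#Event Type: Threat, Event Name: threat_found,
#Event Type: Threat, Event Name: threat_quarantined,
#Event Type: Threat, Event Name: threat_removed,
# Threat rules match the bare event name (no "Event Name|3a|" prefix), unlike
# the AuditLog / Device / ExploitAttempt rules above.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Changed"; content: "threat_changed"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002576; parse_src_ip: 1; sid:5002576; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Found"; content: "threat_found"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002577; parse_src_ip: 1; sid:5002577; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Quarantined"; content: "threat_quarantined"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002578; parse_src_ip: 1; sid:5002578; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CYLANCE] Threat - Removed"; content: "threat_removed"; content: "Threat"; content: "CylancePROTECT"; threshold: type limit, count 1, seconds 300, track by_src; classtype: misc-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002579; parse_src_ip: 1; sid:5002579; rev:2;)
rules/racoon.rules0000664000175000017500000000706712612177151013526 0ustar champchamp# Sagan racoon.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved.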
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
# racoon (IPsec IKE daemon) log messages.  Every rule is keyed on the syslog
# program name "racoon".  None of them extracts an IP from the message, so the
# alert source is presumably the syslog sender rather than the IKE peer --
# confirm before using these for per-peer tracking or blocking.
#
# Severity catch-alls.  "INFO" matches every informational racoon line, so
# 5000269 is high volume; 5000270 ("ERROR") also overlaps with 5000275 below,
# which matches the same content plus a pcre, so a rejected attribute fires both.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Informational message"; content: "INFO"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000269; sid: 5000269; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Error message"; content: "ERROR"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000270; sid: 5000270; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Warning message"; content: "WARNING"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000271; sid: 5000271; rev:1;)
# Phase 1 ISAKMP SA established, i.e. a VPN peer completed IKE authentication.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - ISAKMP-SA - VPN established"; content: "ISAKMP-SA established"; classtype: successful-user ; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000272; sid: 5000272; rev:1;)
# Road-warrior configuration noise that racoon itself ignores (see the msg
# text); the rule set classes it as unsuccessful-user.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Roadwarrior configuration error [ignored error]"; content: "such policy does not already exist"; classtype: unsuccessful-user; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000273; sid: 5000273; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Roadwarrior configuration error [ignored warning]"; content: "ignore INITIAL-CONTACT notification"; classtype: unsuccessful-user; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000274; sid: 5000274; rev:1;)
# ERROR lines about an invalid or rejected IKE attribute (pcre is case-insensitive).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[RACOON] - Invalid configuration settings [ignored error]"; content: "ERROR"; pcre: "/invalid attribute|rejected/i"; classtype: program-error; program: racoon; reference: url,wiki.quadrantsec.com/bin/view/Main/5000275; sid: 5000275; rev:1;)
rules/citrix-bluedot.rules0000664000175000017500000000612012612177151015170 0ustar champchamp# Sagan 
citrix-bluedot.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
# Citrix appliances/devices/software
# Login from Bluedot listed IP (Champ Clark / 08/26/2015)
#
# Each rule pairs a Citrix SSLVPN/AAA log line with a Bluedot reputation lookup
# on the parsed source address ("bluedot: reputation, by_src, $BLUEDOT_NETWORK")
# and, on a hit, pushes an automatic one-day block of that source through
# Snortsam ("fwsam: src, 1 day").  A reputation false positive therefore locks
# the source out for a day; review which categories $BLUEDOT_NETWORK covers (see
# bluedot-catagories.conf) before enabling these.
#
# NOTE(review): 5002341 keys on "SSLVPN LOGIN" -- a login event -- yet carries
# classtype unsuccessful-user like the failure rules.  It also derives the
# address with parse_src_ip/parse_dst_ip and has no "normalize: citrix", whereas
# 5002342/5002343 use both, so the IP handed to bluedot/fwsam may not be
# extracted the same way across the three rules; confirm against a real log line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] Login from Bluedot listed IP"; content: "SSLVPN LOGIN"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; bluedot: reputation, by_src, $BLUEDOT_NETWORK; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002341; sid:5002341; rev:2;)
# Disabled in the shipped rule set.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] AAA LOGIN_FAILED from Bluedot listed IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bluedot: reputation, by_src, $BLUEDOT_NETWORK; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002342; sid:5002342; rev:1;)
# Any SSLVPN HTTP request from a listed source, not only logins.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLUEDOT] SSLVPN HTTPREQUEST from Bluedot listed IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bluedot: reputation, by_src, $BLUEDOT_NETWORK; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002343; sid:5002343; rev:1;)
rules/README0000664000175000017500000000264712612177151012050 0ustar champchampWelcome to the "Sagan Rules" README file
----------------------------------------
This is the Git repository for the Sagan engine rule sets. You probably won't find these useful unless you're actually using Sagan!
For more information, check out the Sagan main web site at:
http://sagan.quadrantsec.com
Github related site:
http://github.com/beave/sagan
What is Sagan?
--------------
Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine. 
It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. The Sagan structure and Sagan rules work similarly to the Sourcefire "Snort" IDS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork/etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS databases via unified2/barnyard2, it is compatible with all Snort "consoles". For example, Sagan is compatible with Snorby [http://www.snorby.org], Sguil [http://sguil.sourceforge.net], BASE, and the Prelude IDS framework! (to name a few). Sagan supports many different output formats, log normalization (via liblognorm), script execution on event and automatic firewall support via "Snortsam" (see http://www.snortsam.net). For more information, please visit the Sagan web site: http://sagan.quadrantsec.com. rules/bluedot-catagories.conf0000664000175000017500000000013412612177151015601 0ustar champchamp0 || Neutral 1 || Whitelisted 2 || Client 3 || Malicious 7 || Advisory 9 || Tor rules/cacti-thold.rules0000664000175000017500000000443512612177151014434 0ustar champchamp# Sagan cacti-thold.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Cacti "thold" plugin notifications, logged under the syslog program name
# CactiTholdLog.  Both rules are plain informational (system-event) matches on
# the message text; no IP is extracted from the line, so the alert is
# presumably attributed to the logging host.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CACTI] CPU went above threshold"; content: "CPU went above threshold"; classtype: system-event; program: CactiTholdLog; reference: url,wiki.quadrantsec.com/bin/view/Main/5001076; sid: 5001076; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[CACTI] CPU restored to normal"; content: "CPU restored to normal"; classtype: system-event; program: CactiTholdLog; reference: url,wiki.quadrantsec.com/bin/view/Main/5001077; sid: 5001077; rev:1;)
rules/snort-geoip.rules0000664000175000017500000000754512612177151014504 0ustar champchamp# Sagan snort-geoip.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# These detect where certain types of files are accessed from outside your HOME_COUNTRY.
# They require that:
#
# 1. Snort logs to syslog:
#    output alert_syslog: LOG_AUTH LOG_ALERT   # Example SNORT config
# 2. Snort "file-identify.rules" rules are enabled
# 3. $HOME_COUNTRY is defined (presumably in sagan.conf) and Sagan was built
#    with GeoIP support -- otherwise country_code cannot be evaluated.
#
# How they match: each rule requires program "snort", the "FILE-IDENTIFY" tag,
# and a file-type token, then compares the GeoIP country of the parsed source
# address (parse_src_ip: 1 = first IP in the message) against $HOME_COUNTRY.
# The file-type tokens are case-sensitive substring matches on the whole log
# line, not on a parsed field: "Exe" also hits "Executable", and "Jar" is the
# only token the "Jar/Zip" rule looks for, so plain Zip detections are not
# covered by 5001981.  Which of the two addresses in a Snort syslog line ends
# up as "source" depends on Snort's output order -- verify the direction on a
# real download alert before trusting the HOME_COUNTRY comparison.
#
# Concept by Robert Nunley (rnunley@quadrantsec.com) - 02/21/2014
# THESE RULES ARE HIGHLY EXPERIMENTAL!
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Executable Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Exe"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001979; sid: 5001979; rev: 2;)
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Java Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Java"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001980; sid: 5001980; rev: 2;)
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Jar/Zip Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Jar"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001981; sid: 5001981; rev: 2;)
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] PDF Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "PDF"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001982; sid: 5001982; rev: 2;)
alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[FILE-GEOIP] Flash Downloaded from outside HOME_COUNTRY"; program: snort; country_code: track by_src, isnot $HOME_COUNTRY; content: "FILE-IDENTIFY"; content: "Flash"; classtype: bad-unknown; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001983; sid: 5001983; rev: 2;)
rules/protocol.map0000664000175000017500000000060612612177151013521 0ustar champchamp message || 17 || nocase ||UDP
message || 1 || nocase ||ICMP
message || 6 || nocase ||TCP
program || 
17 || nocase || named program || 6 || nocase || ssh program || 6 || nocase || sshd program || 6 || nocase || rsync program || 17 || nocase || bind program || 6 || nocase || http program || 6 || nocase || httpd program || 6 || nocase || apache program || 6 || nocase || apache2 rules/snort.rules0000664000175000017500000003014212612177151013400 0ustar champchamp# Sagan snort.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
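IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Snort alerts received over syslog.  Each rule maps one Snort classification
# string back onto the equivalent Sagan classtype so the event is given the
# right priority; "normalize: snort" pulls the addresses/ports out of the Snort
# line.  Snort's syslog output carries a "Classification: <text>" field, so the
# match strings use the |3a| hex escape for the colon -- keep it that way, a
# bare ":" inside a content string is at best parser-dependent.
#
# Catch-all: any Snort line carrying both "Classification" and "Priority".
# It fires alongside whichever specific rule below matches the same line, so
# every Snort alert is reported twice while this rule is enabled.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Snort syslog message"; program: snort; content: "Classification"; content: "Priority"; classtype: suspicious-command; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000386; sid: 5000386; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Not Suspicious Traffic"; program: snort; content: "Classification|3a| Not Suspicious Traffic"; classtype: not-suspicious; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000976; sid: 5000976; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unknown Traffic"; program: snort; content: "Classification|3a| Unknown Traffic"; classtype: unknown; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000977; sid: 5000977; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Bad Traffic"; program: snort; content: "Classification|3a| Bad Traffic"; classtype: bad-unknown; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000978; sid: 5000978; rev:3;)
# The three information-leak rules also raise the "recon" flowbit on the
# source for 86400s (24h); the openssh-correlated rules consume it to flag a
# later successful login from the same address.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Information Leak"; program: snort; content: "Classification|3a| Attempted Information Leak"; classtype: attempted-recon; flowbits: set, recon, 86400; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000979; sid: 5000979; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Information Leak"; program: snort; content: "Classification|3a| Information Leak"; classtype: successful-recon-limited; flowbits: set, recon, 86400; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000980; sid: 5000980; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Large Scale Information Leak"; program: snort; content: "Classification|3a| Large Scale Information Leak"; classtype: successful-recon-largescale; flowbits: set, recon, 86400; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000981; sid: 5000981; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Denial of Service"; program: snort; content: "Classification|3a| Attempted Denial of Service"; classtype: attempted-dos; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000982; sid: 5000982; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Denial of Service"; program: snort; content: "Classification|3a| Denial of Service"; classtype: successful-dos; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000983; sid: 5000983; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted User Privilege Gain"; program: snort; content: "Classification|3a| Attempted User Privilege Gain"; classtype: attempted-user; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000984; sid: 5000984; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Unsuccessful User Privilege Gain"; program: snort; content: "Classification|3a| Unsuccessful User Privilege Gain"; classtype: unsuccessful-user; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000985; sid: 5000985; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful User Privilege Gain"; program: snort; content: "Classification|3a| Successful User Privilege Gain"; classtype: successful-user; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000986; sid: 5000986; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempted Administrator Privilege Gain"; program: snort; content: "Classification|3a| Attempted Administrator Privilege Gain"; classtype: attempted-admin; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000987; sid: 5000987; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Successful Administrator Privilege Gain"; program: snort; content: "Classification|3a| Successful Administrator Privilege Gain"; classtype: successful-admin; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000988; sid: 5000988; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Decode of an RPC Query"; program: snort; content: "Classification|3a| Decode of an RPC Query"; classtype: rpc-portmap-decode; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000989; sid: 5000989; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Executable code was detected"; program: snort; content: "Classification|3a| Executable code was detected"; classtype: shellcode-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000990; sid: 5000990; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious string was detected"; program: snort; content: "Classification|3a| A suspicious string was detected"; classtype: string-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000991; sid: 5000991; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A suspicious filename was detected"; program: snort; content: "Classification|3a| A suspicious filename was detected"; classtype: suspicious-filename-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000992; sid: 5000992; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] An attempted login using a suspicious username was detected"; program: snort; content: "Classification|3a| An attempted login using a suspicious username was detected"; classtype: suspicious-login; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000993; sid: 5000993; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A system call was detected"; program: snort; content: "Classification|3a| A system call was detected"; classtype: system-call-detect; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000995; sid: 5000995; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A TCP connection was detected"; program: snort; content: "Classification|3a| A TCP connection was detected"; classtype: tcp-connection; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000996; sid: 5000996; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A Network Trojan was detected"; program: snort; content: "Classification|3a| A Network Trojan was detected"; classtype: trojan-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000997; sid: 5000997; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] A client was using an unusual port"; program: snort; content: "Classification|3a| A client was using an unusual port"; classtype: unusual-client-port-connection; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000998; sid: 5000998; rev:3;)
# rev 4: this rule used a bare ":" in its classification string where every
# other rule in the file uses |3a|.  A literal colon inside content may be cut
# off by the option parser (leaving a match on "Classification" alone, i.e. a
# second catch-all); switched to |3a| so it is built the same way as the rest.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Network Scan"; program: snort; content: "Classification|3a| Detection of a Network Scan"; classtype: network-scan; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5000999; sid: 5000999; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a Denial of Service Attack"; program: snort; content: "Classification|3a| Detection of a Denial of Service Attack"; classtype: denial-of-service; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001000; sid: 5001000; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Detection of a non-standard protocol or event"; program: snort; content: "Classification|3a| Detection of a non-standard protocol or event"; classtype: non-standard-protocol; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001001; sid: 5001001; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic Protocol Command Decode"; program: snort; content: "Classification|3a| Generic Protocol Command Decode"; classtype: protocol-command-decode; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001002; sid: 5001002; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] access to a potentially vulnerable web application"; program: snort; content: "Classification|3a| access to a potentially vulnerable web application"; classtype: web-application-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001003; sid: 5001003; rev:3;)
# NOTE(review): 5001003 and 5001004 share classtype web-application-activity,
# so an actual web application attack gets the same priority as mere access to
# a vulnerable application.  If the local classification.config defines
# web-application-attack (the name Snort uses for this classification), this
# rule should use it; left unchanged here because that depends on the config.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Web Application Attack"; program: snort; content: "Classification|3a| Web Application Attack"; classtype: web-application-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001004; sid: 5001004; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc activity"; program: snort; content: "Classification|3a| Misc activity"; classtype: misc-activity; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001005; sid: 5001005; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Misc Attack"; program: snort; content: "Classification|3a| Misc Attack"; classtype: misc-attack; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001006; sid: 5001006; rev:3;)
# rev 4: bare ":" replaced with |3a| for the same reason as 5000999.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Generic ICMP event"; program: snort; content: "Classification|3a| Generic ICMP event"; classtype: icmp-event; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001007; sid: 5001007; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] SCORE! Get the lotion! [Porn]"; program: snort; content: "Classification|3a| SCORE! Get the lotion!"; classtype: kickass-porn; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001008; sid: 5001008; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Potential Corporate Privacy Violation"; program: snort; content: "Classification|3a| Potential Corporate Privacy Violation"; classtype: policy-violation; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001009; sid: 5001009; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SNORT] Attempt to login by a default username and password"; program: snort; content: "Classification|3a| Attempt to login by a default username and password"; classtype: default-login-attempt; normalize: snort; reference: url,wiki.quadrantsec.com/bin/view/Main/5001010; sid: 5001010; rev:3;)
rules/openssh-correlated.rules0000664000175000017500000000750112612177151016037 0ustar champchamp# Sagan openssh-correlated.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.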
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Correlated sshd rules: each one only fires when a flowbit set earlier by a
# different rule set is still active for the same source ("isset,by_src").
# "recon" is raised by the Snort information-leak rules and the Cisco SNMP
# auth-failure rule (24h lifetime); "honeypot" and "brute_force" are set by
# rule sets outside this file, so these rules are silent unless those are
# loaded too.  "normalize: openssh" supplies the source address used for the
# by_src lookup.  The "|" in "recon|honeypot" is presumably an OR of the two
# bits -- confirm against the flowbits documentation.
#
# Added by Champ Clark - 09/18/2015
# Login after previous recon flowbit is set.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via password after suspicious activity"; content: "Accepted password"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002353; normalize: openssh; program: sshd; sid:5002353; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via public key after suspicious activity"; content: "Accepted publickey"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002354; normalize: openssh; program: sshd; sid:5002354; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Authentication success via keyboard-interactive after suspicious activity"; content: "Accepted keyboard-interactive"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002355; normalize: openssh; program: sshd; sid:5002355; rev:2;)
# Added by Champ Clark - 09/17/2014 - Required flowbit. Valid login _after_ brute force.
#
# The case-insensitive pcre matches any sshd line containing "accepted" or
# "authenticated", which includes the "Accepted publickey" line that 5002178
# below also matches -- a key-based login after a brute force raises both sids.
# On a hit the "attacker" flowbit is set on the source for 86400s so other
# rules can track that address.
# NOTE(review): the reference URL points at 5002176 while the sid is 5002177;
# every other rule here references its own sid -- check whether the wiki page
# was simply renumbered.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] SSH login success after brute force attack!"; pcre: "/accepted|authenticated/i"; flowbits: isset,by_src,brute_force; flowbits: set,attacker,86400; normalize: openssh; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002176; sid:5002177; rev:6;)
# We could later use "attacker.generic" to "track" the attacker!
# Public-key login from a source that was previously brute forcing: the key
# may have been planted by the attacker, so treat this as higher value than a
# password login and check authorized_keys on the target.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-CORRELATED] Accepted publickey after brute force attack!"; content: "Accepted publickey" ; flowbits: isset,by_src,brute_force; flowbits: set,attacker,86400; normalize: openssh; classtype: correlated-attack; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002178; sid:5002178; rev:5;)
rules/cisco-ios.rules0000664000175000017500000006307512612177151014126 0ustar champchamp# Sagan cisco-ios.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-IOS] SNMP Authentication Failure [0/5]"; content: "SNMP-3-AUTHFAIL"; classtype: attempted-recon; flowbits: set, recon, 86400; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000051; sid: 5000051; rev:7;) alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg: "[CISCO-IOS] Attempted RSHELL connection"; content: "RCMD-4-RSHPORTATTEMPT"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000052; sid: 5000052; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINK-3-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000053; sid: 5000053; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINEPROTO-5-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000054; sid: 5000054; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Configuration from console"; content: "SYS-5-CONFIG_I"; parse_src_ip: 1; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000055; sid: 5000055; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS configuration 
changed"; content: "SYS-5-CONFIG"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000111; sid:5000111; rev:4;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Successful login"; content: "SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000112; sid:5000112; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; normalize: cisco; reference: url,wiki.quadrantsec.com/bin/view/Main/5001520; sid:5001520; rev:1;)
# NOTE(review): sid 5000113 below and sid 5001686 (later in this file) both key on SEC_LOGIN-4-LOGIN_FAILED with the same "after" window (10 in 300s) and both request "fwsam: src, 1 day", so a single failed-login burst raises two alerts and two block requests for the same source; one of the two is probably redundant.
drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; normalize: cisco; reference: url,wiki.quadrantsec.com/bin/view/Main/5000113; sid:5000113; rev:8;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fan failure - Fan not rotating [0/2]"; content: "ENVMON-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000388; sid:5000388; rev:4;)
# NOTE(review): the "[0/2]" tag in the next msg does not agree with its threshold (count 5); one of the two looks stale.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fans had a rotation error reported [0/2]"; content: "%FAN-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001198; sid:5001198; rev:3;)
# NOTE(review): the reference URL of the disabled rule below ends in 5001190 while its sid is 5001199 - looks like a typo in the wiki link.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Power Controller reports power Imax error detected"; content: "%ILPOWER-3-CONTROLLER_PORT_ERR"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid:5001199; rev:1;)
# Rules submitted by Sniffty Dugen (July 31, 2012)
alert syslog $EXTERNAL_NET any -> $HOME_NET 
any (msg: "[CISCO-IOS] Unsupported Hardware Module"; content: "C6KPWR-SP-4-UNSUPPORTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1ab; sid: 5001476; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet recieved to short"; content: "EARL_L3_ASIC-SP-4-INTR_THROTTLE: Throttling"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1abb; sid: 5001477; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet with probable bad checksum Dropped"; content: "EARL_L3_ASIC-SP-3-INTR_WARN"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#EARL; sid: 5001478; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] NetFlow addressable memory almost full"; content: "EARL_NETFLOW-SP-4-TCAM_THRLD"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1a; sid: 5001479; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS Keepalive Loop Detected"; content: "ETHCNTR-3-LOOP_BACK_DETECTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1b; sid: 5001480; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Possible IOS System Crash"; content: "loadprog: error"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1bc; sid: 5001481; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Error in Layer 3 Forwarding ASIC [0/2]"; content: "L3_ASIC-DFC3-4-ERR_INTRPT"; threshold: type limit, track by_src, count 2, seconds 300; classtype: network-event; 
reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#ASIC; sid: 5001482; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] MAC/IP length inconsistencies"; content: "MLS_STAT-SP-4-IP_LEN_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1; sid: 5001483; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IP Checksum detected"; content: "MLS_STAT-SP-4-IP_CSUM_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob2; sid: 5001484; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Excessive Multicast Traffic to IGMP reserved address"; content: "MCAST-SP-6-ADDRESS_ALIASING_FALLBACK"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob3; sid: 5001485; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] PIM Hold Time Out of range"; content: "MROUTE-3-TWHEEL_DELAY_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob5; sid: 5001486; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Maximum Number of L2 Multicast Group Entries Created"; content: "MCAST-SP-6-GC_LIMIT_EXCEEDED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob6; sid: 5001487; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Internal Table Manager Parity Error"; content: "MISTRAL-SP-3-ERROR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob7; sid: 5001488; rev:1;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-IOS] Short IP Packets Detected"; content: "MLS_STAT-4-IP_TOO_SHRT"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob8; sid: 5001489; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Creating Session to module/slot failed"; content: "Processor"; content: "cannot service session requests"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#Processor; sid: 5001490; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Firmware error detected"; content: "PM_SCP-1-LCP_FW_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob9; sid: 5001491; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Error Condition"; content: "PM_SCP-2-LCP_FW_ERR_INFORM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-error; sid: 5001492; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Error Detected [0/3]"; content: "PM_SCP-SP-2-LCP_FW_ERR_INFORM"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#mod-issue; sid: 5001493; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported SFP GBIC Detected"; content: "PM_SCP-SP-3-TRANSCEIVER_BAD_EEPROM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badkey; sid: 5001494; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] TCAM Resource Exhaustion Detected"; content: "QM-4-TCAM_ENTRY"; classtype: 
hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#TCAM; sid: 5001495; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Supervisor Engine Parity Errors [0/3]"; content: "SYSTEM_CONTROLLER-SP-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tmparity; sid: 5001496; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Memory Parity Error [0/3]"; content: "SYSTEM_CONTROLLER-SW2_SPSTBY-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-controller; sid: 5001497; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Linecard Endpoint Lost Sync"; content: "SP: Linecard endpoint of Channel 14 lost Sync"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#sp141; sid: 5001498; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Misconfigured Boot Variables"; content: "SYSTEM-1-INITFAIL: Network boot is not supported"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#nwboot; sid: 5001499; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Time Outs [0/3]"; content: "CPU_MONITOR-3-TIMED_OUT"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001500; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Not Heard [0/3]"; content: 
"CPU_MONITOR-6-NOT_HEARD"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001501; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IDPROM Image"; content: "Invalid IDPROM image for"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#idprom; sid: 5001502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Module Powered Off"; content: "C6KPWR-4-DISABLED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#pwrdis; sid: 5001503; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC Failed to Synchronize"; content: "ONLINE-SP-6-INITFAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#onlinefail; sid: 5001504; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Flow Mask Request Failed"; content: "FM_EARL7-4-FLOW_FEAT_FLOWMASK_REQ_FAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#flowmask; sid: 5001505; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IGMP join packet Flood"; content: "MCAST-2-IGMP_SNOOP_DISABLE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#igmpsnoop; sid: 5001506; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC/Pinnacle Unrecoverable resources"; content: "C6KERRDETECT-2-FIFOCRITLEVEL"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#dr; sid: 
5001507; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Stalled"; content: "C6KERRDETECT-SP-4-SWBUSSTALL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001508; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Recovered"; content: "C6KERRDETECT-SP-4-SWBUSSTALL_RECOVERED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001509; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SP-RP ping test failed, High Traffic"; content: "SP-RP Ping Test[7]"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#srp; sid: 5001510; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Sub-interface Limit Reached"; content: "SW_VLAN-4-MAX_SUB_INT"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#subint; sid: 5001511; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Hash Bucket Collision"; content: "MCAST-6-L2_HASH_BUCKET_COLLISION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#l2hash; sid: 5001512; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] QoS Hardware Resources Exceeded"; content: "QM-4-AGG_POL_EXCEEDED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#qm_agg; sid: 5001513; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel MTU Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "MTU"; classtype: hardware-event; reference: 
url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-bundle; sid: 5001514; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel Flow Control Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "flow control"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#port; sid: 5001515; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Route entries about to reach FIB capacity"; content: "CFIB-7-CFIB_EXCEPTION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tcamexception; sid: 5001516; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Data Path Error"; content: "CONST_DIAG-SP-3-HM_PORT_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#disablingport; sid: 5001517; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Bad CRC on ASIC Line Card"; content: "CONST_DIAG-SP-4-ERROR_COUNTER_WARNING"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module; sid: 5001518; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Detected Unknown Protocol"; content: "SYS-3-PORT_RX_BADCODE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode; sid: 5001519; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001625; sid: 5001625; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed - 
Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001686; sid: 5001686; rev:6;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] High CPU usage detected"; content: "HIGH CPU DETECTED"; threshold: type limit, track by_src, count 1, seconds 3600; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001626; sid: 5001626; rev:2;) # %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user cisco from 10.10.10.10 - sshd[27924] #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Authentication Failure SSH"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001668; sid: 5001668; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Authentication Failure SSH - Brute force [5/5]"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; classtype: unsuccessful-admin; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001670; sid: 5001670; rev:5;) # %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user cisco from 10.10.10.10 - sshd[27926] alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Illegal User SSH"; content: "%DAEMON-3-SYSTEM_MSG|3a|"; content: "sshd["; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001669; sid: 5001669; rev:5;) # %USER-3-SYSTEM_MSG: FATAL: bad tty - login (no program) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] FATAL - bad tty - login (no program)"; content: "%USER-3-SYSTEM_MSG|3a|"; content: "FATAL: bad tty"; content: 
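"no program"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001671; sid: 5001671; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Auth to privilege 15 failed"; content: "%SYS-5-PRIV_AUTH_FAIL"; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001672; sid: 5001672; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Multicast storm detected"; content: "%STORM_CONTROL-3-FILTERED"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001673; sid: 5001673; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid ARP"; content: "%SW_DAI-4-INVALID_ARP"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001674; sid: 5001674; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Low FAN RPM - Service recommended"; content: "%ENVMON-4-FAN_LOW_RPM"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001688; sid: 5001688; rev:3;)
# Submitted by Robert Nunley (rnunley@quadrantsec.com) - 08/14/2013
# sid 5001707: the option was written "parse_src_ipl 1", which is not the "parse_src_ip: 1" spelling every other rule in this file uses (and which its "Neighbor Down" twin sid 5001708 has); depending on the Sagan version a malformed option is either ignored or rejects the whole rule at load time. Corrected and rev bumped 4 -> 5.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Up"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is up"; classtype: system-event; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001707; sid: 5001707; rev:5;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Down"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is down"; classtype: system-event; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001708; sid: 5001708; rev:5;)
# Submitted by Robert Nunley (rnunley@quadrantsec.com) - 11/18/2013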
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Up"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Up"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001718; sid: 5001718; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Down"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Down"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001719; sid: 5001719; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Neighbor Removed From Topology"; content: "%BGP_SESSION-5-ADJCHANGE"; content: "neighbor"; content: "topology"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001720; sid: 5001720; rev:1;) # Submitted by Adam Hall (ahall@quadrantsec.com) - 11/18.2013 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP Requesting Active State"; content: "Grp"; content: "Coup"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001721; sid: 5001721; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%STANDBY-6-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001722; sid: 5001722; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%HSRP-5-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001723; sid: 5001723; rev:1;) # 
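%PARSER-5-CFGLOG_LOGGEDCMD: User:bob logged command:!exec: enable
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Command logged"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; classtype: misc-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5001871; sid: 5001871; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Enable command executed"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; content: "exec"; nocase; content: "enable"; nocase; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001872; sid: 5001872; rev:1;)
# Jan 22 16:03:51: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.10.0.1] [localport: 22] at 16:03:51 UTC Wed Jan 22 2014
# sid 5001952: content now anchors on %SEC_LOGIN-5-LOGIN_SUCCESS (the sample line above). It previously matched %PARSER-5-CFGLOG_LOGGEDCMD, the "command logged" message already covered by sid 5001871/5001872, so every logged command raised a "Login Success" successful-admin event while no enabled rule in this file matched the real login-success message (sid 5000112 is commented out). rev bumped 1 -> 2.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Success"; content: "%SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001952; sid: 5001952; rev:2;)
rules/mongodb.rules0000664000175000017500000001314212612177151013661 0ustar champchamp# Sagan mongodb.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 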
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # MongoDB rules. 
Created by Robert Nunley (rnunley@quadrantsec.com) # 09/13/2012 alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] replSet is going into maintenance mode"; content: "going"; content: "maintenance"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001609; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] replSet is leaving maintenance mode"; content: "leaving"; content: "maintenance"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001610; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] DBException causing immediate shutdown"; content: "dbexception"; content: "shutdown"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001595; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] IOS_Base exception causing immediate shutdown"; content: "ios_base"; content: "shutdown"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001596; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Bad allocation exception causing immediate shutdown"; content: "bad_alloc"; content: "shutdown"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001597; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Shutting down"; content: "shutdown"; content: "listening"; content: !"immediate"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001598; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Clock skew detected"; content: "clock skew"; content: !"large"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001599; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Large clock skew detected"; content: "clock skew"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001600; rev:1;) alert tcp $EXTERNAL_NET any 
-> $HOME_NET 27017 (msg:"[MONGODB] Clock skew exception - shutting down"; content: "ClockSkew"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001601; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Terminating- Shutdown command received"; content: "terminating"; content: "command"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001602; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Handshake detected"; content: "handshake between"; classtype: tcp-connection; program: mongod; parse_src_ip: 1; reference: url,www.mongodb.org; sid: 5001603; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Auth: Could not find user"; content: "auth"; content: "couldn't"; content: "user"; classtype: unsuccessful-user; program: mongod; reference: url,www.mongodb.org; sid: 5001604; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Admin command received from client"; content: "admin"; content: "received"; content: "client"; classtype: successful-admin; program: mongod; reference: url,www.mongodb.org; sid: 5001605; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Attempting to sync"; content: "attempting"; content: "sync"; classtype: system-event; program: mongod; reference: url,www.mongodb.org; sid: 5001606; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Replauthenticate failed: Requires Admin permissions"; content: "requires admin"; content: "failing"; classtype: unsuccessful-admin; program: mongod; reference: url,www.mongodb.org; sid: 5001607; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 27017 (msg:"[MONGODB] Cannot authenticate to master server"; content: "can't authenticate"; content: "master server"; classtype: unsuccessful-user; program: mongod; reference: url,www.mongodb.org; sid: 5001608; rev:1;) rules/asterisk.rules0000664000175000017500000000723512612177151014067 0ustar 
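champchamp# Sagan asterisk.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Asterisk log-level lines (WARN / ERROR / NOTICE) from program "asterisk".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Warning message"; content: "WARN"; classtype: program-error; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000176; sid:5000176; rev:1;)
# sid 5000177 matches "ERROR" lines; its msg was a copy of sid 5000176 ("Warning message") and mislabeled error alerts. rev bumped for the msg change.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Error message"; content: "ERROR"; classtype: program-error; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000177; sid:5000177; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Notice message"; content: "NOTICE"; classtype: program-error; program: asterisk; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000178; sid:5000178; rev:2;)

# Authentication / registration failures. "threshold: type limit" caps output at 5 alerts per source IP in 900 seconds.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [0/5]"; content: "Wrong password"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000179; threshold:type limit, track by_src, count 5, seconds 900; sid:5000179; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [invalid user] [0/5]"; content: "Username/auth name mismatch"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000180; threshold:type limit, track by_src, count 5, seconds 900; sid:5000180; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Login session failed [invalid extension] [0/5]"; content: "No matching peer found"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5000181; threshold:type limit, track by_src, count 5, seconds 900; sid:5000181; rev:3;)
# No threshold on this one: every "Invalid to address" line produces an alert.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ASTERISK] Invalid to address"; content: "Invalid to address"; classtype: unsuccessful-user; program: asterisk; reference: url,wiki.quadrantsec.com/bin/view/Main/5001065; sid: 5001065; rev:1;)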
rules/windows-owa-geoip.rules0000664000175000017500000000444112612177151015615 0ustar champchamp# Sagan windows-owa-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
# 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:33 10.1.2.1 POST /ews/exchange.asmx - 443 - 12.12.12.12 MS-WebServices/1.0 - - 401 0 0 0
# NOTE: no HTTP status match (the sample above is a 401) and no threshold is applied, so a single EWS request from outside $HOME_COUNTRY is enough to trigger the 1-day fwsam block despite the "[5/5]" in the msg; confirm this is intended before enabling fwsam.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA-GEOIP] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; country_code: track by_src, isnot $HOME_COUNTRY; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002265; sid: 5002265; rev:1;)
rules/fortinet-normalize.rulebase0000664000175000017500000000415512612177151016540 0ustar champchamp# Sagan fortinet-normalize.rulebase
# Copyright (c) 2009-2014, Quadrant Information Security
# All rights reserved.
#
# This file is used in conjunction with liblognorm.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* prefix= rule=: time=%-:word% devname=%-:word% devid=%-:word% logid=%-:word% type=%-:word% subtype=%-:word% level=%-:word% vd=%-:word% srcip=%src-ip:ipv4% srcport=%src-port:number% srcintf=%-:word% dstip=%dst-ip:ipv4% dstport=%dst-port:number% dstintf=%-:word% %-:rest% rules/fortinet-geoip.rules0000664000175000017500000000632512612177151015174 0ustar champchamp# Sagan fortinet-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Login accepted from outside HOME_COUNTRY"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001947; sid: 5001947; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Administrator Login from outside HOME_COUNTRY"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001948; sid: 5001948; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] Admin authentication success outside HOME_COUNTRY"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001949; sid: 5001949; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-GEOIP] SSH traffic detected 
from outside HOME_COUNTRY"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001971; sid: 5001971; rev:4;) rules/cisco-aetas.rules0000664000175000017500000001147612612177151014437 0ustar champchamp# Sagan cisco-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN Login at suspicious time"; program: %ASA-6-716038; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002034; sid: 5002034; rev: 2;) # %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] Console login at suspicious time"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002035; sid: 5002035; rev: 2;) # 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob" alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] Login permitted at suspicious time"; program: %ASA-6-605005; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS;classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002036; sid: 5002036; rev: 2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] WebVPN login at suspicious time"; program: %ASA-6-716001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, 
wiki.quadrantsec.com/bin/view/Main/5002037; sid: 5002037; rev: 2;) # Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN disconnect at suspicious time"; program: %ASA-4-113019; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002038; sid: 5002038; rev: 2;) # 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-AETAS] VPN login at suspicious time"; program: %ASA-6-734001; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002039; sid: 5002039; rev: 2;) # Cisco ACS (via VPN) - authentication success # 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated., alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-AETAS] ACS Login success at suspicious time"; program: CisACS_01_PassedAuth; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002040; sid: 5002040; rev: 2;) rules/windows-normalize.rulebase0000664000175000017500000000523012612177151016373 0ustar champchamp# Sagan windows-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #prefix= # Note the space at the end! 
# #rule=: 529: NT AUTHORITY\\SYSTEM: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% #rule=: 529: S-1-5-18: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% rules/proftpd-aetas.rules0000664000175000017500000000407212612177151015007 0ustar champchamp# Sagan proftpd-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD-AETAS] Authentication success at suspicious time"; content: "Login successful"; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; parse_src_ip: 3; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002052; sid: 5002052; rev:3;) rules/classification.config0000664000175000017500000001272612612177151015351 0ustar champchamp# Sagan classification.config # Copyright (c) 2009-2012, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #************************************************************* # Sagan specific classifications! 
#************************************************************* config classification: correlated-attack,Correlated Attack,1 config classification: unsuccessful-admin,Unsuccessful Admin Privilege Gain,1 config classification: exploit-attempt,Exploit Attempt,1 config classification: program-error,Program Error,2 config classification: suspicious-command,Suspicious Command Execution,1 config classification: network-event,Network event,2 config classification: system-event,System event,2 config classification: configuration-change,Configuration Change,2 config classification: spam,Spam,3 config classification: permissions-violation,Attempted Access To File or Directory,3 config classification: suspicious-traffic,Suspicious Traffic,2 config classification: configuration-error,Configuration Error,2 config classification: hardware-event,Hardware Event,1 #************************************************************* # Snort's classifications #************************************************************* config classification: not-suspicious,Not Suspicious Traffic,3 config classification: unknown,Unknown Traffic,3 config classification: bad-unknown,Potentially Bad Traffic, 2 config classification: attempted-recon,Attempted Information Leak,2 config classification: successful-recon-limited,Information Leak,2 config classification: successful-recon-largescale,Large Scale Information Leak,2 config classification: attempted-dos,Attempted Denial of Service,2 config classification: successful-dos,Denial of Service,2 config classification: attempted-user,Attempted User Privilege Gain,1 config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 config classification: successful-user,Successful User Privilege Gain,1 config classification: attempted-admin,Attempted Administrator Privilege Gain,1 config classification: successful-admin,Successful Administrator Privilege Gain,1 #************************************************************* # NEW Snort's classifications 
#************************************************************* config classification: rpc-portmap-decode,Decode of an RPC Query,2 config classification: shellcode-detect,Executable code was detected,1 config classification: string-detect,A suspicious string was detected,3 config classification: suspicious-filename-detect,A suspicious filename was detected,2 config classification: suspicious-login,An attempted login using a suspicious username was detected,2 config classification: system-call-detect,A system call was detected,2 config classification: tcp-connection,A TCP connection was detected,4 config classification: trojan-activity,A Network Trojan was detected, 1 config classification: unusual-client-port-connection,A client was using an unusual port,2 config classification: network-scan,Detection of a Network Scan,3 config classification: denial-of-service,Detection of a Denial of Service Attack,2 config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 config classification: protocol-command-decode,Generic Protocol Command Decode,3 config classification: web-application-activity,access to a potentially vulnerable web application,2 config classification: web-application-attack,Web Application Attack,1 config classification: misc-activity,Misc activity,3 config classification: misc-attack,Misc Attack,2 config classification: icmp-event,Generic ICMP event,3 config classification: kickass-porn,SCORE! Get the lotion!,1 config classification: policy-violation,Potential Corporate Privacy Violation,1 config classification: default-login-attempt,Attempt to login by a default username and password,2 rules/openssh-normalize.rulebase0000664000175000017500000000635012612177151016364 0ustar champchamp# Sagan openssh-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* prefix= rule=: Invalid user %username:word% from %src-ip:ipv4% rule=: Failed %-:word% for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted %-:word% for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted keyboard-interactive/pam for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: error: PAM: Authentication failure for %username:word% from %src-ip:ipv4% rule=: error: PAM: Authentication failure for %username:word% from %src-host:word% rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% user=%username:word% rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% rule=: PAM %number:number% more authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% rule=: Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: error: PAM: Authentication failure for illegal user %username:word% from %src-ip:ipv4% rule=: Failed password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rule=: Accepted gssapi-with-mic for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 rules/windows-owa-blacklist.rules0000664000175000017500000000410212612177151016454 0ustar champchamp# Sagan windows-owa-blacklist.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA-BLACKLIST] Login failure - Brute force [5/5]"; content: "/ews/exchange.asmx"; nocase; blacklist: by_src; classtype: suspicious-traffic; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002267; sid: 5002267; rev:1;) rules/cisco-correlated.rules0000664000175000017500000001112212612177151015452 0ustar champchamp# Sagan cisco-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Console login after suspicious activity"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002360; sid:5002360; rev: 3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] Login permitted after suspicious activity"; program: %ASA-6-605005; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002361; sid:5002361; rev: 3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA-6-716001|%ASA-6-716038; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002362; sid:5002362; rev: 3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN disconnect after suspicious activity"; program: %ASA-4-113019|%ASA-6-716002|%ASA-6-721018; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002363; sid:5002363; rev: 3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-CORRELATED] VPN login after suspicious activity"; program: %ASA-6-734001; classtype: 
correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002364; sid:5002364; rev: 3;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] ACS Login success after suspicious activity"; program: CisACS_01_PassedAuth; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002365; sid:5002365; rev: 3;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] VPN login after suspicious activity [2]"; program: %ASA-6-722022|%ASA-6-722023; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5002366; sid:5002366; rev: 3;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after suspicious activity"; program: %ASA-6-303002; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002367; sid:5002367; rev: 3;) alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-CORRELATED] FTP file transfer after suspicious activity [2]"; program: %ASA-6-303002; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; parse_src_ip: 1; parse_dst_ip: 2; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002368; sid:5002368; rev: 3;) rules/windows-mssql.rules0000664000175000017500000001077612612177151015075 0ustar champchamp# Sagan windows-mssql.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows based rules. # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ # MSSQL$SERVER| 18456: Login failed for user 'DOMAIN\user'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. 
[CLIENT: ] # MSSQL$XXX| 18453: Login succeeded for user 'DOMAIN\user'. Connection: trusted. [CLIENT: ] # MSSQLSERVER| 18456: Login failed for user 'BOB'. Reason: Failed to open the explicitly specified database. [CLIENT: 10.5.5.6] # |MSSQLSERVER| 19030: SQL Trace ID 2 was started by login "DOMAIN\user". # MSSQLSERVER| 19031: SQL Trace stopped. Trace ID = '2'. Login Name = 'DOMAIN\user'. # MSSQL$XXX| 833: SQL Server has encountered 1 occurrence(s) of I/O requests taking longer than 15 seconds to complete on file [E:\\Data\test.mdf] in database [] (17). The OS file handle is 0x0000000000000AF8. The offset of the latest long I/O is: 0x0000003a7a0000 # |MSSQLSERVER| 18451: Login failed for user 'DOMAIN\users'. Only administrators may connect at this time. [CLIENT: 10.1.6.1] # |MSSQLSERVER| 26022: Server is listening on # MSSQLSERVER| 18452: Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 10.1.3.9] # MSSQLSERVER| 17147: SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required. # 17162: SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required. 
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MSSQL] Login Failure"; content: " 18456|3a| "; classtype: unsuccessful-user; program: MSSQL*; reference: url,wiki.quadrantsec.com/bin/view/Main/5001640; sid: 5001640; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MSSQL] Login Failure - Brute force [25/1]"; content: " 18456|3a| "; content:!"local machine"; content:!"named pipe"; parse_src_ip: 1; classtype: unsuccessful-user; program: MSSQL*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001641; sid: 5001641; rev:10;) alert tcp $EXTERNAL_NET any -> $HOME_NET $MSSQL_PORT (msg: "[WINDOWS-MSSQL] Login Failure from non-trusted connection - Brute force [25/1]"; content: " 18452|3a| "; parse_src_ip: 1; classtype: unsuccessful-user; program: MSSQL*; flowbits: set,brute_force, 86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002402; sid:5002402; rev:1;) rules/imapd-correlated.rules0000664000175000017500000000663212612177151015456 0ustar champchamp# Sagan imapd-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-CORRELATED] Login after suspicious activity"; program: imapd|imapd-ssl; content: "LOGIN,"; classtype: correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002375; sid:5002375; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-CORRELATED] Logout after suspicious activity"; program: imapd|imapd-ssl; content: "LOGOUT,"; classtype: correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002376; sid:5002376; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-CORRELATED] Timeout after suspicious activity"; program: imapd|imapd-ssl; content: "TIMEOUT,"; classtype: correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002377; sid:5002377; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-CORRELATED] Disconnect after suspicious activity"; program: imapd|imapd-ssl; content: "DISCONNECTED,"; classtype: correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002378; sid:5002378; rev: 1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $IMAP_PORT (msg: "[IMAPD-CORRELATED] Connection after suspicious activity"; program: imapd|imapd-ssl; content: "Connection,"; classtype: correlated-attack; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; reference: url, wiki.quadrantsec.com/bin/view/Main/5002379; sid:5002379; rev: 1;) rules/riverbed.rules0000664000175000017500000000630112612177151014035 0ustar champchamp# Sagan riverbed.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules # Champ Clark (04/15/2014) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. 
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED] Administrator Login"; content: "logged in"; content: "session count"; parse_src_ip: 1; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002030; program: webasd; sid: 5002030; rev:2;) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:42:55|webasd| [web.NOTICE]: web: User bob from 10.7.8.1 with the given password is not recognized: You must provide a valid account name and password. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED] Administrator Login Failure"; content: "password is not recognized"; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002031; program: webasd; sid: 5002031; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED] Administrator Login Failure - Brute Force [5/5]"; content: "password is not recognized"; parse_src_ip: 1; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002033; program: webasd; sid: 5002033; rev:1;) rules/riverbed-aetas.rules0000664000175000017500000000454612612177151015141 0ustar champchamp# Sagan riverbed-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules # Champ Clark (04/15/2014) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. 
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED-AETAS] Administrator Login at suspicious time"; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002053; program: webasd; sid: 5002053; rev:2;) rules/citrix-brointel.rules0000664000175000017500000000601312612177151015351 0ustar champchamp# Sagan citrix-brointel.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Citrix appliances/devices/software # Login from Bro Intel IP (Champ Clark / 04/01/2015) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] Login from outside Bro Intel listed IP"; content: "SSLVPN LOGIN"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002262; sid: 5002262; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] AAA LOGIN_FAILED from Bro Intel listed IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002282; sid:5002282; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BROINTEL] SSLVPN HTTPREQUEST from Bro Intel listed IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; bro-intel: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002286; sid:5002286; rev:1;) rules/cisco-wlc.rules0000664000175000017500000003166712612177151014123 0ustar champchamp# Sagan cisco-wlc.rules # Copyright (c) 2009-2015, Quadrant Information 
Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # Rules for the Cisco WLC (Wireless LAN Controller) - The Cisco WLC doesn't always send everything via syslog. # For example, rogue AP detection can only be sent via snmptrap. You will need to set up SNMP-Trap on the # Cisco-WLC to point to the Sagan device. Set up snmptrapd on the Sagan device to receive the SNMP trap messages # and forward them to syslog. 
When snmptrapd is used, Sagan will look for the OID of the offending message. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Rogue AP detected [0/5]"; program: snmptrapd; content: "14179.2.6.3.36"; classtype: suspicious-traffic; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001689; sid:5001689; rev:2;) # Champ Clark (cclark@quadrantsec.com) - 08/27/2014 # # WLC IDS signatures. # Reference: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html#para # Revision = 1.000 Name = "Bcast deauth", Ver = 0, Preced= 1, FrmType = mgmt, Pattern = 0:0x00C0:0x03FF, Pattern = 4:0x01:0x01, Freq=30, Quiet = 300, Action = report, Desc="Broadcast Deauthentication Frame" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Bcast Deauth"; program: snmptrapd; content: "signatureName=Bcast deauth"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002104; sid:5002104; rev:1;) # Name = "NULL probe resp 1", Ver = 0, Preced = 2, FrmType = mgmt, Pattern = 0:0x0050:0x03FF, Pattern = 36:0x0000:0xFFFF, Freq=1, Quiet = 300, Action = report, Desc = "NULL Probe Response - Zero length SSID element" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Null probe resp 1"; program: snmptrapd; content: "signatureName=NULL probe resp 1"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002105; sid:5002105; rev:1;) # Name = "NULL probe resp 2", Ver = 0, Preced = 3, FrmType = mgmt, Pattern = 0:0x0050:0x03FF, Pattern = !36:0x00:0xFF, Freq=1, Quiet = 300, Action = report, Desc = "NULL Probe Response - No SSID element" alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[CISCO-WLC] Null probe resp 2"; program: snmptrapd; content: "signatureName=NULL probe resp 2"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002106; sid:5002106; rev:1;) # Name = "Assoc flood", Ver = 0, Preced= 4, FrmType = mgmt, Pattern = 0:0x0000:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Association Request flood" Name = "Auth Flood", Ver = 0, Preced= 5, FrmType = mgmt, Pattern = 0: 0x00b0: 0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Authentication Request flood" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Assoc Flood"; program: snmptrapd; content: "signatureName=Assoc flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002107; sid:5002107; rev:1;) # Name = "Reassoc flood", Ver = 0, Preced= 5, FrmType = mgmt, Pattern = 0:0x0020:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Reassociation Request flood" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Reassoc Flood"; program: snmptrapd; content: "signatureName=Reassoc flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002108; sid:5002108; rev:1;) # Name = "Broadcast Probe flood", Ver = 0, Preced= 6, FrmType = mgmt, Pattern = 0:0x0040:0x03FF, Pattern = 4:0x01:0x01, Pattern = 24:0x0000:0xFFFF, Freq=50, Quiet = 600, Action = report, Desc="Broadcast Probe Request flood" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Broadcast Probe flood"; program: snmptrapd; content: "signatureName=Broadcast Probe flood"; classtype: suspicious-traffic; reference: 
url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002109; sid:5002109; rev:1;) # Name = "Disassoc flood", Ver = 0, Preced= 7, FrmType = mgmt, Pattern = 0:0x00A0:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Disassociation flood" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Disassoc flood"; program: snmptrapd; content: "signatureName=Disassoc flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002110; sid:5002110; rev:1;) # Name = "Deauth flood", Ver = 0, Preced= 8, FrmType = mgmt, Pattern = 0:0x00C0:0x03FF, Freq=50, Quiet = 600, Action = report, Desc="Deauthentication flood" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Deauth flood"; program: snmptrapd; content: "signatureName=Deauth flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002111; sid:5002111; rev:1;) # Name = "Res mgmt 6 & 7", Ver = 0, Preced= 9, FrmType = mgmt, Pattern = 0:0x0060:0x03EF, Freq=5, Quiet = 600, Action = report, Desc="Reserved management sub-types 6 and 7" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Res mgmt 6 & 7"; program: snmptrapd; content: "signatureName=Res mgmt 6 & 7"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002112; sid:5002112; rev:1;) # Name = "Res mgmt D", Ver = 0, Preced= 10, FrmType = mgmt, Pattern = 0:0x00D0:0x03FF, Freq=5, Quiet = 600, Action = report, Desc="Reserved management sub-type D" alert syslog $EXTERNAL_NET any -> $HOME_NET any 
(msg: "[CISCO-WLC] Res mgmt D"; program: snmptrapd; content: "signatureName=Res mgmt D"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002113; sid:5002113; rev:1;) # Name = "Res mgmt E & F", Ver = 0, Preced= 11, FrmType = mgmt, Pattern = 0:0x00E0:0x03EF, Freq=5, Quiet = 600, Action = report, Desc="Reserved management sub-types E and F" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Res mgmt E & F"; program: snmptrapd; content: "signatureName=Res mgmt E & F"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002114; sid:5002114; rev:1;) # Name = "EAPOL flood", Ver = 0, Preced= 12, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 30:0x888E:0xFFFF, Freq=50, Quiet = 300, Action = report, Desc="EAPOL Flood Attack" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] EAPOL flood"; program: snmptrapd; content: "signatureName=EAPOL flood"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002115; sid:5002115; rev:1;) # Name = "NetStumbler 3.2.0", Ver = 0, Preced= 13, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Pattern = 36:0x466c7572:0xFFFFFFFF, Freq = 1, Quiet = 300, Action = report, Desc="NetStumbler 3.2.0" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler 3.2.0 detected"; program: snmptrapd; content: "signatureName=NetStumbler 3.2.0"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002116; sid:5002116; rev:1;) # Name = "NetStumbler 3.2.3", Ver = 0, Preced= 14, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Pattern = 36:0x416C6C20:0xFFFFFFFF, Freq = 1, Quiet = 600, Action = report, Desc="NetStumbler 3.2.3" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler 3.2.3 detected"; program: snmptrapd; content: "signatureName=NetStumbler 3.2.3"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002117; sid:5002117; rev:1;) # Name = "NetStumbler 3.3.0", Ver = 0, Preced= 15, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Pattern = 36:0x20202020:0xFFFFFFFF, Freq = 1, Quiet = 600, Action = report, Desc="NetStumbler 3.3.0" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler 3.3.0 detected"; program: snmptrapd; content: "signatureName=NetStumbler 3.3.0"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002118; sid:5002118; rev:1;) # Name = "NetStumbler generic", Ver = 0, Preced= 16, FrmType = data, Pattern = 0:0x0108:0x03FF, Pattern = 27:0x00601d:0xFFFFFF, Pattern = 30:0x0001:0xFFFF, Freq = 1, Quiet = 600, Action = report, Desc="NetStumbler" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] NetStumbler generic detected"; program: snmptrapd; content: "signatureName=NetStumbler generic"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002119; sid:5002119; rev:1;) # Name = "Wellenreiter", Ver = 0, 
Preced= 17, FrmType = mgmt, Pattern = 0:0x0040:0x03FF, Pattern = 24:0x001d746869735f69735f757365645f666f725f77656c6c656e726569: 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffff, Freq = 1, Quiet = 600, Action = report, Desc="Wellenreiter" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Wellenreiter detected"; program: snmptrapd; content: "signatureName=Wellenreiter"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002120; sid:5002120; rev:1;) # Big NAV Dos attack from AP with Base Radio MAC 00:0f:23:xx:xx:xx, Slot ID 0 and Source MAC 00:00:00:00:00:00 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-WLC] Big NAV Dos attack"; program: snmptrapd; content: "Big NAV Dos attack"; classtype: suspicious-traffic; reference: url,www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html; reference: url,wiki.quadrantsec.com/bin/view/Main/5002121; sid:5002121; rev:1;) rules/sonicwall.rules0000664000175000017500000000554412612177151014236 0ustar champchamp# Sagan sonicwall.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible TCP Port Scan"; content: "Possible port scan detected"; content: "TCP scanned port list"; classtype: network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001083; sid: 5001083; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] Possible UDP Port Scan"; content: "Possible port scan detected"; content: "UDP scanned port list"; classtype: network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001085; sid: 5001085; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; content: "ICMP PING"; classtype: network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001084; sid: 5001084; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[SONICWALL] IPS Detection Alert"; content: "IPS Detection Alert"; classtype: 
network-scan; normalize: sonicwall; reference: url,wiki.quadrantsec.com/bin/view/Main/5001090; sid: 5001090; rev:2;) rules/deleted.rules0000664000175000017500000002213412612177151013643 0ustar champchamp# Sagan deleted.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Where rules go to die & why. #************************************************************* # Champ Clark - 09/17/2014 - Would be better for meta_content, if we event want to do this! #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [a]"; pcre: "/invalid user|illegal user/i"; content: "user a "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001106; sid: 5001106; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [admin]"; pcre: "/invalid user|illegal user/i"; content: "user admin "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001107; sid: 5001107; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [ftp]"; pcre: "/invalid user|illegal user/i"; content: "user ftp "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001108; sid: 5001108; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [guest]"; pcre: "/invalid user|illegal user/i"; content: "user guest "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001109; sid: 
5001109; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [info]"; pcre: "/invalid user|illegal user/i"; content: "user info "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001110; sid: 5001110; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [mysql]"; pcre: "/invalid user|illegal user/i"; content: "user mysql "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001111; sid: 5001111; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [nagios]"; pcre: "/invalid user|illegal user/i"; content: "user nagios "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001112; sid: 5001112; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [oracle]"; pcre: "/invalid user|illegal user/i"; content: "user oracle "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001113; sid: 5001113; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [postgres]"; pcre: "/invalid user|illegal user/i"; content: "user postgres "; flowbits: set, 
illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001114; sid: 5001114; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [test]"; pcre: "/invalid user|illegal user/i"; content: "user test "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001115; sid: 5001115; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [user]"; pcre: "/invalid user|illegal user/i"; content: "user user "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001116; sid: 5001116; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [web]"; pcre: "/invalid user|illegal user/i"; content: "user web "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001117; sid: 5001117; rev:4;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [webmaster]"; pcre: "/invalid user|illegal user/i"; content: "user webmaster "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001118; sid: 5001118; rev:5;) #drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Invalid or illegal user [apache]"; pcre: "/invalid user|illegal user/i"; content: "user apache "; flowbits: set, illegal_user.unix.ssh&illegal_user.generic, 300; classtype: attempted-user; program: sshd; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001119; sid: 5001119; rev:5;) # Champ Clark - 09/17/2014 - Never used. #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Accepted publickey"; content: "Accepted publickey" ; classtype: successful-user; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000406; sid:5000406; rev:5;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Session closed"; content: "session closed for" ; classtype: not-suspicious; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000407; sid:5000407; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Received disconnect"; content: "Received disconnect from"; classtype: not-suspicious; program: sshd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000408; sid:5000408; rev:4;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH] Authentication success"; pcre: "/accepted|authenticated/i"; classtype: successful-user; normalize: openssh; program: sshd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000075; sid: 5000075; rev:3;) rules/smtp-normalize.rulebase0000664000175000017500000000455612612177151015676 0ustar champchamp# Sagan smtp.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* prefix= rule=: %-:word% %-:word% [%src-ip:ipv4%]: expn %username:word% # p0IGs29E022795: ruleset=check_rcpt, arg1=, relay=mailhost.example.com [192.168.0.1], reject=553 5.1.8 ... 
Domain of sender address bogus@example.com does not exist rule=: %-:word% ruleset=check_rcpt, %-:word% relay=%y:word% [%src-ip:ipv4%] (may be forged), reject=%-:number% %-:rest% # p0I3FCpA013475: [192.168.0.1]: Possible SMTP RCPT flood, throttling. rule=: %-:word%: [%src-ip:ipv4%]: Possible SMTP RCPT flood, throttling. rules/ftpd.rules0000664000175000017500000001314712612177151013176 0ustar champchamp# Sagan ftpd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
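IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# Refused login (unsuccessful-user).
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] FTP Login refused"; content: "FTP LOGIN REFUSED"; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000182; sid:5000182; rev:2;)

# File-operation audit trail. Informational (not-suspicious) on their own, but they
# are what lets an analyst reconstruct what an account touched after a compromise.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] File created"; content: " created "; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000183; sid:5000183; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] File deleted"; content: " deleted "; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000184; sid:5000184; rev:2;)

# Transfer direction, per the msg labels: "IMPORT file" is an upload to the server,
# "EXPORT file" is a download from it. The download msg previously read "to server",
# which inverted the direction for anyone triaging possible exfiltration; fixed and
# rev bumped so downstream correlation can tell the two message versions apart.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User uploaded a file to server"; content: "IMPORT file"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000185; sid:5000185; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User downloaded a file from server"; content: "EXPORT file"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000186; sid:5000186; rev:3;)

# Connection / login tracking.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Remote host connected to FTP server"; pcre: "/FTP LOGIN FROM|connection from|connect from/"; classtype: successful-user; program: ftpd; reference: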
url,wiki.quadrantsec.com/bin/view/Main/5000187; sid:5000187; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Connection blocked by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000188; sid:5000188; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Reverse lookup failure"; pcre: "/can't verify hostname|gethostbyaddr/"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000189; sid:5000189; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Multiple failed login attempts"; content: "repeated login failures"; classtype: misc-attack; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000190; sid:5000190; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] User disconnected due to time out"; content: "timed out after"; classtype: not-suspicious; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000191; sid:5000191; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Attempted access to a disabled account"; content: "Account is disabled"; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000192; sid:5000192; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Failed authentication"; content: "failed authentication from"; nocase; classtype: unsuccessful-user; program: ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001522; sid:5001522; rev:2;) drop tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[FTPD] Failed authentication - Brute force [5/5]"; content: "failed authentication from"; nocase; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: ftpd; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: 
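url,wiki.quadrantsec.com/bin/view/Main/5000193; sid:5000193; rev:6;)

# Successful FTP login as a system/service account. These accounts are normally
# login-disabled, so a match points at a weak or defaulted password on a daemon
# account. The original rule carried "program: sshd", so it was never evaluated
# against ftpd log lines (every other rule in this file uses "program: ftpd");
# corrected and rev bumped. NOTE(review): " apachei " in the original pattern is
# assumed to be a typo for " apache " -- confirm against the account list this was
# written for. The pcre is a space-delimited alternation, so each name must appear
# as a whole word in the log line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[FTPD] User logged into a disabled account"; content: "FTP LOGIN FROM"; pcre: "/ apache | mysql | www | nobody | nogroup | portmap | named | rpc | mail | ftp | shutdown | halt | daemon | bin | postfix | shell | info | guest | psql | user | users | console | uucp | lp | sync | sshd | cdrom | ossec | sagan /"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000412; program: ftpd; sid: 5000412; rev:4;)
rules/samba.rules0000664000175000017500000000610012612177151013313 0ustar champchamp
# Sagan samba.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.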
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Startup network problem"; content: "getpeername failed. Error was Transport endpoint"; classtype: program-error; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000145; sid: 5000145; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection denied"; pcre: "/denied connection from|connection denied from/i"; nocase; classtype: unsuccessful-user; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000146; sid: 5000146; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Connection reset by peer"; content: "Connection reset by peer"; classtype: not-suspicious; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000147; sid: 5000147; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] User action denied by configuration"; content: "Permission denied"; classtype: unsuccessful-user; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000375; sid: 5000375; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[SAMBA] Unable to connect to CUPS server"; content: "Unable to connect to CUPS server"; classtype: program-error; program: smbd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000148; sid: 5000148; rev:1;) rules/proxy-malware.rules0000664000175000017500000004552212612177151015052 0ustar champchamp# 
Sagan proxy-malware.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These rules can be used to detect malware connections from generic proxy devices. For example, Squid, Apache, # Fortigate firewalls, Bluecoat proxies, etc. 
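They are generic rules meant to look for indications of malware
# within a network based on "access" type logs.
#*************************************************************

# Pony trojan check-in (URI fragment of its gate.php endpoint). The original rule
# used the singular $HTTP_PORT, which no other rule in this file uses; it is now
# $HTTP_PORTS to match the rest of the file, so it loads against the same variable
# the Zeus rules below depend on. classtype changed from exploit-attempt to
# trojan-activity to match the sibling rules, parse_src_ip/parse_dst_ip added so
# the alert carries the client and destination like the Zeus rules do, rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Pony Trojan"; content: "ponyb/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5001739; sid: 5001739; rev:2;)

# Rules created by Robert Nunley (rnunley@quadrantsec.com) - 01/08/2013
# Zeus configuration-file fetch URIs, taken from the referenced Snort Labs write-up.
# Each rule is a plain substring match on the proxy access log, so very short paths
# (e.g. "/cfg2") can also match legitimate URLs; review hits against the destination host.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 1"; content: "/Gallery/IMAG0081.GIF"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001882; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 2"; content: "/btn001/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001883; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 3"; content: "/bugzy/i.cfg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001884; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 4"; content: "/cfg2"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 5"; content: "/cfg3.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001886; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 6"; content: "/cnf/trl.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001887; rev:2;)
alert tcp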
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 7"; content: "/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001888; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 8"; content: "/dzen/misc.inc.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001889; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 9"; content: "/film/video.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001890; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 10"; content: "/ftr/vosmoipoint.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001891; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 11"; content: "/ftr/vosmoipont.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001892; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 12"; content: "/gkt/gld44.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001893; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 13"; content: "/good/tlz/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001894; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 14"; content: "/gus/pool.doc"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; 
classtype:trojan-activity; sid: 5001895; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 15"; content: "/ii1IGh.aeL8uf"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001896; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 16"; content: "/im/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001897; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 17"; content: "/img/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001898; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 18"; content: "/index_files/4jpg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001899; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 19"; content: "/inmake/lds/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001900; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 20"; content: "/kartos/kartos.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001901; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 21"; content: "/ldr/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001902; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 22"; content: "/n2.bin"; parse_src_ip: 1; parse_dst_ip: 2; 
reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001903; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 23"; content: "/norma/cf5.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001904; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 24"; content: "/ribbn.tar"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001905; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 25"; content: "/s2/non.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001906; rev:2;) # Triggers to much on valid sites - 04/12/2014 - Champ Clark III #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 26"; content: "/sell.jpg"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001907; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 27"; content: "/test/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001908; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 28"; content: "/ukk/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001909; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 29"; content: "/web/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001910; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: 
"[PROXY-MALWARE] Zeus bin Request 30"; content: "/z/config1.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001911; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 31"; content: "/z_bot/what.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001912; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 32"; content: "/zend/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001913; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 33"; content: "/zeus/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001914; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 34"; content: "/zs/cfg.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001915; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 35"; content: "/~am/szkolapanel/zs/config.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001916; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus bin Request 36"; content: "/~update/serv/updtsys.bin"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001917; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 1"; content: "/4vnrye74mugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 
5001918; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 2"; content: "/4vnrye74vmugh.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001919; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 3"; content: "/DZ3LOrAFpl.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001920; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 4"; content: "/back11/stat1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001921; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 5"; content: "/btn001/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001922; rev:2;) # Triggers to much on valid sites - 04/12/2014 - Champ Clark III #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 6"; content: "/buy.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001923; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 7"; content: "/dd7ejr8ehd8jrf.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001924; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 8"; content: "/dzen/as9965767.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001925; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 9"; content: 
"/free/wthong.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001926; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 10"; content: "/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001927; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 11"; content: "/good/socialnetworks/all4love/peage.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001928; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 12"; content: "/iXeij7Ai.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001929; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 13"; content: "/im/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001930; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 14"; content: "/img/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001931; rev:2;) # Triggers to much on valid sites - 04/12/2014 - Champ Clark III #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 15"; content: "/index1.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001932; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 16"; content: "/inmake/page/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 
5001933; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 17"; content: "/kartos/youyou.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001934; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 18"; content: "/test/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001935; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 19"; content: "/trl/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001936; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 20"; content: "/vvn/ci_g.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001937; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 21"; content: "/web/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001938; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 22"; content: "/z/s.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001939; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 23"; content: "/z_bot/bot_adented.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001940; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 24"; content: "/zend/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; 
reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001941; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Zeus php Request 25"; content: "/zs/gate.php"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,labs.snort.org/papers/zeus.html; classtype:trojan-activity; sid: 5001942; rev:2;) # Triggers on tor2web services - 06/09/2014 - Champ Clark III alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Tor2www Request"; content: ".tor2www."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2www.com; classtype:trojan-activity; sid: 5002061; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Tor2web Request"; content: ".tor2web."; parse_src_ip: 1; parse_dst_ip: 2; reference:url,www.tor2web.org; classtype:trojan-activity; sid: 5002062; rev:2;) # https://isc.sans.edu/forums/diary/PCRE+for+malware+audits/18949 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "[PROXY-MALWARE] Fiesta malware request"; pcre: "/(http:\/\/[^\x2f]+\/[a-z0-9]{6,}_[0-9]+_[a-f0-9]{32}\.html|\/[a-f0-9]{60,66}(?:\x3b\d+){1,4}|\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}|\/[0-9a-z]{32}.php\?[a-z]{1,3}=[0-9a-z]{32})/"; parse_src_ip: 1; parse_dst_ip: 2; reference:url,wiki.quadrantsec.com/bin/view/Main/5002214; classtype:trojan-activity; sid: 5002214; rev:2;) rules/procurve.rules0000664000175000017500000000702412612177151014103 0ustar champchamp# Sagan procurve.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # The rules below are based on SWITCH and L3-SWITCH. The L3 switches are # the 5300/8200 model chassis switches. The plain E-series are the L2 # access/edge switches. 
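- John Babio / ESU
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Invalid username/password"; program: auth; content:"Invalid user name/password"; classtype: unsuccessful-user; sid:5001120; reference: url,wiki.quadrantsec.com/bin/view/Main/5001120; rev:3;)
# sid 5001121: the content string was missing its closing quote, so every option
# after "is now off-line" was part of the string instead of a rule option.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] port is off-line"; program: ports; content:"is now off-line"; classtype: network-event; sid: 5001121; reference: url,wiki.quadrantsec.com/bin/view/Main/5001121; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] System went down:"; program: system; content:"System went down:"; classtype: network-event; sid: 5001122; reference: url,wiki.quadrantsec.com/bin/view/Main/5001122; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-SWITCH] Port Security Violation"; program: FFI; pcre: "/Security Violation/i"; normalize: procurve; classtype: policy-violation; sid: 5001123; reference: url,wiki.quadrantsec.com/bin/view/Main/5001123; rev:1;)
# The "program" becomes the alert ID. So no "content:" is needed - Champ Clark III 06/25/2012
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-L3-SWITCH] port is off-line"; program: 00077; classtype: network-event; sid: 5001124; reference: url,wiki.quadrantsec.com/bin/view/Main/5001124; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[HP-E-SERIES-L3-SWITCH] Invalid username/password"; program: 00419; classtype: unsuccessful-user; sid: 5001125; reference: url,wiki.quadrantsec.com/bin/view/Main/5001125; rev:1;)
rules/sonicwall-normalize.rulebase0000664000175000017500000000554112612177151016701 0ustar champchamp# Sagan sonicwall.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. 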
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #*************************************************************
# Remember the trailing space at the end of each rule. Also, a " character counts as part of a %thing:word% field.
#prefix=id=%firewall:word% sn=%serial:word% time="%date:word% %hour:number%:%minute:number%:%seconds:number%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% prefix=id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% rule=: msg="Possible port scan detected" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% note=%ports-scanned:quoted-string% #rule=: msg="%alert:char-to:\x22%" sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% rule=: msg=%alert:quoted-string% sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% rules/ssh-tectia-server-aetas.rules0000664000175000017500000000434312612177151016702 0ustar champchamp# Sagan ssh-tectia-server-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[SSH-TECTIA-SERVER-AETAS] Authentication success at suspicious time"; content: "Login_success"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002054; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; sid: 5002054; rev:2;) rules/nginx.rules0000664000175000017500000000747612612177151013374 0ustar champchamp# Sagan nginx.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
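# #*************************************************************
# The three log-level rules below key on the bracketed nginx level token, so the
# brackets must be escaped in the pcre: an unescaped [error] is a character class
# that matches a single e, r or o rather than the literal "[error]" token, which
# makes the pattern match far more than the intended level line.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx error message"; pcre: "/^\S+ \S+ \[error\]/i"; classtype: program-error; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000168; sid: 5000168; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx warning message"; pcre: "/^\S+ \S+ \[warn\]/i"; classtype: program-error; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000169; sid:5000169; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx critical message"; pcre: "/^\S+ \S+ \[crit\]/i"; classtype: program-error; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000170; sid:5000170; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx 404 error"; pcre: "/no such file or directory|is not found/i"; classtype: suspicious-filename-detect; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000171; sid:5000171; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Incomplete client request"; content: "Software caused connection abort"; classtype: suspicious-traffic; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000172; sid:5000172; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Initial 401 authentication request"; content: "no user/password was provided for basic authentication"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000173; sid:5000173; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Web authentication failed"; pcre: "/password mismatch, client|was not found in/i"; classtype: unsuccessful-user; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000174; sid:5000174; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[NGINX] Nginx Invalid URI, file name too long"; content: "File name too long"; classtype: suspicious-filename-detect; program: nginx; reference: url,wiki.quadrantsec.com/bin/view/Main/5000175; sid:5000175; rev:1;)
rules/cisco-geoip.rules0000664000175000017500000001442612612177151014443 0ustar champchamp# Sagan cisco-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 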
# # #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN Login from outside HOME_COUNTRY"; program: %ASA-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001868; sid: 5001868; rev: 1;) # %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: testuser] [Source: 10.10.10.10] [localport: 22] at 05:00:13 EST Sun Dec 1 2013 alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] Console login from outside HOME_COUNTRY"; program: %SEC_LOGIN-5-LOGIN_SUCCESS; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001869; sid: 5001869; rev: 1;) # 10.1.2.1|local4|info|info|a6|2013-12-02|08:00:03|%ASA-6-605005| Login permitted from 10.1.1.1/54112 to inside:10.1.2.1/ssh for user "bob" alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] Login permitted from outside HOME_COUNTRY"; program: %ASA-6-605005; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001879; sid: 5001879; rev: 1;) # WebVPN from outside HOME_COUNTRY alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY"; program: %ASA-6-716001|%ASA-6-716038; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001950; sid: 5001950; rev: 2;) # Group = AnyConnect, Username = bob, IP = 10.10.10.10, Session disconnected. 
Session Type: SSL, Duration: 12h:00m:19s, Bytes xmt: 332468520, Bytes rcv: 130276830, Reason: Max time exceeded alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN disconnect from outside HOME_COUNTRY"; program: %ASA-4-113019|%ASA-6-716002|%ASA-6-721018; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001962; sid: 5001962; rev: 1;) # 10.8.5.10|local4|info|info|a6|2014-02-18|02:12:41|%ASA-6-734001| DAP: User bob, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTPS_PORT (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY"; program: %ASA-6-734001; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; reference: url, wiki.quadrantsec.com/bin/view/Main/5001964; sid: 5001964; rev: 1;) # Cisco ACS (via VPN) - authentication success # 10.10.10.10|auth|info|info|26|2014-02-20|16:26:58|CisACS_01_PassedAuth| 12s245v32 1 0 Message-Type=Authen OK,User-Name=BOB,NAS-IP-Address=172.16.1.1,Caller-ID=199.44.66.11,NAS-Port=58642432,Group-Name=VPN Users,Filter Information=No Filters activated., alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] ACS Login success from outside HOME_COUNTRY"; program: CisACS_01_PassedAuth; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5001977; sid: 5001977; rev: 1;) # 2014-05-07 09:32:45|10.8.0.5|129815|local4|info|info|%ASA-6-722022| Group User IP <10.10.102.102> UDP SVC connection established without compression alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] VPN login from outside HOME_COUNTRY [2]"; program: %ASA-6-722022|%ASA-6-722023; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; parse_src_ip: 1; 
reference: url, wiki.quadrantsec.com/bin/view/Main/5002058; sid: 5002058; rev: 1;) # 2014-05-07 16:41:47|192.168.1.1|7050594|local0|info|info|%ASA-6-303002| FTP connection from inside:10.20.11.20/2351 to dmz:192.168.1.1/21, user bob Stored file somefile # Track by source alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY"; program: %ASA-6-303002; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; normalize: cisco; reference: url, wiki.quadrantsec.com/bin/view/Main/5002059; sid: 5002059; rev: 4;) # Track by dest alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[CISCO-GEOIP] FTP file transfer from outside HOME_COUNTRY"; program: %ASA-6-303002; country_code: track by_dst, isnot $HOME_COUNTRY; classtype: successful-user; normalize: cisco; parse_src_ip: 1; parse_dst_ip: 2; reference: url, wiki.quadrantsec.com/bin/view/Main/5002060; sid: 5002060; rev: 3;) rules/arp-normalize.rulebase0000664000175000017500000000410412612177151015462 0ustar champchamp# Sagan arp-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
prefix=
# arpalert
# seq=277, mac=00:01:d7:35:55:06, ip=172.22.1.53, reference=172.22.2.69, type=ip_change, dev=eth0, vendor="F5 Networks, Inc."
# liblognorm rule for the arpalert line above: "ip=" becomes src-ip and "reference=" becomes
# dst-ip (the fields the Sagan rules consume through "normalize"); seq and mac are matched but
# discarded (%-:...) and everything from "type=" on is ignored (%-:rest%). The MAC address is
# therefore not available to signatures - add a named field here if one needs it.
rule=: seq=%-:word%, mac=%-:word%, ip=%src-ip:ipv4%, reference=%dst-ip:ipv4%, %-:rest%
rules/citrix-normalize.rulesbase0000664000175000017500000000543512612177151016375 0ustar champchamp# Sagan citrix-normalize.rulebase
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# This file is used in conjunction with liblognorm.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
# NOTE(review): this member is stored in the archive as "citrix-normalize.rulesbase" while its
# banner says "citrix-normalize.rulebase"; make sure the file name the Sagan normalize
# configuration loads is the one actually shipped, or no Citrix line will be normalized.
prefix=
# 16:04:31 GMT server1 PPE-1 : AAA LOGIN_FAILED 71011157 : User bob - Client_ip 12.12.12.12 - Failure_reason "External authentication server denied access"
# NetScaler AAA login failure. The four leading %-:word% fields are the time, zone, host and
# packet-engine columns of the sample; the user name and client address are extracted and
# the failure reason is discarded.
rule=: %-:word% %-:word% %-:word% %-:word% : AAA LOGIN_FAILED %-:word% : User %username:word% - Client_ip %src-ip:ipv4% - Failure_reason %-:rest%
# 16:23:29 GMT server1 PPE-0 : SSLVPN LOGIN 75181906 : Context bob@12.12.12.12 - SessionId: 11147- User bob - Client_ip 12.12.12.12 - Nat_ip "Mapped Ip" - Vserver 192.168.1.1:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" - SSLVPN_client_type Clientless - Group(s) "N/A"
# SSLVPN login: user name and client address. "SessionId: %-:word%" swallows the "11147-"
# token of the sample (note the trailing "-"), after which the literal " User " must follow.
rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGIN %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
# SSLVPN logout, assumed to share the LOGIN layout - no sample line is given here; confirm
# against a real logout record before relying on the extracted fields.
rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGOUT %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
rules/squid.rules0000664000175000017500000001031112612177151013356 0ustar champchamp# Sagan squid.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # In order for these rules to function with Squid, you'll need: # "access_log syslog" in your squid.conf . 
# All rules match on a program field of "squid" or "(squid)" and on substrings of the access
# log line squid sends to syslog. Port 3128 in the header is squid's default proxy port.
#
# Proxy refused the request; the two rules after this one narrow it to the reason squid logged.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] TCP_DENIED"; content: "TCP_DENIED"; classtype: suspicious-traffic; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000043; sid: 5000043; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] TCP_DENIED unsupported-request-method"; content: "TCP_DENIED"; content: "unsupported-request-method"; classtype: suspicious-traffic; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000044; sid: 5000044; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] TCP_DENIED invalid-request"; content: "TCP_DENIED"; content: "invalid-request"; classtype: suspicious-traffic; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000045; sid: 5000045; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] @CGIDIRScgiwrap attempt"; content: "@CGIDIRScgiwrap"; classtype: web-application-activity; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000046; sid: 5000046; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] Directory traversal attempt"; content: "../.."; classtype: web-application-attack; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000047; sid: 5000047; rev:1;)
# NOTE(review): the content string below is empty. Whatever pattern was here was most likely
# dropped as an HTML tag when the rules were rendered; depending on how the engine treats an
# empty needle the rule either matches every squid line or fails to load. Restore the pattern
# from the upstream squid.rules before enabling this sid.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg: "[SQUID] XSS attempt"; content: ""; classtype: suspicious-traffic; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000048; sid: 5000048; rev:1;)
# "passwd" anywhere in the logged request - broad, will also match unrelated paths such as
# password-change pages; tune or threshold before using it for anything automated.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] 'passwd' access attempt"; content: "passwd"; classtype: web-application-attack; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000049; sid: 5000049; rev:1;)
# Same msg text as sid 5000047 but keyed on "///"; a triple slash also occurs in ordinary
# URLs, so expect noise from this one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] Directory traversal attempt"; content: "///"; classtype: web-application-attack; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000050; sid: 5000050; rev:1;)
# Policy rule: the x-msn-messenger header of MSN Messenger traffic (msg text says "MSG").
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"[SQUID] MSG Messenger access"; content: "x-msn-messenger"; classtype: policy-violation; program: squid|(squid); reference: url,wiki.quadrantsec.com/bin/view/Main/5000387; sid: 5000387; rev:1;)
rules/apache.rules0000664000175000017500000004622312612177151013463 0ustar champchamp# Sagan apache.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
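IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# In order for you to receive Apache logs via syslog, you'll need change your "CustomLog" configuration
# entry in your Apache config to something like:
#
# CustomLog "|/usr/bin/logger -i -p local0.info -t apache2" common
#
# Review notes on this revision:
#  - sid 5000157: the "[0/5]" threshold tag sat inside the content string ("...by rule [0/5]"),
#    so the pattern could not match an Apache log line; moved to msg, rev 9.
#  - sid 5000364: program was "apachehttpd" (missing "|"), so it matched no program; now
#    apache|httpd like every other rule here, rev 7.
#  - sid 5002207: content started with |29 29| ("))") while every other member of the family
#    keys on |28 29| ("()"), the function-definition prefix the CVE is about; corrected, rev 3.
#    If upstream really meant "))", restore it and bump rev again.
# "[0/5]" in a msg means the rule is thresholded to 5 alerts per 300 s per source.
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT ( msg:"[APACHE] Segmentation fault"; content: "signal Segmentation Fault"; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000155; sid:5000155; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to access forbidden file or directory [0/5]"; content: "denied by server configuration"; threshold: type limit, track by_src, count 5, seconds 300; classtype: permissions-violation ; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000156; parse_src_ip: 1; sid:5000156; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to access forbidden directory index [0/5]"; content: "Directory index forbidden by rule"; threshold: type limit, track by_src, count 5, seconds 300; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000157; parse_src_ip: 1; sid:5000157; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Client sent malformed Host header"; content: "Client sent malformed Host header"; classtype: string-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000158; parse_src_ip: 1; sid:5000158; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] User authentication failed"; content: "authentication failed"; nocase; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000159; parse_src_ip: 1; sid:5000159; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000160; parse_src_ip: 1; sid:5000160; rev:6;)
# favicon.ico is excluded because browsers request it unasked; 20 misses per minute per source.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Rapid attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; content:!"favicon.ico"; threshold:type limit, track by_src, count 20, seconds 60; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000161; parse_src_ip: 1; sid:5000161; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000378; parse_src_ip: 1; sid:5000378; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Invalid URI in request"; content: "Invalid URI in request"; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000162; parse_src_ip: 1; sid:5000162; rev:6;)
# NOTE(review): both content clauses must be present in the same log line. If Apache emits
# "file name too long" and "URI too long" as alternative messages this never fires; a pcre
# alternation would be the fix. Left unchanged pending a sample line.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Invalid URI, file name too long"; content: "file name too long"; content: "URI too long"; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000163; parse_src_ip: 1; sid:5000163; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Mod_Security Access denied"; pcre: "/modsecurity|mod_security|mod_security-message/i"; content: "access denied"; nocase; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Resource temporarily unavailable"; content: "Resource temporarily unavailable"; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000166; parse_src_ip: 1; sid:5000166; rev:6;)
# mod_autoindex sort parameters (?C=S;O=A / ?C=M;O=A) - directory-listing probing rather than
# traversal in the strict sense; the msg text is kept as shipped.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S;O=A"; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M;O=A"; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; parse_src_ip: 1; sid: 5000360; rev:6;)
# The next three ignore lines carrying " 404 " so only requests the server actually served count.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 404 "; classtype: unknown; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000361; parse_src_ip: 1; sid: 5000361; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] PHPinfo access attempt [0/5]"; content: "phpinfo"; content:!" 404 "; classtype: attempted-recon; flowbits: set, recon, 86400; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000362; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000362; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Php-my-admin access attempt [0/5]"; content: "phpmyadmin"; nocase; content:!" 404 "; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000364; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000364; rev:7;)
# CVE-2014-6271 (09/24/2014 - Champ Clark III)
# |28 29 20 7b 20| is the raw bytes of "() { ", the bash function-definition prefix. Every
# CVE-2014-6271 rule below sets the exploit_attempt flowbit for 86400 s and asks fwsam to block
# the source for a day on a single hit, so make sure the address parse_src_ip: 1 yields is the
# real client (not a proxy or load balancer in front of the server) before enabling them.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29 20 7b 20|"; program: apache|httpd; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:5;)
# CVE-2014-6271 (09/30/2014 - Champ Clark III) - These are modified Emerging Threats rules
# Each "Generic N" rule covers one mix of percent-encoded and raw characters for the same
# "() { " prefix. They keep the Emerging Threats variable names $HTTP_SERVERS/$HTTP_PORTS,
# unlike $HOME_NET/$HTTP_PORT above; both sets must be defined in sagan.conf.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; content:"%28%29|20|{|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002181; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; content:"%28%29|20|{%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002182; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; content:"%28%29|20|%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002183; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; content:"%28%29|20|%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002184; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; content:"%28%29%20{|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002185; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; content:"%28%29%20{%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002186; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; content:"%28%29%20%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002187; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; content:"%28%29%20%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002188; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; content:"%28|20|{|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002189; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; content:"%28|20|{%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002190; rev:2;)
# Generic 11 carries sid 5002212, out of sequence with its neighbours; kept as shipped.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; content:"%28|20|%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002212; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; content:"%28|20|%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002191; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; content:"%28%20{|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002192; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; content:"%28%20{%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002193; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; content:"%28%20%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002194; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; content:"%28%20%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002195; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; content:"|28|%29|20|{|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002196; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; content:"|28|%29|20|{%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002197; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; content:"|28|%29|20|%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002198; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; content:"|28|%29|20|%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002199; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; content:"|28|%29%20{|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002200; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; content:"|28|%29%20{%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002201; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; content:"|28|%29%20%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002202; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; content:"|28|%29%20%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002203; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; content:"|28 29 20|{%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002204; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; content:"|28 29 20|%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002205; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; content:"|28 29 20|%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002206; rev:2;)
# Generic 28: was |29 29| (see the review note at the top of the file).
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; content:"|28 29|%20{|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002207; rev:3;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; content:"|28 29|%20%7b|20|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002208; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; content:"|28 29|%20%7b%20"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:5002209; rev:2;)
# Header line-continuation evasions: "()" then LF / CRLF then " {".
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; content:"|28 29 0a 20 7b|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:5002210; rev:2;)
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; content:"|28 29 0d 0a 20 7b|"; program: apache|httpd; flowbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:5002211; rev:1;)
rules/windows-blacklist.rules0000664000175000017500000010364112612177151015700 0ustar champchamp# Sagan windows-blacklist.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.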
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # ************************************************************* # Windows blacklist rules. # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-BLACKLIST] RDP / Logon type 10 from a blacklisted IP"; program: Security*; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; blacklist: by_src; program: Security*; parse_src_ip: 1; normalize: windows; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002215; sid: 5002215; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [0/5]"; program: Security*; content: " 529|3a| "; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5002216; sid: 5002216; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP [Time restriction] [0/5]"; content: " 530|3a| "; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; 
blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: windows; reference: url,wiki.quadrantsec.com/bin/view/Main/5002217; sid: 5002217; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account currently disabled [0/5]"; content: " 531|3a| "; content:!"User Name|3a| Domain|3a|"; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5002218; sid: 5002218; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Specified account expired"; content: " 532|3a| "; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002219; sid: 5002219; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - User not allowed to login at this computer"; content: " 533|3a| "; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002220; sid: 5002220; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from blacklisted IP - Account locked [0/1]"; content: " 539|3a| "; content:!"User Name|3a| Domain|3a| Logon Type|3a|"; classtype: unsuccessful-user; blacklist: by_src; threshold: type limit, track by_src, count 5, seconds 300; parse_src_ip: 1; parse_port; normalize: windows; fwsam: src, 1 day; program: Security*; reference: url,wiki.quadrantsec.com/bin/view/Main/5002222; sid: 5002222; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Logon Failure from blacklisted IP"; pcre: "/ 675: | 676: | 681: 
/"; classtype: unsuccessful-user; program: Security*; blacklist: by_src; normalize: windows; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002223; sid: 5002223; rev:1;)

# Rules added by Brian Echeverry (becheverry@quadrantsec.com) - 10/19/2015
#
# Brute-force series. Every rule from here to sid 5002561 ships commented
# out (disabled); enable per deployment. Each rule:
#   * matches a logon-failure event -- 4625/4776 carrying an NTSTATUS code,
#     or the DC events 675/676/681/4771/4768 carrying a Kerberos result code;
#   * requires the parsed source IP to be on the Sagan blacklist;
#   * waits for 25 matching events from one source within 300 s ("after:")
#     before alerting, then emits at most one alert per source per day
#     ("threshold:") -- the "[25/1]" tag in each msg;
#   * sets flowbit "brute_force" for 86400 s so other rules can correlate.
# The bracketed tags are documentation only; after/threshold are
# authoritative.

# NTSTATUS C0000064: user name does not exist. The two negated contents skip
# lines containing "$ Source" / "$ Account Domain: " -- presumably account
# names ending in "$" (computer accounts); verify against real 4625 events.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Name Does Not Exist [Brute Force] [25/1]"; content: "C0000064"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Source"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; parse_src_ip: 1; blacklist: by_src; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002509; sid: 5002509; rev:1;)

# NTSTATUS C000006A: valid user name, wrong password.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Correct but Incorrect Password [Brute Force] [25/1]"; content: "C000006A"; nocase; pcre: "/ 4625: | 4776: /"; content:!"$ Account Domain|3a| "; flowbits: set,brute_force,86400; classtype: unsuccessful-user; program: Security*; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002510; sid: 5002510; rev:1;)

# NTSTATUS C0000234: account locked out.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Is Locked Out [Brute Force] [25/1]"; content: "C0000234"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002511; sid: 5002511; rev:1;)

#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Account Disabled [Brute Force] [25/1]"; content: "C0000072"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002512; sid: 5002512; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - User Login Attempts Outside of Time Restriction [Brute Force] [25/1]"; content: "C000006F"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002513; sid: 5002513; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Account [Brute Force] [25/1]"; content: "C0000193"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002514; sid: 5002514; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Login failure from a blacklisted IP - Expired Password [Brute Force] [25/1]"; content: "C0000071"; nocase; pcre: "/ 4625: | 4776: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002515; sid: 5002515; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1 - Client's entry in database has expired [25/1]"; content: " 0x1 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002516; sid: 5002516; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2 - Server's entry in database has expired [25/1]"; content: " 0x2 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002517; sid: 5002517; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3 - Requested protocol version # not supported [25/1]"; content: " 0x3 Client "; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002518; sid: 5002518; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x4 - Client's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 
681: | 4771: | 4768: /"; content: " 0x4 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002519; sid: 5002519; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x5 - Server's key encrypted in old master key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x5 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002520; sid: 5002520; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x6 - Client not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x6 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002521; sid: 5002521; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x7 - Server not found in Kerberos database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x7 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5002522; sid: 5002522; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x8 - Multiple principal entries in database [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x8 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002523; sid: 5002523; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x9 - The client or server has a null key [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x9 Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002524; sid: 5002524; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xA - Ticket not eligible for postdating [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xA Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002525; sid: 5002525; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xB - Requested start time is later than end time [25/1]"; pcre: "/ 675: | 676: | 681: | 
4771: | 4768: /"; content: " 0xB Client "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002526; sid: 5002526; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xC - KDC policy rejects request [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xC "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002527; sid: 5002527; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xD - KDC cannot accommodate requested option [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xD "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002528; sid: 5002528; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xE - KDC has no support for encryption type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xE "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: 
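url,wiki.quadrantsec.com/bin/view/Main/5002529; sid: 5002529; rev:1;)

# Kerberos result code 0xF (KDC has no support for checksum type).
# Review fixes: msg typo "B4ute force" -> "Brute force", and
# "flowbits: set,brute_force,86400" added so this rule tags the source the
# same way as every other rule in the 0x1-0x3D series (rev bumped).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0xF - KDC has no support for checksum type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0xF "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002530; sid: 5002530; rev:2;)

# Kerberos result code 0x10 (KDC has no support for padata type).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x10 - KDC has no support for padata type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x10 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002531; sid: 5002531; rev:1;)

# Kerberos result code 0x11 (KDC has no support for transited type).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x11 - KDC has no support for transited type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x11 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002532; sid: 5002532; rev:1;)

# Kerberos result code 0x12 (client's credentials have been revoked).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x12 - Clients credentials have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x12 "; classtype: 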
unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002533; sid: 5002533; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x13 - Credentials for server have been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x13 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002534; sid: 5002534; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x14 - TGT has been revoked [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x14 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002535; sid: 5002535; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x15 - Client not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x15 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002536; sid: 5002536; rev:1;) #alert syslog $EXTERNAL_NET 
any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x16 - Server not yet valid - try again later [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x16 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002537; sid: 5002537; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x17 - Password has expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x17 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002538; sid: 5002538; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x18 - Pre-authentication information was invalid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x18 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002539; sid: 5002539; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x19 - Additional pre-authentication required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x19 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: 
track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002540; sid: 5002540; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x1F - Integrity check on decrypted field failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x1F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002541; sid: 5002541; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x20 - Ticket expired [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x20 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002542; sid: 5002542; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x21 - Ticket not yet valid [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x21 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002543; sid: 5002543; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute 
force 0x22 - Request is a replay [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x22 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002544; sid: 5002544; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x23 - The ticket isn't for us [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x23 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002545; sid: 5002545; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x24 - Ticket and authenticator don't match [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x24 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002546; sid: 5002546; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x25 - Clock skew too great [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x25 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; 
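reference: url,wiki.quadrantsec.com/bin/view/Main/5002547; sid: 5002547; rev:1;)

# Kerberos result code 0x26 (incorrect net address).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x26 - Incorrect net address [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x26 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002548; sid: 5002548; rev:1;)

# Kerberos result code 0x27 (protocol version mismatch).
# Review fix: "program: Security;" -> "program: Security*;". Without the
# trailing wildcard the rule only matches a program field that is literally
# "Security", while every other rule in this file accepts the "Security*"
# family; the two rules below would silently miss events that all their
# siblings see (rev bumped).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x27 - Protocol version mismatch [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x27 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002549; sid: 5002549; rev:2;)

# Kerberos result code 0x28 (invalid message type). Same "Security*" fix.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x28 - Invalid msg type [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x28 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002550; sid: 5002550; rev:2;)

# Kerberos result code 0x29 (message stream modified).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x29 - Message stream modified [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x29 "; classtype: unsuccessful-user; 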
program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002551; sid: 5002551; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2A - Message out of order [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2A "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002552; sid: 5002552; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2C - Specified version of key is not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002553; sid: 5002553; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2D - Service key not available [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002554; sid: 5002554; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: 
"[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2E - Mutual authentication failed [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2E "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002555; sid: 5002555; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x2F - Incorrect message direction [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x2F "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002556; sid: 5002556; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x30 - Alternative authentication method required [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x30 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002557; sid: 5002557; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x31 - Incorrect sequence number in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x31 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 
300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002558; sid: 5002558; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x32 - Inappropriate type of checksum in message [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x32 "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002559; sid: 5002559; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3C - Generic error [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3C "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002560; sid: 5002560; rev:1;) #alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-BLACKLIST] Windows DC Login failure from a blacklisted IP - Brute force 0x3D - Field is too long for this implementation [25/1]"; pcre: "/ 675: | 676: | 681: | 4771: | 4768: /"; content: " 0x3D "; classtype: unsuccessful-user; program: Security*; flowbits: set,brute_force,86400; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; parse_src_ip: 1; blacklist: by_src; reference: url,wiki.quadrantsec.com/bin/view/Main/5002561; sid: 5002561; rev:1;) rules/honeyd.rules0000664000175000017500000001056712612177151013532 0ustar champchamp# Sagan honeyd.rules # Copyright (c) 2009-2015, Quadrant 
Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
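#
#*************************************************************
# Added by Robert Nunley (rnunley@quadrantsec.com)
#
# Honeyd rules. Every rule sets flowbit "honeypot" for 86400 s on a match so
# later rules can correlate on the same source.
#
# Review fixes in this block:
#   * "threshold type limit, track by_src, count 10, 300 seconds" on sids
#     5001847-5001849 was missing the ':' after the keyword and used
#     "300 seconds" instead of the "seconds 300" form used by every other
#     rule set in this corpus (and by sid 5001850 here for the keyword);
#     rewritten as "threshold: type limit, track by_src, count 10, seconds 300".
#   * pcre "/^a-z | ^0-9/" on sids 5001849/5001850 matched only the literal
#     text "a-z " at the start of the message (the second alternative,
#     " ^0-9", can never match because "^" is preceded by a space);
#     rewritten as "/^[a-z]|^[0-9]/" on the assumption that "message starts
#     with a letter or digit" was intended.
#   Revs bumped on every rule whose matching changed.
#
# NOTE(review): sids 5001849 and 5001850 carry no parse_src_ip/parse_dst_ip,
# unlike 5001846-5001848, so "track by_src" and the honeypot flowbit key on
# whatever address Sagan assigns by default (presumably the syslog sender,
# i.e. the honeyd host) rather than the connecting client. Confirm the
# honeydftp/honeydwebiis message layout before adding parse_src_ip.

# Any TCP connection logged by honeydconnect.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HONEYD] Connection made to honeypot"; content: "tcp"; program: honeydconnect; parse_src_ip: 1; parse_dst_ip: 2; classtype: suspicious-traffic; flowbits: set, honeypot, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5001846; sid: 5001846; rev:2;)

# Telnet login attempt against the honeypot; at most 10 alerts per source
# per 300 s ("[0/10]").
alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[HONEYD] Attempt to login to honeypot Telnet server [0/10]"; content: "Attempted "; program: honeyd; threshold: type limit, track by_src, count 10, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set, honeypot, 86400; classtype: attempted-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001847; sid: 5001847; rev:4;)

# Same, but the attempted user name contains "root " or " admin" (the pcre
# is a substring match, so " administrator" also qualifies).
alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[HONEYD] Attempt to login to honeypot Telnet server as admin user [0/10]"; content: "Attempted "; pcre: "/root | admin/"; program: honeyd; threshold: type limit, track by_src, count 10, seconds 300; parse_src_ip: 1; parse_dst_ip: 2; flowbits: set, honeypot, 86400; classtype: attempted-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001848; sid: 5001848; rev:4;)

# FTP login attempt against the honeypot (any honeydftp line starting with
# a letter or digit; see pcre note above).
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg: "[HONEYD] Attempt to login to honeypot FTP server [0/10]"; pcre: "/^[a-z]|^[0-9]/"; program: honeydftp; threshold: type limit, track by_src, count 10, seconds 300; flowbits: set, honeypot, 86400; classtype: attempted-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001849; sid: 5001849; rev:4;)

# Connection to the emulated IIS server.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HONEYD] Connection to honeypot IIS server [0/10]"; pcre: "/^[a-z]|^[0-9]/"; program: honeydwebiis; threshold: type limit, track by_src, count 10, seconds 300; flowbits: set, honeypot, 86400; classtype: web-application-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5001850; sid: 5001850; rev:4;)

alert syslog 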
$EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HONEYD] Connection to honeypot Apache server [0/10]"; pcre: "/^a-z | ^0-9/"; program: honeydwebapache; threshold: type limit, track by_src, count 10, 300 seconds; flowbits: set, honeypot, 86400; classtype: web-application-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5001851; sid: 5001851; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg: "[HONEYD] Connection to honeypot SMTP server [0/10]"; pcre: "/^a-z | ^0-9/"; program: honeydsmtp; threshold: type limit, track by_src, count 10, 300 seconds; flowbits: set, honeypot, 86400; classtype: web-application-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5001852; sid: 5001852; rev:3;) rules/hordeimp.rules0000664000175000017500000000622412612177151014046 0ustar champchamp# Sagan hordeimp.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HORDEIMP] Informational message"; content: "[info]"; classtype: unknown; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000371; sid:5000371; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HORDEIMP] Notice message"; content: "[notice]"; classtype: unknown; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000263; sid:5000263; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HORDEIMP] Error message"; content: "[error]"; classtype: network-event; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000372; sid:5000372; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HORDEIMP] Emergency message"; content: "[emergency]"; classtype: network-event; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000369; sid:5000369; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HORDEIMP] IMP successful login"; content: "Login success for"; classtype: successful-user; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000370; sid:5000370; rev:2;) 
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[HORDEIMP] Failed login"; content: "FAILED LOGIN"; classtype: unsuccessful-user; program: HORDE; reference: url,wiki.quadrantsec.com/bin/view/Main/5000368; sid:5000368; rev:2;) rules/nfcapd-malware.rules0000664000175000017500000001136012612177151015115 0ustar champchamp# Sagan nfcapd-malware.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
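IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
##############################################################################
# These rules are intended to catch malware via the NetFlow protocol. This
# requires that your system has the "nfdump" tools installed. In particular, the
# Quadrant-modified "nfdump", which allows the program "nfcapd" to receive,
# decode and send NetFlow data to the Sagan FIFO.
#
# For more information see:
#
# https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganNetflow
#
# Example log string sent to the FIFO from the modified "nfcapd":
#
# source_ip: 10.10.0.1/80, destination_ip: 173.165.207.65/16464, protocol: UDP, duration: 5.400, flags: |.AP.SF|, tos: 0, packets: 312, bytes: 4222451716, last_time: 2013-11-30 01:10:24, vlan_src: 32767, vlan_dst: 0
#
# Each rule below keys on the protocol field (" UDP," / " TCP,") and on the "/<port>, p" fragment. In the example
# above that fragment only occurs where the destination_ip port is immediately followed by ", protocol", so the
# source port (followed by ", destination_ip") is never matched. "[5/5]" in the msg mirrors the "count 5" used by
# threshold/after; the ports are the ZeroAccess ports named in each msg.
alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16464 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16464, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001853; sid: 5001853; rev: 4;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16465 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16465, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001854; sid: 5001854; rev: 4;)
# Fixed: this rule's msg tag read "[NFCAPD]" while its siblings use "[NFCAPD-MALWARE]"; anything filtering or
# correlating on the tag would have missed port 16470. Rev bumped to match the other UDP rules.
alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16470 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16470, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001855; sid: 5001855; rev: 4;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[NFCAPD-MALWARE] Netflow - ZeroAccess UDP port 16471 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " UDP,"; content: "/16471, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001856; sid: 5001856; rev: 4;)
# Older TCP port 13620 (pre-Q2 2012)
alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[NFCAPD-MALWARE] Netflow - Old ZeroAccess TCP port 13620 detected [5/5]"; program: nfcapd; normalize: nfcapd; content: " TCP,"; content: "/13620, p"; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 120; after: track by_src, count 5, seconds 300; reference: url, wiki.quadrantsec.com/bin/view/Main/5001857; sid: 5001857; rev: 3;)
rules/fortinet-correlated.rules0000664000175000017500000000631112612177151016210 0ustar champchamp# Sagan fortinet-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 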
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Login accepted after suspicious activity"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002371; sid:5002371; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Administrator Login after suspicious activity"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002372; sid:5002372; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] Admin authentication success after suspicious activity"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; reference: url,wiki.quadrantsec.com/bin/view/Main/5002373; sid:5002373; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-CORRELATED] SSH traffic detected after suspicious activity"; content: " service=SSH "; content:!"duration=0 sentbyte=0 rcvdbyte=0"; flowbits: isset,by_src,recon|honeypot; classtype: correlated-attack; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002374; sid:5002374; rev:3;) rules/bash.rules0000664000175000017500000003337712612177151013165 0ustar champchamp# Sagan bash.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # The following rules require bash to be compiled with syslog history support. Without this, there is no way # for sagan to "see" what users type. For more information, see: # # http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/ # # Gentoo users can rebuild bash with the "logger" USE flag. 
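#
# Every rule in this set requires the text "HISTORY" in the message (the marker the syslog-history bash patch
# emits) and restricts "program:" to bash|-bash|sh|-sh, so a matching line is a command typed in an interactive
# shell rather than arbitrary syslog traffic.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] ./a.out execution attempt"; content:"./a.out"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000000; program: bash|-bash|sh|-sh; sid:5000000; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] gcc execution"; content:"gcc "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000001; program: bash|-bash|sh|-sh; sid:5000001; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] telnet execution"; content:"telnet "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000002; program: bash|-bash|sh|-sh; sid:5000002; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] nmap execution"; content:"nmap "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000003; program: bash|-bash|sh|-sh; sid:5000003; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/passwd access"; content:"/etc/passwd"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000004; program: bash|-bash|sh|-sh; sid:5000004; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/shadow access"; content:"/etc/shadow"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000005; program: bash|-bash|sh|-sh; sid:5000005; rev:4;)
# NOTE(review): sid 5000006 matches "make" and sid 5000007 matches "make " -- every line that satisfies 5000007
# also satisfies 5000006, so "make <target>" raises both alerts (and 5000006 also fires on e.g. "cmake",
# "automake", "makewhatis"). Kept as-is because both sids are published; consider retiring one.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] make execution"; content:"make"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000006; program: bash|-bash|sh|-sh; sid:5000006; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] make execution"; content:"make "; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000007; program: bash|-bash|sh|-sh; sid:5000007; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /bin/sh command line call"; content:"/bin/sh"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000008; program: bash|-bash|sh|-sh; sid:5000008; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /bin/bash command line call"; content:"/bin/bash"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000009; program: bash|-bash|sh|-sh; sid:5000009; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] HISTORY=/dev/null"; content:"HISTORY=/dev/null"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000010; program: bash|-bash|sh|-sh; sid:5000010; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] .bash_history access"; content:".bash_history"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000011; program: bash|-bash|sh|-sh; sid:5000011; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /tmp/sh access"; content:"/tmp/sh"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000012; program: bash|-bash|sh|-sh; sid:5000012; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] suidperl access"; content:"suidperl"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000013; program: bash|-bash|sh|-sh; sid:5000013; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] histfile=/dev/null"; content:"histfile=/dev/null"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000014; program: bash|-bash|sh|-sh; sid:5000014; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] iptables command access"; content:"iptables"; content: "HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000385; program: bash|-bash|sh|-sh; sid:5000385; rev:4;)
# CVE-2014-6271 (09/24/2014 - Champ Clark III)
# The hex content |28 29| { |3a 3b|} is the literal "() { :;}" function-definition prefix; the rule also sets the
# "exploit_attempt" flowbit for 86400 seconds for downstream correlation.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Remote execution attempt via CVE-2014-6271"; content:"|28 29| { |3a 3b|}"; content: "HISTORY"; program: bash|-bash|sh|-sh; classtype: exploit-attempt; flowbits: set, exploit_attempt, 86400; reference: url,wiki.quadrantsec.com/bin/view/Main/5002179; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002179; rev:2;)
# Submitted by Aleksey Chudov (07/14/2015).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] History hiding"; content:"HISTORY"; pcre:"/\s+(HISTFILE|HISTFILESIZE|HISTSIZE)/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002303; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] History hiding"; content:"HISTORY"; pcre:"/\s+history\s+(-\w+\s+)*-\w*(c|d|w)/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002304; rev:1;)
# Fixed: sids 5002305 and 5002307 ended in ";);" -- a stray ';' after the closing parenthesis that no other rule
# in the set has. Removed so every rule ends in the same "rev:N;)" form; no matching logic changed.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] .mysql_history access"; content:"HISTORY"; content:".mysql_history"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002305; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Netcat execution"; content:"HISTORY"; pcre:"/\s+(nc|ncat|netcat)\s+/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002306; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Python socket execution"; content:"HISTORY"; content:"python"; content:"socket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002307; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Python subproces execution"; content:"HISTORY"; content:"python"; content:"subproces"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002308; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] PHP socket execution"; content:"HISTORY"; content:"php"; content:"sock"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002309; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] PHP subproces execution"; content:"HISTORY"; content:"php"; content:"exec"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002310; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Perl socket execution"; content:"HISTORY"; content:"perl"; content:"ocket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002311; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Perl subproces execution"; content:"HISTORY"; content:"perl"; content:"fork"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002312; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Ruby socket execution"; content:"HISTORY"; content:"ruby"; content:"ocket"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002313; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] Ruby subproces execution"; content:"HISTORY"; content:"ruby"; content:"exec"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002314; rev:1;)
# sid 5002315 is a silent (flowbits:noalert) stage that sets "mknod_executed" for 60 seconds; sid 5002316 only
# fires when a telnet command follows from the same source while that bit is set.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] mknod execution [FLOWBIT SET]"; content:"HISTORY"; content:"mknod"; flowbits:set,mknod_executed,60; flowbits:noalert; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002315; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] telnet reverse shell execution"; content:"HISTORY"; content:"telnet"; flowbits:isset,by_src,mknod_executed; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002316; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /dev/tcp access"; content:"HISTORY"; content:"/dev/tcp"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002317; rev:1;)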
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /dev/udp access"; content:"HISTORY"; content:"/dev/udp"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002318; rev:1;)
# The four shell rules below accept the bare name or a /bin, /sbin, /usr/bin or /usr/sbin path preceded by
# whitespace.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] csh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?csh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002319; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] ksh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?ksh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002320; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] tcsh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?tcsh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002321; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] zsh shell execution"; content:"HISTORY"; pcre:"/\s+((\/usr)?\/s?bin\/)?zsh/"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002322; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] stunnel execution"; content:"HISTORY"; content:"stunnel"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002323; rev:1;)
# NOTE(review): the nine SSH rules below (sids 5002324-5002332) match "ssh" and a bare two-character flag as
# independent substrings anywhere in the logged command line, with no ordering constraint; a constructed history
# line such as "iptables -A INPUT -p tcp --dport ssh" satisfies sid 5002324. Expect tuning (e.g. a pcre that ties
# the flag to the ssh invocation) before treating these as high-fidelity. Whether "-w" and "-W" are distinguished
# depends on content case-sensitivity, which is not confirmed here.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH agent forwarding"; content:"HISTORY"; content:"ssh"; content:"-A"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002324; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH dynamic forwarding"; content:"HISTORY"; content:"ssh"; content:"-D"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002325; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH GSSAPI forwarding"; content:"HISTORY"; content:"ssh"; content:"-K"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002326; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH local forwarding"; content:"HISTORY"; content:"ssh"; content:"-L"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002327; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH remote forwarding"; content:"HISTORY"; content:"ssh"; content:"-R"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002328; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH input and output forwarding"; content:"HISTORY"; content:"ssh"; content:"-W"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002329; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH tunnel forwarding"; content:"HISTORY"; content:"ssh"; content:"-w"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002330; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 forwarding"; content:"HISTORY"; content:"ssh"; content:"-X"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002331; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] SSH X11 trusted forwarding"; content:"HISTORY"; content:"ssh"; content:"-Y"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002332; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] LD_PRELOAD environment variable access"; content:"HISTORY"; content:"LD_PRELOAD"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002333; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] LD_LIBRARY_PATH environment variable access"; content:"HISTORY"; content:"LD_LIBRARY_PATH"; classtype:suspicious-command; program:bash|-bash|sh|-sh; sid:5002334; rev:1;)
# Rules added by Brian Echeverry ( becheverry@quadrantsec.com) - 10/21/2015
# NOTE(review): "passwd" and "root" are matched as independent substrings, so "passwd root" and e.g. a command
# mentioning /etc/passwd from a root-owned path both qualify; a pcre would make the ordering explicit.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] root password change attempt"; content:"passwd"; content:"root"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5002565; program: bash|-bash|sh|-sh; sid:5002565; rev:1;)
rules/zeus.rules0000664000175000017500000000625612612177151013232 0ustar champchamp# Sagan zeus.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
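#
#*************************************************************
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Authentication failure"; content: "Authentication failure"; classtype: unsuccessful-user; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000279; sid: 5000279; rev:1;)
# Fixed: the content option read "Unknown directive; classtype: ..." with no closing quote, so either the rest
# of the rule was swallowed into the pattern or the rule failed to load (which of the two Sagan does is not
# confirmed here); in both cases it could not match as intended. Rev bumped.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Configuration warning [ignored]"; content: "Unknown directive"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000280; sid: 5000280; rev:2;)
# NOTE(review): in the four pcre rules below "[\S+ \S+]" is a character class (one non-space character, '+' or
# ' '), not a literal bracketed "[... ...]" prefix, so "^[\S+ \S+] INFO" only matches a line of the form
# "<one character> INFO". If Zeus log lines begin with a bracketed timestamp the intended pattern is probably
# "^\[\S+ \S+\] INFO"; confirm against a sample log before changing. Left unchanged here.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Informational message"; pcre: "/^[\S+ \S+] INFO|^[\S+ \S+] SSL/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000281; sid: 5000281; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Warning message"; pcre: "/^[\S+ \S+] WARN/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000282; sid: 5000282; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Serious message"; pcre: "/^[\S+ \S+] SERIOUS/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000283; sid: 5000283; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZEUS] Fatal message"; pcre: "/^[\S+ \S+] FATAL/"; classtype: system-event; program: zeus; reference: url,wiki.quadrantsec.com/bin/view/Main/5000284; sid: 5000284; rev:1;)
rules/cisco-cucm.rules0000664000175000017500000000624212612177151014264 0ustar champchamp# Sagan cisco-cucm.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 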
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # These rules are for the Cisco Unified Call Manager (VoIP) systems. 
# NOTE(review): these five rules carry the "[CISCO-IOS]" msg tag although they live in cisco-cucm.rules and
# match Call Manager / CCX subsystem text; downstream filters keyed on the tag may expect "[CISCO-CUCM]".
# NOTE(review): unlike most rule sets here, no "program:" restriction is given, so the two content strings are the
# only selector -- any syslog source emitting e.g. "ModuleStart" together with "Socket Manager" will match.
# NOTE(review): sid 5001709 matches "CMT subsystem" and sid 5001710 "CMT Subsystem" (different case); whether
# content is case-sensitive without a nocase modifier is not confirmed here, so verify both against real CUCM text.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Call Manager Telephony Subsystem Shutdown"; content: "SS_SHUTDOWN"; content: "CMT subsystem"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001709; sid: 5001709; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Call Manager Telephony Subsystem ModuleStop"; content: "ModuleStop"; content: "CMT Subsystem"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001710; sid: 5001710; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Grammar Manager Telephony Subsystem ModuleStop"; content: "ModuleStop"; content: "Grammar Manager"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001711; sid: 5001711; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Cisco Unified CCX MGR Shutdown"; content: "MGR_SHUTDOWN"; content: "Cisco Unified CCX"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001712; sid: 5001712; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Socket Manager Telephony Subsystem ModuleStart"; content: "ModuleStart"; content: "Socket Manager"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001713; sid: 5001713; rev:1;)
rules/ssh-tectia-server.rules0000664000175000017500000000441612612177151015610 0ustar champchamp# Sagan ssh-tectia-server.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. 
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[SSH-TECTIA-SERVER] Authentication Failure - Brute force [5/5]"; content: "Login_failure"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001877; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; sid: 5001877; rev:1;) rules/windows-owa.rules0000664000175000017500000000711312612177151014513 0ustar champchamp# Sagan windows-owa.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # OWA "reason" codes: # # reason=0 Nothing # reason=1 You've successfully signed out of Outlook Web App. Please close all browser windows. # reason=2 The user name or password you entered isn't correct. Try entering it again. # reason=3 Your session has timed out. To protect your account from unauthorized access, the connection to # your mailbox is closed after a period of inactivity. Please re-enter your user name and password. # reason=4 Your password has been changed. You can now sign in with your new password. 
# Sample IIS entries as they reach Sagan: the logon.aspx GET carrying reason=2 (bad user name or password, per the
# reason-code table above) and the auth.owa POST that produced it.
# 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:32 10.1.2.1 GET /owa/auth/logon.aspx replaceCurrent=1&reason=2&url=https%3a%2f%2fwebmail.example.org%2fowa%2f 443 - 12.12.12.12 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) cookieTest=1;+OutlookSession=ba7a32d49c144484d9fb790bd1f;+PBack=0;+tzid=Eastern+Standard+Time;+owacsdc=1 - 200 0 0 0
# 10.1.2.1|user|notice|notice|0d|2015-04-23|00:39:14|SERVER.local IISWebLog 0 2015-04-23| 00:31:32 10.1.2.1 POST /owa/auth.owa - 443 bob 12.12.12.12 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) OutlookSession=b87b312d49b7441891b1099fb790bd1e;+PBack=0;+tzid=Eastern+Standard+Time;+owacsdc=1 https://webmail.example.org/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fwebmail.example.org%2fowa%2f 401 1 1326 3156
# Fires once 25 matching failures are seen from the same tracked source within 300 s (after:), is limited to one
# alert per source per 86400 s (threshold:), sets the brute_force flowbit for 86400 s for other rules to correlate
# on, and asks fwsam to block the tracked source for 1 day.
# NOTE(review): in the samples above the first IP in the message body is the IIS server's own s-ip (10.1.2.1) and
# the client c-ip (12.12.12.12) comes second. If parse_src_ip: 1 selects the first IP in the message, by_src tracking
# and the fwsam block would key on the server address rather than the client - confirm against the deployed IIS field
# order before enabling fwsam (parse_src_ip: 2 / parse_dst_ip: 1 would select the client for this layout).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[WINDOWS-OWA] Login failure - Brute force [25/1]"; content: "/owa/auth/logon.aspx"; nocase; content: "reason=2&"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; after: track by_src, count 25, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; parse_src_ip: 1; parse_dst_ip: 2; reference: url,wiki.quadrantsec.com/bin/view/Main/5002264; sid: 5002264; rev:4;)
rules/grsec.rules0000664000175000017500000000530412612177151013340 0ustar champchamp# Sagan grsec.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rule sets are for systems with hardened kernels (PaX/GRSec). If you don't run a hardened kernel, you won't # see these alerts. 
For more information, see: http://www.grsecurity.net/ alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Time set"; content:"time set by";classtype: not-suspicious; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000029; sid: 5000029; rev:4;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Signal 11 sent"; content:"signal 11 sent";classtype: program-error; parse_src_ip: 1; program: grsec; reference: url,wiki.quadrantsec.com/bin/view/Main/5000030; sid: 5000030; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"GRSEC Denied resource overstep"; content:"denied resource overstep"; classtype: exploit-attempt; program: grsec; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000042; sid: 5000042; rev:2;) rules/artillery.rules0000664000175000017500000001773212612177151014254 0ustar champchamp# Sagan artillery.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # "Artillery" is a project by TrustedSec that monitors, detects & blocks attacks. It is written in Python # and acts as a HIDS. Artillery has the ability to write to local or remote syslog servers. These # Sagan rules trigger when Artillery detects something bad. These rules also act as a "gateway" between # Artillery and Snort consoles (Snorby/Sguil/etc). # # From the Artillery website: "The purpose of Artillery is to provide a combination of a honeypot, file-system # monitoring, system hardening, real-time threat intelligence feeds, and overall health of a server to create a # comprehensive way to secure a system." # # Artillery is written by Dave Kennedy and the TrustedSec crew (@HackingDave / @TrustedSec). For more # information about Artillery, see https://www.trustedsec.com/downloads/artillery/ # # Alerts on anything from the program "Artillery". 
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] General Artillery Message"; classtype: suspicious-traffic; program: Artillery; parse_src_ip: 1; parse_dst_ip: 2; parse_proto; reference: url,wiki.quadrantsec.com/bin/view/Main/5002080; reference: url,www.trustedsec.com/downloads/artillery; sid:5002080; rev:1;) # ftp_monitor.py # write_log("Artillery has blocked (blacklisted) the following IP for FTP brute forcing violations: " + ipaddress) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[ARTILLERY] FTP brute force violation"; content: "FTP brute forcing"; flowbits: set,brute_force,86400; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002081; reference: url,www.trustedsec.com/downloads/artillery; sid:5002081; rev:3;) # harden.py # Issue identified: %s permissions are not set to root. If an attacker compromises the system and is running under the Apache user account, could view these files. Recommendation: Change the permission of %s to root:root. Command: chown root:root %s\n\n" % (filename,filename,filename) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - Permissions not set as root"; content: "not set to root"; content: "Issue identified|3a|"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002082; reference: url,www.trustedsec.com/downloads/artillery; sid:5002082; rev:2;) # harden.py # Issue identified: /etc/vsftpd.conf allows Anonymous login. An attacker can gain a foothold to the system with absolutel zero effort. 
Recommendation: Change anonymous_enable yes to anonymous_enable no\n\n" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - vsftp.conf Anonymous FTP allowed"; content: "vsftpd.conf allows Anonymous login"; content: "Issue identified|3a|"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002083; reference: url,www.trustedsec.com/downloads/artillery; sid:5002083; rev:2;) # harden.py # Issue identified: /etc/ssh/sshd_config. SSH is running on the default port 22. An attacker commonly scans for these type of ports. Recommendation: Change the port to something high that doesn't get picked up by typical port scanners.\n\n" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - SSH running on default TCP port 22"; content: "Issue identified|3a|"; content: "SSH is running on the default port 22"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002084; reference: url,www.trustedsec.com/downloads/artillery; sid:5002084; rev:1;) # harden.py # Issue identified: /etc/ssh/sshd_config allows RootLogin. An attacker can gain root access to the system if password is guessed. Recommendation: Change RootLogin yes to RootLogin no\n\n" alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Issue identified - sshd_config allows RootLogin"; content: "sshd_config allows RootLogin"; content: "Issue identified|3a|"; classtype: configuration-error; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002085; reference: url,www.trustedsec.com/downloads/artillery; sid:5002085; rev:2;) # honeypot.py # %s [!] 
Artillery has blocked (and blacklisted) the IP Address: %s for connecting to a honeypot restricted port: %s" % (now, ip, port) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport blocked/blacklisted address"; content: "honeypot restricted port"; content: "blocked"; parse_src_ip: 1; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002086; reference: url,www.trustedsec.com/downloads/artillery; sid:5002086; rev:2;) # honeypot.py # %s [!] Artillery has detected an attack from IP address: %s for a connection on a honeypot port: %s" % (now, ip, port) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] Honeyport attack detected"; content: "detected an attack"; content: "honeypot"; parse_src_ip: 1; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002087; reference: url,www.trustedsec.com/downloads/artillery; sid:5002087; rev:1;) # monitor.py # output_file = "********************************** The following changes were detect at %s **********************************\n" % (datetime.datetime.now()) + output_file + "\n********************************** End of changes. 
**********************************\n\n" # warn_the_good_guys(subject, output_file) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARTILLERY] File changes have occured"; content: "following changes were detect"; classtype: suspicious-traffic; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002088; reference: url,www.trustedsec.com/downloads/artillery; sid:5002088; rev:1;) # ssh_monitor.py # alert = "Artillery has blocked (blacklisted) the following IP for SSH brute forcing violations: " + ipaddress alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[ARTILLERY] SSH brute force violation"; content: "SSH brute forcing violations"; classtype: unsuccessful-user; parse_src_ip: 1; program: Artillery; reference: url,wiki.quadrantsec.com/bin/view/Main/5002089; reference: url,www.trustedsec.com/downloads/artillery; sid:5002089; rev:1;) rules/fortinet-malware.rules0000664000175000017500000000754412612177151015525 0ustar champchamp# Sagan fortinet-malware.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # Added by Champ Clark - Theres detect ZeroAccess 11/12/2013 alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16464 detected [5/5]"; content: "dst_port=16464"; content: "UDP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001786; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001786; rev: 3;) alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16465 detected [5/5]"; content: "dst_port=16465"; content: "UDP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001787; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001787; rev: 3;) alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16470 detected [5/5]"; content: "dst_port=16470"; content: "UDP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001788; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, 
track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001788; rev: 3;) alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[FORTINET-MALWARE] ZeroAccess UDP port 16471 detected [5/5]"; content: "dst_port=16471"; content: "UDP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001789; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001789; rev: 3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[FORTINET-MALWARE] Older ZeroAccess TCP port 13620 detected [5/5]"; content: "dst_port=13620"; content: "TCP"; classtype: suspicious-traffic; reference: url, wiki.quadrantsec.com/bin/view/Main/5001867; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001867; rev: 2;) rules/linux-kernel-normalize.rulebase0000664000175000017500000000666012612177151017326 0ustar champchamp# Sagan linux-kernel-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* prefix= # Rulebase notes: # # iptables TCP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!) # # # [6251572.861709] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9133 DF PROTO=TCP SPT=50661 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% %-:word% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest% # iptables UDP : iptables flags "--state NEW,INVALID -j LOG" (NOTE: no --prefix!) 
# Sample iptables UDP log lines (bridged with PHYSIN+PHYSOUT, routed with PHYSIN only, with and without the DF flag):
# [6252395.294134] IN=fire OUT=fire PHYSIN=eth1 PHYSOUT=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=8658 DF PROTO=UDP SPT=137 DPT=137 LEN=52
# [6255730.106539] IN=fire OUT=fire PHYSIN=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=34162 PROTO=UDP SPT=123 DPT=123 LEN=56
# [6256275.991117] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
# Bridged form (PHYSIN+PHYSOUT) with no slot between ID= and PROTO=, so it only matches lines without the DF flag.
# NOTE(review): unlike the TCP rule above and the routed rule below, this rule discards the protocol
# (PROTO=%-:word%) and takes TTL as a word rather than a number, so the proto field is not normalized for logs it
# matches. The first and third samples carry "DF" and presumably fall through to the PHYSIN/PHYSOUT rule above,
# which does capture proto - confirm with the liblognorm test tool, and consider %proto:word% here for consistency.
rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:word% ID=%-:number% PROTO=%-:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%
# Routed form (PHYSIN only, no DF flag): captures src/dst IP, proto and ports like the TCP rule above.
rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%
rules/windows-geoip.rules0000664000175000017500000001050712612177151015031 0ustar champchamp# Sagan windows-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-GEOIP] Windows Logon outside of HOME_COUNTRY"; pcre: "/ 540: | 4624: /"; classtype: successful-user; program: Security*; parse_src_ip: 1; parse_port; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5001873; sid: 5001873; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] RDP / Logon type 10 from outside HOME_COUNTRY "; pcre: "/ 528: | 4624: /"; content: "Logon Type|3a| 10 "; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002016; sid: 5002016; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Logon attempt using explicit credentials from outside HOME_COUNTRY"; pcre: "/ 552: | 4648: /"; content:!"Network Address|3a| - "; content:!"Port|3a| - "; content:!"Target Server Name|3a| localhost"; program: Security*; parse_src_ip: 1; country_code: track by_src, isnot $HOME_COUNTRY; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002020; sid: 5002020; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: 
"[WINDOWS-GEOIP] Windows Network Cleartext from outside HOME_COUNTRY "; pcre: "/ 540: | 4624: /"; content: "Logon Type|3a| 8 "; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002337; sid: 5002337; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows Session Disconnected from outside HOME_COUNTRY "; pcre: "/ 683: | 4779: /"; content: "Session"; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002338; sid: 5002338; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Windows RDP Session Disconnected from outside HOME_COUNTRY "; pcre: "/ 683: | 4779: /"; content: "Session"; content: "RDP"; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002339; sid: 5002339; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-GEOIP] Explicit Windows Logon "; pcre: "/ 552: | 4648: /"; content: "Target"; content: "Process"; country_code: track by_src, isnot $HOME_COUNTRY; program: Security*; parse_src_ip: 1; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002340; sid: 5002340; rev:1;) rules/vsftpd-correlated.rules0000664000175000017500000000462612612177151015673 0ustar champchamp# Sagan vsftpd-correlated.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #*************************************************************
# Correlated vsftpd rules: each fires only when the source address already has the recon or honeypot flowbit set by
# another rule (flowbits: isset,by_src,recon|honeypot), i.e. a successful login or upload from an address that was
# previously seen scanning or touching a honeypot.
# NOTE(review): both msg strings say "from outside HOME_COUNTRY", but neither rule carries a country_code option, so
# the alert text overstates what was checked. Either add "country_code: track by_src, isnot $HOME_COUNTRY" (as the
# windows-geoip rules do) or reword the msg to describe the recon/honeypot correlation, and bump rev.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD-CORRELATED] Authentication successful from outside HOME_COUNTRY"; content: "OK LOGIN"; classtype: correlated-attack; program: vsftpd; flowbits: isset,by_src,recon|honeypot; reference: url,wiki.quadrantsec.com/bin/view/Main/5002389; sid:5002389; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[VSFTPD-CORRELATED] File uploaded from outside HOME_COUNTRY"; content: "OK UPLOAD"; classtype: correlated-attack; flowbits: isset,by_src,recon|honeypot; program: vsftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5002390; sid:5002390; rev:1;)
rules/windows-emet.rules0000664000175000017500000000662112612177151014660 0ustar champchamp# Sagan windows-emet.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Windows EMET rules # # See http://support.microsoft.com/kb/2458544 for more information on EMET # # Eventlog to syslog service. This is what we primarily use. # http://code.google.com/p/eventlog-to-syslog/ # # Champ Clark (08/20/2014) # 10.5.1.1|daemon|err|err|1b|2014-08-19|23:03:56|EMET| 2: EMET detected Caller mitigation and will close the application: chrome.exe Caller check failed: Application : C:\Program Files\Google\Chrome\Application\chrome.exe User Name : Champ-BOX\champ Session ID : 1 PID : 0xBFC (3068) TID : 0xBE8 (3048) API Name : kernel32.LoadLibraryW ReturnAddress : 0x5BE777AC CalledAddress : 0x769FEFF2 StackPtr : 0x0031E51C alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-EMET] Detected Caller mitigation/will close application"; content: " 2|3a| "; classtype: suspicious-command; program: EMET; reference: url,wiki.quadrantsec.com/bin/view/Main/5002101; sid:5002101; rev:1;) # 10.5.1.1|daemon|notice|notice|1d|2014-08-20|12:03:23|Security-Auditing| 4689: A process has exited. 
Subject: Security ID: S-1-5-21-148272361-2449339356-1462517947-1000 Account Name: champ Account Domain: Champ-BOX Logon ID: 0x1a285 Process Information: Process ID: 0x120 Process Name: C:\Program Files\EMET 4.1\EMET_Agent.exe Exit Status: 0x40010004 alert syslog $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-EMET] EMET process stopped, but not due to reboot"; pcre: "/ 4689: | 593: /" ; content: "EMET_Agent.exe"; nocase; flowbits: isnotset, by_src, windows_reboot; program: Security-Auditing|Security; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002102; sid:5002102; rev:1;) rules/postgresql.rules0000664000175000017500000000733212612177151014443 0ustar champchamp# Sagan postgresql.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Log message"; content: "LOG"; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000229; sid: 5000229; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Informational message"; pcre: "/NOTICE|INFO/"; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000373; sid: 5000373; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Error message"; content: "ERROR"; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000230; sid: 5000230; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Fatal error message"; content: "FATAL"; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000231; sid: 5000231; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Debug message"; content: "DEBUG"; classtype: program-error; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000232; sid: 5000232; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Database authentication success"; content: "connection authorized"; classtype: successful-user; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000233; sid: 5000233; rev:1;) alert 
tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Database authentication failure"; content: "authentication failed"; classtype: unsuccessful-user; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000234; sid: 5000234; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg: "[POSTGRESQL] Database shutdown message"; pcre: "/terminating connection due|aborting any active transactions|shutting down/i"; classtype: not-suspicious; program: postgres; reference: url,wiki.quadrantsec.com/bin/view/Main/5000235; sid: 5000235; rev:1;) rules/milter.rules0000664000175000017500000000512112612177151013526 0ustar champchamp# Sagan milter.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* alert syslog $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] Milter error state"; content:"Milter"; content:"to error state";classtype: program-error; program: sm-mta; reference: url,wiki.quadrantsec.com/bin/view/Main/5000038; sid: 5000038; rev:2;) #alert syslog $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] Mimedefang - No response from slave"; content: "No response from slave"; classtype: program-error; program: mimedefang; reference: url,wiki.quadrantsec.com/bin/view/Main/5000039; sid: 5000039; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET $SMTP_PORT (msg:"[MILTER] SMF-SAV sendmail milter unable to verify"; pcre: "/sender check failed|sender check tempfailed/i"; classtype: program-error; program: smf-sav; reference: url,wiki.quadrantsec.com/bin/view/Main/5000143; sid: 5000143; rev:2;) rules/citrix-blacklist.rules0000664000175000017500000000600212612177151015501 0ustar champchamp# Sagan citrix-blacklist.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # Citrix appliances/devices/software # Login from blacklisted IP (Champ Clark / 04/01/2015) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] Login from outside blacklisted IP"; content: "SSLVPN LOGIN"; classtype: unsuccessful-user; parse_src_ip: 1; parse_dst_ip: 2; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002261; sid: 5002261; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] AAA LOGIN_FAILED from blacklisted IP"; content: "AAA LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002281; sid:5002281; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[CITRIX-BLACKLIST] SSLVPN HTTPREQUEST from blacklisted IP"; content: "SSLVPN HTTPREQUEST"; classtype: unsuccessful-user; parse_src_ip: 1; normalize: citrix; blacklist: by_src; fwsam: src, 1 day; reference: url,support.citrix.com/article/CTX123875; reference: url,wiki.quadrantsec.com/bin/view/Main/5002285; sid:5002285; rev:1;) rules/riverbed-geoip.rules0000664000175000017500000000455212612177151015144 0ustar champchamp# Sagan riverbed-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. 
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # SSH logins are covered for Riverbed via the openssh.rules and openssh-geoip.rules # Champ Clark (04/15/2014) # 10.3.1.1|local1|notice|notice|8d|2014-04-16|13:41:29|webasd| [web.NOTICE]: web: User bob logged in from 10.7.8.1, session count: 1. 
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg:"[RIVERBED-GEOIP] Administrator Login outside of HOME_COUNTRY"; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; country_code: track by_src, isnot $HOME_COUNTRY; reference: url,wiki.quadrantsec.com/bin/view/Main/5002032; program: webasd; sid: 5002032; rev:2;) rules/ossec-mi.rules0000664000175000017500000060256012612177151013763 0ustar champchamp## ## OSSEC SAGAN RULES (autogenerated) ## ## Sagan is: ## Copyright (c) 2009-2015, Quadrant Information Security ## All rights reserved. ## ## Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list ## ##************************************************************* ## Redistribution and use in source and binary forms, with or without modification, are permitted provided that the ## following conditions are met: ## ## * Redistributions of source code must retain the above copyright notice, this list of conditions and the following ## disclaimer. ## * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the ## following disclaimer in the documentation and/or other materials provided with the distribution. ## * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived ## from this software without specific prior written permission. ## ## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, ## INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ## DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ## SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, ## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE ## USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ## ##************************************************************* ## These rules were autogenerated from ossec rules using the ossec-sagan.pl script. ## OSSEC and its supplied rules are: ## ## Copyright (C) 2009 Trend Micro Inc. ## All rights reserved. ## ## This program is a free software; you can redistribute it ## and/or modify it under the terms of the GNU General Public ## License (version 2) as published by the FSF - Free Software ## Foundation. ## ## License details: http://www.ossec.net/en/licensing.html ## ## Rule group: attack_rules.xml:syslog,attacks ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple authentication failures. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40111 "; classtype: exploit-attempt; program: ossec; sid: 6040111; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Buffer overflow attack on rpc.statd (attack_rules.xml:syslog,attacks)"; content: "Rule: 40102 "; classtype: exploit-attempt; program: ossec; sid: 6040102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - System user successfully logged to the system. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40101 "; classtype: exploit-attempt; program: ossec; sid: 6040101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple viruses detected - Possible outbreak. 
(attack_rules.xml:syslog,attacks)"; content: "Rule: 40113 "; classtype: exploit-attempt; program: ossec; sid: 6040113; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Stack overflow attempt or program exiting with SEGV (Solaris). (attack_rules.xml:syslog,attacks)"; content: "Rule: 40109 "; classtype: exploit-attempt; program: ossec; sid: 6040109; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - Possible buffer overflow attempt. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40104 "; classtype: exploit-attempt; program: ossec; sid: 6040104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple authentication failures followed by a success. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40112 "; classtype: exploit-attempt; program: ossec; sid: 6040112; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - "Null" user changed some information. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40105 "; classtype: exploit-attempt; program: ossec; sid: 6040105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Buffer overflow on WU-FTPD versions prior to 2.6 (attack_rules.xml:syslog,attacks)"; content: "Rule: 40103 "; classtype: exploit-attempt; program: ossec; sid: 6040103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Buffer overflow attempt (probably on yppasswd). (attack_rules.xml:syslog,attacks)"; content: "Rule: 40106 "; classtype: exploit-attempt; program: ossec; sid: 6040106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Heap overflow in the Solaris cachefsd service. 
(attack_rules.xml:syslog,attacks)"; content: "Rule: 40107 "; classtype: exploit-attempt; program: ossec; sid: 6040107; rev:1;) ## Rule group: apache_rules.xml:apache ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache)"; content: "Rule: 30110 "; classtype: system-event; program: ossec; sid: 6030110; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Modsecurity alert. (apache_rules.xml:apache)"; content: "Rule: 30200 "; classtype: system-event; program: ossec; sid: 6030200; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Attempt to login using a non-existent user. (apache_rules.xml:apache)"; content: "Rule: 30109 "; classtype: system-event; program: ossec; sid: 6030109; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30100 "; classtype: tcp-connection; program: ossec; sid: 6030100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30202 "; classtype: exploit-attempt; program: ossec; sid: 6030202; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache warn messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30102 "; classtype: tcp-connection; program: ossec; sid: 6030102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Invalid URI (bad client request). (apache_rules.xml:apache)"; content: "Rule: 30115 "; classtype: system-event; program: ossec; sid: 6030115; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Apache without resources to run. 
(apache_rules.xml:apache)"; content: "Rule: 30120 "; classtype: exploit-attempt; program: ossec; sid: 6030120; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Access attempt blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30118 "; classtype: system-event; program: ossec; sid: 6030118; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Apache segmentation fault. (apache_rules.xml:apache)"; content: "Rule: 30104 "; classtype: exploit-attempt; program: ossec; sid: 6030104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache)"; content: "Rule: 30108 "; classtype: system-event; program: ossec; sid: 6030108; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple attempts blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30119 "; classtype: exploit-attempt; program: ossec; sid: 6030119; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access forbidden file or directory. (apache_rules.xml:apache)"; content: "Rule: 30105 "; classtype: system-event; program: ossec; sid: 6030105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access forbidden directory index. (apache_rules.xml:apache)"; content: "Rule: 30106 "; classtype: system-event; program: ossec; sid: 6030106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Modsecurity access denied. (apache_rules.xml:apache)"; content: "Rule: 30201 "; classtype: system-event; program: ossec; sid: 6030201; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache notice messages grouped. 
(apache_rules.xml:apache)"; content: "Rule: 30103 "; classtype: tcp-connection; program: ossec; sid: 6030103; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Attempt to access an non-existent file (those are reported on the access.log). (apache_rules.xml:apache)"; content: "Rule: 30112 "; classtype: tcp-connection; program: ossec; sid: 6030112; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Invalid URI requests from same source. (apache_rules.xml:apache)"; content: "Rule: 30116 "; classtype: exploit-attempt; program: ossec; sid: 6030116; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Code Red attack. (apache_rules.xml:apache)"; content: "Rule: 30107 "; classtype: system-event; program: ossec; sid: 6030107; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache error messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30101 "; classtype: tcp-connection; program: ossec; sid: 6030101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Invalid URI, file name too long. (apache_rules.xml:apache)"; content: "Rule: 30117 "; classtype: exploit-attempt; program: ossec; sid: 6030117; rev:1;) ## Rule group: rules_config.xml:squid ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all web proxy rules. (rules_config.xml:squid)"; content: "Rule: 05 "; classtype: tcp-connection; program: ossec; sid: 6000005; rev:1;) ## Rule group: web_rules.xml:web,accesslog ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SQL injection attempts from same souce ip. 
(web_rules.xml:web,accesslog)"; content: "Rule: 31152 "; classtype: exploit-attempt; program: ossec; sid: 6031152; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog)"; content: "Rule: 31161 "; classtype: exploit-attempt; program: ossec; sid: 6031161; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SQL injection attempt. (web_rules.xml:web,accesslog)"; content: "Rule: 31103 "; classtype: system-event; program: ossec; sid: 6031103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 500 error code (server error). (web_rules.xml:web,accesslog)"; content: "Rule: 31120 "; classtype: system-event; program: ossec; sid: 6031120; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored URLs for the web attacks (web_rules.xml:web,accesslog)"; content: "Rule: 31107 "; classtype: tcp-connection; program: ossec; sid: 6031107; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - A web attack returned code 200 (success). (web_rules.xml:web,accesslog)"; content: "Rule: 31106 "; classtype: system-event; program: ossec; sid: 6031106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Mutiple web server 400 error codes from same source ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31151 "; classtype: exploit-attempt; program: ossec; sid: 6031151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 500 error code (Internal Error). (web_rules.xml:web,accesslog)"; content: "Rule: 31122 "; classtype: system-event; program: ossec; sid: 6031122; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - URL too long. Higher than allowed on most browsers. Possible attack. 
(web_rules.xml:web,accesslog)"; content: "Rule: 31115 "; classtype: exploit-attempt; program: ossec; sid: 6031115; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 500 error code (Internal Error). (web_rules.xml:web,accesslog)"; content: "Rule: 31162 "; classtype: exploit-attempt; program: ossec; sid: 6031162; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 400 error code. (web_rules.xml:web,accesslog)"; content: "Rule: 31101 "; classtype: system-event; program: ossec; sid: 6031101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple common web attacks from same souce ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31153 "; classtype: exploit-attempt; program: ossec; sid: 6031153; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored URLs (simple queries). (web_rules.xml:web,accesslog)"; content: "Rule: 31108 "; classtype: tcp-connection; program: ossec; sid: 6031108; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Web server 503 error code (Service unavailable). (web_rules.xml:web,accesslog)"; content: "Rule: 31123 "; classtype: not-suspicious; program: ossec; sid: 6031123; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - XSS (Cross Site Scripting) attempt. (web_rules.xml:web,accesslog)"; content: "Rule: 31105 "; classtype: system-event; program: ossec; sid: 6031105; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Access log messages grouped. (web_rules.xml:web,accesslog)"; content: "Rule: 31100 "; classtype: tcp-connection; program: ossec; sid: 6031100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple XSS (Cross Site Scripting) attempts from same souce ip. 
(web_rules.xml:web,accesslog)"; content: "Rule: 31154 "; classtype: exploit-attempt; program: ossec; sid: 6031154; rev:1;)
# ----------------------------------------------------------------------------
# OSSEC -> Sagan bridge rules (review notes).
#
# How these rules match:
#   * Every rule keys on the OSSEC rule id as a bare substring,
#     content: "Rule: NNNNN ", restricted to events whose syslog program
#     field is "ossec" (program: ossec). The trailing space inside the
#     content string is deliberate: it stops "Rule: 1810 " from also
#     matching "Rule: 18100 ". The match is otherwise unanchored, so the
#     same token anywhere later in the payload would fire the rule too.
#     NOTE(review): if the forwarded OSSEC alert carries the original log
#     line (URI, user name, User-Agent ...), a client able to write
#     "Rule: 18217 " into such a field could raise a bogus high-priority
#     alert. Anchoring the match (depth/offset, or a pcre on the alert
#     prefix) is worth confirming against the actual forwarded format.
#   * sid = 6000000 + OSSEC rule id (sid 6018118 <-> "Rule: 18118 ").
#   * classtype is derived purely from the OSSEC level band, as seen below:
#       Level 0      -> tcp-connection   (shipped disabled, "#(Level 0)")
#       Level 2-4    -> not-suspicious   (shipped disabled, "#(Level N)")
#       Level 5-9    -> system-event
#       Level 10/12  -> exploit-attempt
#     It reflects OSSEC severity, not what the event is. Triage that ranks
#     on classtype will rate "Database shutdown messge" (50520/50521),
#     "Named fatal error" (12109) and "Multiple web server 503" (31163) as
#     exploit-attempt, while "Windows audit log was cleared" (18118) and
#     "Windows Audit Policy changed" (18113) stay at system-event.
#     Re-classify per rule where that matters for your SOC.
#   * The disabled Level 2-4 rules include the *success* side of several
#     auth pairs (18107 Windows Logon Success, 5303 su to root succeeded,
#     50511 DB auth success, 18126 remote access login success, 18145
#     service startup type changed). They are the baseline needed to
#     correlate the failures that are enabled; consider turning them on.
#     Level 0 rules are OSSEC grouping/pre-match rules and can stay off.
#   * NOTE(review): every header is "$EXTERNAL_NET any -> $HOME_NET any"
#     although the event source is the OSSEC manager. Whether Sagan
#     honours header addresses depends on build/config; confirm the
#     manager's address is not excluded by your $EXTERNAL_NET definition.
# ----------------------------------------------------------------------------
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Common web attack. (web_rules.xml:web,accesslog)"; content: "Rule: 31104 "; classtype: system-event; program: ossec; sid: 6031104; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog)"; content: "Rule: 31121 "; classtype: not-suspicious; program: ossec; sid: 6031121; rev:1;)
# 31163 is an availability signal (repeated 503s), not an exploit; classtype comes from the OSSEC level only.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 503 error code (Service unavailable). (web_rules.xml:web,accesslog)"; content: "Rule: 31163 "; classtype: exploit-attempt; program: ossec; sid: 6031163; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring google/msn/yahoo bots. (web_rules.xml:web,accesslog)"; content: "Rule: 31140 "; classtype: tcp-connection; program: ossec; sid: 6031140; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored extensions on 400 error codes. (web_rules.xml:web,accesslog)"; content: "Rule: 31102 "; classtype: tcp-connection; program: ossec; sid: 6031102; rev:1;)
## Rule group: named_rules.xml:syslog,named ##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Serial number from master is lower than stored. (named_rules.xml:syslog,named)"; content: "Rule: 12110 "; classtype: system-event; program: ossec; sid: 6012110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Invalid DNS packet. Possibility of attack. (named_rules.xml:syslog,named)"; content: "Rule: 12101 "; classtype: exploit-attempt; program: ossec; sid: 6012101; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the named rules (named_rules.xml:syslog,named)"; content: "Rule: 12100 "; classtype: tcp-connection; program: ossec; sid: 6012100; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - DNS update denied. Generally mis-configuration. (named_rules.xml:syslog,named)"; content: "Rule: 12103 "; classtype: not-suspicious; program: ossec; sid: 6012103; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Log permission misconfiguration in Named. (named_rules.xml:syslog,named)"; content: "Rule: 12104 "; classtype: not-suspicious; program: ossec; sid: 6012104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Unable to perform zone transfer. (named_rules.xml:syslog,named)"; content: "Rule: 12111 "; classtype: system-event; program: ossec; sid: 6012111; rev:1;)
# 12109 is a service-outage signal tagged exploit-attempt only because it is OSSEC level 12.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Named fatal error. DNS service going down. (named_rules.xml:syslog,named)"; content: "Rule: 12109 "; classtype: exploit-attempt; program: ossec; sid: 6012109; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Query cache denied (maybe config error). (named_rules.xml:syslog,named)"; content: "Rule: 12108 "; classtype: not-suspicious; program: ossec; sid: 6012108; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unexpected error while resolving domain. (named_rules.xml:syslog,named)"; content: "Rule: 12105 "; classtype: not-suspicious; program: ossec; sid: 6012105; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Zone transfer error. (named_rules.xml:syslog,named)"; content: "Rule: 12112 "; classtype: not-suspicious; program: ossec; sid: 6012112; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update using RFC2136 Dynamic protocol. (named_rules.xml:syslog,named)"; content: "Rule: 12107 "; classtype: tcp-connection; program: ossec; sid: 6012107; rev:1;)
# 12102 (refused AXFR) is the reconnaissance signal in this group; 12111/12112 are the operational errors.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed attempt to perform a zone transfer. (named_rules.xml:syslog,named)"; content: "Rule: 12102 "; classtype: system-event; program: ossec; sid: 6012102; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - DNS configuration error. (named_rules.xml:syslog,named)"; content: "Rule: 12106 "; classtype: not-suspicious; program: ossec; sid: 6012106; rev:1;)
## Rule group: mailscanner_rules.xml:syslog,mailscanner ##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of mailscanner rules. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3700 "; classtype: tcp-connection; program: ossec; sid: 6003700; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Non spam message. Ignored. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3701 "; classtype: tcp-connection; program: ossec; sid: 6003701; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts of spam. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3751 "; classtype: system-event; program: ossec; sid: 6003751; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Mail Scanner spam detected. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3702 "; classtype: system-event; program: ossec; sid: 6003702; rev:1;)
## Rule group: syslog_rules.xml:syslog,squid ##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid debug message (syslog_rules.xml:syslog,squid)"; content: "Rule: 9201 "; classtype: tcp-connection; program: ossec; sid: 6009201; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid syslog messages grouped (syslog_rules.xml:syslog,squid)"; content: "Rule: 9200 "; classtype: tcp-connection; program: ossec; sid: 6009200; rev:1;)
## Rule group: solaris_bsm_rules.xml:syslog,solaris_bsm ##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6104 "; classtype: system-event; program: ossec; sid: 6006104; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Auditing session succeeded. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6102 "; classtype: tcp-connection; program: ossec; sid: 6006102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Auditing session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6101 "; classtype: system-event; program: ossec; sid: 6006101; rev:1;)
# Success-side rules (6105, 6103) are disabled; only the failures (6104, 6101, 6106) are active.
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6105 "; classtype: not-suspicious; program: ossec; sid: 6006105; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session succeeded. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6103 "; classtype: not-suspicious; program: ossec; sid: 6006103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User failed to change UID (user id). (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6106 "; classtype: system-event; program: ossec; sid: 6006106; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Solaris BSM Auditing messages grouped. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6100 "; classtype: tcp-connection; program: ossec; sid: 6006100; rev:1;)
## Rule group: syslog_rules.xml:syslog,adduser ##
# NOTE(review): account/group *deletion* (5903) is disabled while creation/modification (5901, 5902, 5904) is active; deletions are part of the same account-lifecycle audit trail.
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Group (or user) deleted from the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5903 "; classtype: not-suspicious; program: ossec; sid: 6005903; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - New group added to the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5901 "; classtype: system-event; program: ossec; sid: 6005901; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Information from the user was changed (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5904 "; classtype: system-event; program: ossec; sid: 6005904; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - New user added to the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5902 "; classtype: system-event; program: ossec; sid: 6005902; rev:1;)
## Rule group: nginx_rules.xml:apache ##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Invalid URI, file name too long. (nginx_rules.xml:apache)"; content: "Rule: 31320 "; classtype: exploit-attempt; program: ossec; sid: 6031320; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial 401 authentication request. (nginx_rules.xml:apache)"; content: "Rule: 31312 "; classtype: tcp-connection; program: ossec; sid: 6031312; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Nginx error message. (nginx_rules.xml:apache)"; content: "Rule: 31301 "; classtype: not-suspicious; program: ossec; sid: 6031301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web authentication failures. (nginx_rules.xml:apache)"; content: "Rule: 31316 "; classtype: exploit-attempt; program: ossec; sid: 6031316; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Nginx messages grouped. (nginx_rules.xml:apache)"; content: "Rule: 31300 "; classtype: tcp-connection; program: ossec; sid: 6031300; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Incomplete client request. (nginx_rules.xml:apache)"; content: "Rule: 31311 "; classtype: tcp-connection; program: ossec; sid: 6031311; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Nginx critical message. (nginx_rules.xml:apache)"; content: "Rule: 31303 "; classtype: system-event; program: ossec; sid: 6031303; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Server returned 404 (reported in the access.log). (nginx_rules.xml:apache)"; content: "Rule: 31310 "; classtype: tcp-connection; program: ossec; sid: 6031310; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Nginx warning message. (nginx_rules.xml:apache)"; content: "Rule: 31302 "; classtype: not-suspicious; program: ossec; sid: 6031302; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web authentication failed. (nginx_rules.xml:apache)"; content: "Rule: 31315 "; classtype: system-event; program: ossec; sid: 6031315; rev:1;)
## Rule group: postgresql_rules.xml:postgresql_log ##
# 50520 and 50521 carry identical msg text ("Database shutdown messge", typo inherited from OSSEC); only the sid distinguishes them downstream.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50521 "; classtype: exploit-attempt; program: ossec; sid: 6050521; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL informational message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50502 "; classtype: tcp-connection; program: ossec; sid: 6050502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Database authentication failure. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50512 "; classtype: system-event; program: ossec; sid: 6050512; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL debug message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50505 "; classtype: tcp-connection; program: ossec; sid: 6050505; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50520 "; classtype: exploit-attempt; program: ossec; sid: 6050520; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL log message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50501 "; classtype: tcp-connection; program: ossec; sid: 6050501; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL messages grouped. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50500 "; classtype: tcp-connection; program: ossec; sid: 6050500; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50503 "; classtype: not-suspicious; program: ossec; sid: 6050503; rev:1;)
# 50580 and 50581 likewise share the msg "Multiple database errors."; keep both, distinguish by sid.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50581 "; classtype: exploit-attempt; program: ossec; sid: 6050581; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database authentication success. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50511 "; classtype: not-suspicious; program: ossec; sid: 6050511; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50504 "; classtype: system-event; program: ossec; sid: 6050504; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Database query. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50510 "; classtype: tcp-connection; program: ossec; sid: 6050510; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50580 "; classtype: exploit-attempt; program: ossec; sid: 6050580; rev:1;)
## Rule group: rules_config.xml:windows ##
# NOTE(review): the content here is the zero-padded "Rule: 06 "; if OSSEC emits this id unpadded ("Rule: 6 ") the rule can never match. Disabled anyway, so no effect until someone enables it - verify the emitted form first.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all windows rules. (rules_config.xml:windows)"; content: "Rule: 06 "; classtype: tcp-connection; program: ossec; sid: 6000006; rev:1;)
## Rule group: symantec-av_rules.xml:symantec ##
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virus scan updated,started or stopped. (symantec-av_rules.xml:symantec)"; content: "Rule: 7320 "; classtype: not-suspicious; program: ossec; sid: 6007320; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec AV rules from eventlog. (symantec-av_rules.xml:symantec)"; content: "Rule: 7301 "; classtype: tcp-connection; program: ossec; sid: 6007301; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec AV rules. (symantec-av_rules.xml:symantec)"; content: "Rule: 7300 "; classtype: tcp-connection; program: ossec; sid: 6007300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Virus detected. (symantec-av_rules.xml:symantec)"; content: "Rule: 7310 "; classtype: system-event; program: ossec; sid: 6007310; rev:1;)
## Rule group: syslog_rules.xml:syslog, su ##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - User missed the password to change UID to root. (syslog_rules.xml:syslog, su)"; content: "Rule: 5302 "; classtype: system-event; program: ossec; sid: 6005302; rev:1;)
# NOTE(review): a *successful* su to root (5303) is disabled while the failed attempt (5302) alerts at level 9. The success is the event that actually grants privilege; most environments want it enabled.
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID to root. (syslog_rules.xml:syslog, su)"; content: "Rule: 5303 "; classtype: not-suspicious; program: ossec; sid: 6005303; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time (su) is executed by user. (syslog_rules.xml:syslog, su)"; content: "Rule: 5305 "; classtype: not-suspicious; program: ossec; sid: 6005305; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial grouping for su messages. (syslog_rules.xml:syslog, su)"; content: "Rule: 5300 "; classtype: tcp-connection; program: ossec; sid: 6005300; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID. (syslog_rules.xml:syslog, su)"; content: "Rule: 5304 "; classtype: not-suspicious; program: ossec; sid: 6005304; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User missed the password to change UID (user id). (syslog_rules.xml:syslog, su)"; content: "Rule: 5301 "; classtype: system-event; program: ossec; sid: 6005301; rev:1;)
## Rule group: syslog_rules.xml:syslog,smartd ##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Device configured but not available to Smartd (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2803 "; classtype: tcp-connection; program: ossec; sid: 6002803; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Smartd Started but not configured (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2801 "; classtype: tcp-connection; program: ossec; sid: 6002801; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Pre-match rule for smartd. (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2800 "; classtype: tcp-connection; program: ossec; sid: 6002800; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Smartd configuration problem (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2802 "; classtype: tcp-connection; program: ossec; sid: 6002802; rev:1;)
## Rule group: msauth_rules.xml:windows ##
# Windows account/group audit. The "... Group Changed" rules (182xx) fire on membership changes to built-in
# groups; the OSSEC level, and hence the classtype, is a fixed per-group judgement (Domain Admins,
# Administrators, Schema Admins, Backup Operators ... at level 12). Note that the generic account-lifecycle
# events (18110/18111/18112 user created/changed/disabled, 18128 group changed, 18113 audit policy changed,
# 18118 audit log cleared) are all level 8-9 -> system-event, below the group-change rules.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Changed (msauth_rules.xml:windows)"; content: "Rule: 18114 "; classtype: system-event; program: ossec; sid: 6018114; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Print Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18238 "; classtype: system-event; program: ossec; sid: 6018238; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Event Log Readers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18255 "; classtype: exploit-attempt; program: ossec; sid: 6018255; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows Logon Failure. (msauth_rules.xml:windows)"; content: "Rule: 18106 "; classtype: system-event; program: ossec; sid: 6018106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Read-only Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18250 "; classtype: exploit-attempt; program: ossec; sid: 6018250; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows Authorization Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18247 "; classtype: system-event; program: ossec; sid: 6018247; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18233 "; classtype: system-event; program: ossec; sid: 6018233; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Group account added/changed/deleted. (msauth_rules.xml:windows)"; content: "Rule: 18128 "; classtype: system-event; program: ossec; sid: 6018128; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Denied RODC Password Replication Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18254 "; classtype: exploit-attempt; program: ossec; sid: 6018254; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Group of windows rules. (msauth_rules.xml:windows)"; content: "Rule: 18100 "; classtype: tcp-connection; program: ossec; sid: 6018100; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows User Logoff. (msauth_rules.xml:windows)"; content: "Rule: 18149 "; classtype: not-suspicious; program: ossec; sid: 6018149; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18219 "; classtype: exploit-attempt; program: ossec; sid: 6018219; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - MS SQL Server Logon Success. (msauth_rules.xml:windows)"; content: "Rule: 18181 "; classtype: not-suspicious; program: ossec; sid: 6018181; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Guests Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18225 "; classtype: exploit-attempt; program: ossec; sid: 6018225; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Domain Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18223 "; classtype: system-event; program: ossec; sid: 6018223; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18204 "; classtype: system-event; program: ossec; sid: 6018204; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - RAS and IAS Servers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18232 "; classtype: exploit-attempt; program: ossec; sid: 6018232; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Incoming Forest Trust Builders Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18244 "; classtype: exploit-attempt; program: ossec; sid: 6018244; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows error event. (msauth_rules.xml:windows)"; content: "Rule: 18103 "; classtype: system-event; program: ossec; sid: 6018103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account's password expired. (msauth_rules.xml:windows)"; content: "Rule: 18136 "; classtype: system-event; program: ossec; sid: 6018136; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Group Policy Creator Owners Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18231 "; classtype: exploit-attempt; program: ossec; sid: 6018231; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18203 "; classtype: system-event; program: ossec; sid: 6018203; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Windows DC - Clock skew too great. (msauth_rules.xml:windows)"; content: "Rule: 18172 "; classtype: system-event; program: ossec; sid: 6018172; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Computer account changed/deleted. (msauth_rules.xml:windows)"; content: "Rule: 18127 "; classtype: system-event; program: ossec; sid: 6018127; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Administrators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18217 "; classtype: exploit-attempt; program: ossec; sid: 6018217; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18210 "; classtype: system-event; program: ossec; sid: 6018210; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Application Uninstalled. (msauth_rules.xml:windows)"; content: "Rule: 18146 "; classtype: system-event; program: ossec; sid: 6018146; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - General account database changed. (msauth_rules.xml:windows)"; content: "Rule: 18115 "; classtype: system-event; program: ossec; sid: 6018115; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Distributed COM Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18249 "; classtype: system-event; program: ossec; sid: 6018249; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows audit success event. (msauth_rules.xml:windows)"; content: "Rule: 18104 "; classtype: tcp-connection; program: ossec; sid: 6018104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - User not granted logon type. (msauth_rules.xml:windows)"; content: "Rule: 18135 "; classtype: system-event; program: ossec; sid: 6018135; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account enabled or created. (msauth_rules.xml:windows)"; content: "Rule: 18110 "; classtype: system-event; program: ossec; sid: 6018110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Read-only Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18251 "; classtype: exploit-attempt; program: ossec; sid: 6018251; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - User account locked out (multiple login errors). (msauth_rules.xml:windows)"; content: "Rule: 18116 "; classtype: system-event; program: ossec; sid: 6018116; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Performance Monitor Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18245 "; classtype: system-event; program: ossec; sid: 6018245; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Remote access login failure. (msauth_rules.xml:windows)"; content: "Rule: 18125 "; classtype: system-event; program: ossec; sid: 6018125; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Remote Desktop Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18242 "; classtype: exploit-attempt; program: ossec; sid: 6018242; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Windows audit failure event. (msauth_rules.xml:windows)"; content: "Rule: 18105 "; classtype: not-suspicious; program: ossec; sid: 6018105; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows DC Logon Failure. (msauth_rules.xml:windows)"; content: "Rule: 18139 "; classtype: system-event; program: ossec; sid: 6018139; rev:1;)
# NOTE(review): 18107 (logon success) is disabled while 18106/18139 (logon failure) alert. Without the success
# event you cannot tell a lockout storm from a brute force that eventually succeeded; consider enabling it.
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows Logon Success. (msauth_rules.xml:windows)"; content: "Rule: 18107 "; classtype: not-suspicious; program: ossec; sid: 6018107; rev:1;)
# NOTE(review): service startup-type changes (18145) are a common persistence step; disabled here at level 3.
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Service startup type was changed. (msauth_rules.xml:windows)"; content: "Rule: 18145 "; classtype: not-suspicious; program: ossec; sid: 6018145; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Domain Computers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18226 "; classtype: system-event; program: ossec; sid: 6018226; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote access login success. (msauth_rules.xml:windows)"; content: "Rule: 18126 "; classtype: not-suspicious; program: ossec; sid: 6018126; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Pre-Windows 2000 Compatible Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18241 "; classtype: system-event; program: ossec; sid: 6018241; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Logon Failure - Account locked out. (msauth_rules.xml:windows)"; content: "Rule: 18138 "; classtype: system-event; program: ossec; sid: 6018138; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Network Configuration Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18243 "; classtype: exploit-attempt; program: ossec; sid: 6018243; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Replicators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18240 "; classtype: exploit-attempt; program: ossec; sid: 6018240; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Logon Failure - User not allowed to login at this computer. (msauth_rules.xml:windows)"; content: "Rule: 18134 "; classtype: system-event; program: ossec; sid: 6018134; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Power Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18235 "; classtype: exploit-attempt; program: ossec; sid: 6018235; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18222 "; classtype: exploit-attempt; program: ossec; sid: 6018222; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows file system full. (msauth_rules.xml:windows)"; content: "Rule: 18129 "; classtype: system-event; program: ossec; sid: 6018129; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - First time this user logged in this system. (msauth_rules.xml:windows)"; content: "Rule: 18119 "; classtype: not-suspicious; program: ossec; sid: 6018119; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows warning event. (msauth_rules.xml:windows)"; content: "Rule: 18102 "; classtype: tcp-connection; program: ossec; sid: 6018102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Backup Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18239 "; classtype: exploit-attempt; program: ossec; sid: 6018239; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows is starting up. (msauth_rules.xml:windows)"; content: "Rule: 18148 "; classtype: not-suspicious; program: ossec; sid: 6018148; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Windows is shutting down. (msauth_rules.xml:windows)"; content: "Rule: 18117 "; classtype: system-event; program: ossec; sid: 6018117; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Windows DC - Possible replay attack. (msauth_rules.xml:windows)"; content: "Rule: 18171 "; classtype: exploit-attempt; program: ossec; sid: 6018171; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Terminal Server Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18221 "; classtype: system-event; program: ossec; sid: 6018221; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Created (msauth_rules.xml:windows)"; content: "Rule: 18206 "; classtype: system-event; program: ossec; sid: 6018206; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Failed attempt to perform a privileged operation. (msauth_rules.xml:windows)"; content: "Rule: 18108 "; classtype: not-suspicious; program: ossec; sid: 6018108; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows audit failure events. (msauth_rules.xml:windows)"; content: "Rule: 18153 "; classtype: exploit-attempt; program: ossec; sid: 6018153; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Security enabled group deleted. (msauth_rules.xml:windows)"; content: "Rule: 18144 "; classtype: system-event; program: ossec; sid: 6018144; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Cryptographic Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18252 "; classtype: exploit-attempt; program: ossec; sid: 6018252; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Terminal Server License Servers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18248 "; classtype: system-event; program: ossec; sid: 6018248; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User account unlocked. (msauth_rules.xml:windows)"; content: "Rule: 18142 "; classtype: system-event; program: ossec; sid: 6018142; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Schema Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18229 "; classtype: exploit-attempt; program: ossec; sid: 6018229; rev:1;)
# NOTE(review): 18113 (audit policy changed) and 18118 (audit log cleared, below) are defense-evasion signals
# that only reach system-event under the level-derived classtype; consider a per-rule override.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows Audit Policy changed. (msauth_rules.xml:windows)"; content: "Rule: 18113 "; classtype: system-event; program: ossec; sid: 6018113; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18216 "; classtype: system-event; program: ossec; sid: 6018216; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - MS SQL Server Logon Failure. (msauth_rules.xml:windows)"; content: "Rule: 18180 "; classtype: system-event; program: ossec; sid: 6018180; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Deleted (msauth_rules.xml:windows)"; content: "Rule: 18201 "; classtype: system-event; program: ossec; sid: 6018201; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows Logon Failures. (msauth_rules.xml:windows)"; content: "Rule: 18152 "; classtype: exploit-attempt; program: ossec; sid: 6018152; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows audit log was cleared. (msauth_rules.xml:windows)"; content: "Rule: 18118 "; classtype: system-event; program: ossec; sid: 6018118; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Guests Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18234 "; classtype: exploit-attempt; program: ossec; sid: 6018234; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Specified account expired. (msauth_rules.xml:windows)"; content: "Rule: 18133 "; classtype: system-event; program: ossec; sid: 6018133; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18211 "; classtype: system-event; program: ossec; sid: 6018211; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account disabled or deleted. (msauth_rules.xml:windows)"; content: "Rule: 18112 "; classtype: system-event; program: ossec; sid: 6018112; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Authenticated Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18220 "; classtype: system-event; program: ossec; sid: 6018220; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Certificate Service DCOM Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18256 "; classtype: exploit-attempt; program: ossec; sid: 6018256; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Allowed RODC Password Replication Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18253 "; classtype: exploit-attempt; program: ossec; sid: 6018253; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account changed. (msauth_rules.xml:windows)"; content: "Rule: 18111 "; classtype: system-event; program: ossec; sid: 6018111; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Session reconnected/disconnected to winstation. (msauth_rules.xml:windows)"; content: "Rule: 18109 "; classtype: not-suspicious; program: ossec; sid: 6018109; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18208 "; classtype: system-event; program: ossec; sid: 6018208; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed attempts to perform a privileged operation by the same user. (msauth_rules.xml:windows)"; content: "Rule: 18151 "; classtype: exploit-attempt; program: ossec; sid: 6018151; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - System time changed. (msauth_rules.xml:windows)"; content: "Rule: 18140 "; classtype: system-event; program: ossec; sid: 6018140; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18215 "; classtype: system-event; program: ossec; sid: 6018215; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows error events. (msauth_rules.xml:windows)"; content: "Rule: 18154 "; classtype: exploit-attempt; program: ossec; sid: 6018154; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18227 "; classtype: exploit-attempt; program: ossec; sid: 6018227; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Created (msauth_rules.xml:windows)"; content: "Rule: 18212 "; classtype: system-event; program: ossec; sid: 6018212; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18207 "; classtype: system-event; program: ossec; sid: 6018207; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows informational event. (msauth_rules.xml:windows)"; content: "Rule: 18101 "; classtype: tcp-connection; program: ossec; sid: 6018101; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Internal error. (msauth_rules.xml:windows)"; content: "Rule: 18137 "; classtype: system-event; program: ossec; sid: 6018137; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Performance Log Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18246 "; classtype: system-event; program: ossec; sid: 6018246; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows warning events. (msauth_rules.xml:windows)"; content: "Rule: 18155 "; classtype: exploit-attempt; program: ossec; sid: 6018155; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Created (msauth_rules.xml:windows)"; content: "Rule: 18200 "; classtype: system-event; program: ossec; sid: 6018200; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18209 "; classtype: system-event; program: ossec; sid: 6018209; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Windows DC integrity check on decrypted field failed. (msauth_rules.xml:windows)"; content: "Rule: 18170 "; classtype: exploit-attempt; program: ossec; sid: 6018170; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account currently disabled. 
(msauth_rules.xml:windows)"; content: "Rule: 18132 "; classtype: system-event; program: ossec; sid: 6018132; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18230 "; classtype: exploit-attempt; program: ossec; sid: 6018230; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Account Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18236 "; classtype: exploit-attempt; program: ossec; sid: 6018236; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Security enabled group created. (msauth_rules.xml:windows)"; content: "Rule: 18143 "; classtype: system-event; program: ossec; sid: 6018143; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows login attempt (ignored). Duplicated. (msauth_rules.xml:windows)"; content: "Rule: 18120 "; classtype: tcp-connection; program: ossec; sid: 6018120; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Everyone Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18218 "; classtype: system-event; program: ossec; sid: 6018218; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Application Installed. (msauth_rules.xml:windows)"; content: "Rule: 18147 "; classtype: system-event; program: ossec; sid: 6018147; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account logon time restriction violation. 
(msauth_rules.xml:windows)"; content: "Rule: 18131 "; classtype: system-event; program: ossec; sid: 6018131; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Created (msauth_rules.xml:windows)"; content: "Rule: 18202 "; classtype: system-event; program: ossec; sid: 6018202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18205 "; classtype: system-event; program: ossec; sid: 6018205; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18214 "; classtype: system-event; program: ossec; sid: 6018214; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple remote access login failures. (msauth_rules.xml:windows)"; content: "Rule: 18156 "; classtype: exploit-attempt; program: ossec; sid: 6018156; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Cert Publishers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18228 "; classtype: exploit-attempt; program: ossec; sid: 6018228; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Unexpected Windows shutdown. (msauth_rules.xml:windows)"; content: "Rule: 18141 "; classtype: system-event; program: ossec; sid: 6018141; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Server Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18237 "; classtype: exploit-attempt; program: ossec; sid: 6018237; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Unknown user or bad password. 
(msauth_rules.xml:windows)"; content: "Rule: 18130 "; classtype: system-event; program: ossec; sid: 6018130; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18213 "; classtype: system-event; program: ossec; sid: 6018213; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Local User Group NONE (msauth_rules.xml:windows)"; content: "Rule: 18224 "; classtype: tcp-connection; program: ossec; sid: 6018224; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows Logon Success (ignored). (msauth_rules.xml:windows)"; content: "Rule: 18121 "; classtype: tcp-connection; program: ossec; sid: 6018121; rev:1;) ## Rule group: rules_config.xml:ids ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all ids rules. (rules_config.xml:ids)"; content: "Rule: 03 "; classtype: tcp-connection; program: ossec; sid: 6000003; rev:1;) ## Rule group: vpn_concentrator_rules.xml:syslog,cisco_vpn ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Cisco VPN concentrator rules (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14200 "; classtype: tcp-connection; program: ossec; sid: 6014200; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - VPN Admin authentication successful. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14203 "; classtype: not-suspicious; program: ossec; sid: 6014203; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VPN authentication failures. 
(vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14251 "; classtype: exploit-attempt; program: ossec; sid: 6014251; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VPN authentication successful. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14201 "; classtype: not-suspicious; program: ossec; sid: 6014201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VPN authentication failed. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14202 "; classtype: system-event; program: ossec; sid: 6014202; rev:1;) ## Rule group: spamd_rules.xml:syslog,spamd ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Spamd debug event (reading message). (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3502 "; classtype: tcp-connection; program: ossec; sid: 6003502; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SPAMD result message (not very usefull here). (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3501 "; classtype: tcp-connection; program: ossec; sid: 6003501; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the spamd rules (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3500 "; classtype: tcp-connection; program: ossec; sid: 6003500; rev:1;) ## Rule group: proftpd_rules.xml:syslog,proftpd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection refused by TCP Wrappers. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11207 "; classtype: system-event; program: ossec; sid: 6011207; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11252 "; classtype: exploit-attempt; program: ossec; sid: 6011252; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to bind to adress. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11220 "; classtype: not-suspicious; program: ossec; sid: 6011220; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP session closed. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11202 "; classtype: tcp-connection; program: ossec; sid: 6011202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple timed out logins from same source. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11253 "; classtype: exploit-attempt; program: ossec; sid: 6011253; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host connected to FTP server. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11213 "; classtype: not-suspicious; program: ossec; sid: 6011213; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Mismatch in server's hostname. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11211 "; classtype: not-suspicious; program: ossec; sid: 6011211; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - FTP process crashed. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11218 "; classtype: exploit-attempt; program: ossec; sid: 6011218; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Data transfer stalled. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11217 "; classtype: not-suspicious; program: ossec; sid: 6011217; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to inactivity. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11214 "; classtype: not-suspicious; program: ossec; sid: 6011214; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Attempt to bypass firewall that can't adequately keep state of FTP traffic. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11209 "; classtype: exploit-attempt; program: ossec; sid: 6011209; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP config). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11212 "; classtype: system-event; program: ossec; sid: 6011212; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Small PassivePorts range in config file. Server misconfiguration. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11208 "; classtype: not-suspicious; program: ossec; sid: 6011208; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed login attempts. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11210 "; classtype: exploit-attempt; program: ossec; sid: 6011210; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - FTP server Buffer overflow attempt. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11219 "; classtype: exploit-attempt; program: ossec; sid: 6011219; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection denied by ProFTPD configuration. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11206 "; classtype: system-event; program: ossec; sid: 6011206; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP session opened. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11201 "; classtype: not-suspicious; program: ossec; sid: 6011201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a non-existent user. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11203 "; classtype: system-event; program: ossec; sid: 6011203; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - IPv6 error and mod-delay info (ignored). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11221 "; classtype: tcp-connection; program: ossec; sid: 6011221; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11251 "; classtype: exploit-attempt; program: ossec; sid: 6011251; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the FTP server (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11204 "; classtype: system-event; program: ossec; sid: 6011204; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the proftpd rules. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11200 "; classtype: tcp-connection; program: ossec; sid: 6011200; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11205 "; classtype: not-suspicious; program: ossec; sid: 6011205; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to login time out. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11215 "; classtype: not-suspicious; program: ossec; sid: 6011215; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to time out. 
(proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11216 "; classtype: not-suspicious; program: ossec; sid: 6011216; rev:1;) ## Rule group: courier_rules.xml:syslog,courier ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Courier brute force (multiple failed logins). (courier_rules.xml:syslog,courier)"; content: "Rule: 3910 "; classtype: exploit-attempt; program: ossec; sid: 6003910; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Courier (imap/pop3) authentication success. (courier_rules.xml:syslog,courier)"; content: "Rule: 3904 "; classtype: not-suspicious; program: ossec; sid: 6003904; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Courier (imap/pop3) authentication failed. (courier_rules.xml:syslog,courier)"; content: "Rule: 3902 "; classtype: system-event; program: ossec; sid: 6003902; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Courier logout/timeout. (courier_rules.xml:syslog,courier)"; content: "Rule: 3903 "; classtype: tcp-connection; program: ossec; sid: 6003903; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (courier_rules.xml:syslog,courier)"; content: "Rule: 3911 "; classtype: exploit-attempt; program: ossec; sid: 6003911; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New courier (imap/pop3) connection. (courier_rules.xml:syslog,courier)"; content: "Rule: 3901 "; classtype: not-suspicious; program: ossec; sid: 6003901; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the courier rules. 
(courier_rules.xml:syslog,courier)"; content: "Rule: 3900 "; classtype: tcp-connection; program: ossec; sid: 6003900; rev:1;) ## Rule group: mysql_rules.xml:mysql_log ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Database authentication failure. (mysql_rules.xml:mysql_log)"; content: "Rule: 50106 "; classtype: system-event; program: ossec; sid: 6050106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Database error. (mysql_rules.xml:mysql_log)"; content: "Rule: 50125 "; classtype: system-event; program: ossec; sid: 6050125; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Database query. (mysql_rules.xml:mysql_log)"; content: "Rule: 50107 "; classtype: tcp-connection; program: ossec; sid: 6050107; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database startup message. (mysql_rules.xml:mysql_log)"; content: "Rule: 50121 "; classtype: not-suspicious; program: ossec; sid: 6050121; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (mysql_rules.xml:mysql_log)"; content: "Rule: 50180 "; classtype: exploit-attempt; program: ossec; sid: 6050180; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database fatal error. (mysql_rules.xml:mysql_log)"; content: "Rule: 50126 "; classtype: exploit-attempt; program: ossec; sid: 6050126; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - MySQL messages grouped. (mysql_rules.xml:mysql_log)"; content: "Rule: 50100 "; classtype: tcp-connection; program: ossec; sid: 6050100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. 
(mysql_rules.xml:mysql_log)"; content: "Rule: 50120 "; classtype: exploit-attempt; program: ossec; sid: 6050120; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database authentication success. (mysql_rules.xml:mysql_log)"; content: "Rule: 50105 "; classtype: not-suspicious; program: ossec; sid: 6050105; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User disconnected from database. (mysql_rules.xml:mysql_log)"; content: "Rule: 50108 "; classtype: not-suspicious; program: ossec; sid: 6050108; rev:1;) ## Rule group: ossec_rules.xml:ossec ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - System Audit event. (ossec_rules.xml:ossec)"; content: "Rule: 516 "; classtype: not-suspicious; program: ossec; sid: 6000516; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec agent started. (ossec_rules.xml:ossec)"; content: "Rule: 503 "; classtype: not-suspicious; program: ossec; sid: 6000503; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File added to the system. (ossec_rules.xml:ossec)"; content: "Rule: 554 "; classtype: tcp-connection; program: ossec; sid: 6000554; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Microsoft Event log cleared. (ossec_rules.xml:ossec)"; content: "Rule: 593 "; classtype: system-event; program: ossec; sid: 6000593; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec server started. (ossec_rules.xml:ossec)"; content: "Rule: 502 "; classtype: not-suspicious; program: ossec; sid: 6000502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed again (3rd time). 
(ossec_rules.xml:ossec)"; content: "Rule: 552 "; classtype: system-event; program: ossec; sid: 6000552; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored common NTFS ADS entries. (ossec_rules.xml:ossec)"; content: "Rule: 511 "; classtype: tcp-connection; program: ossec; sid: 6000511; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Windows application monitor event. (ossec_rules.xml:ossec)"; content: "Rule: 514 "; classtype: not-suspicious; program: ossec; sid: 6000514; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Host information changed. (ossec_rules.xml:ossec)"; content: "Rule: 580 "; classtype: system-event; program: ossec; sid: 6000580; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring external medias. (ossec_rules.xml:ossec)"; content: "Rule: 532 "; classtype: tcp-connection; program: ossec; sid: 6000532; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of ossec rules. (ossec_rules.xml:ossec)"; content: "Rule: 500 "; classtype: tcp-connection; program: ossec; sid: 6000500; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring rootcheck/syscheck scan messages. (ossec_rules.xml:ossec)"; content: "Rule: 515 "; classtype: tcp-connection; program: ossec; sid: 6000515; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)"; content: "Rule: 513 "; classtype: system-event; program: ossec; sid: 6000513; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Log file size reduced. (ossec_rules.xml:ossec)"; content: "Rule: 592 "; classtype: system-event; program: ossec; sid: 6000592; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - File deleted. 
Unable to retrieve checksum. (ossec_rules.xml:ossec)"; content: "Rule: 553 "; classtype: system-event; program: ossec; sid: 6000553; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows Audit event. (ossec_rules.xml:ossec)"; content: "Rule: 512 "; classtype: not-suspicious; program: ossec; sid: 6000512; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)"; content: "Rule: 518 "; classtype: system-event; program: ossec; sid: 6000518; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Rootcheck event. (ossec_rules.xml:ossec)"; content: "Rule: 509 "; classtype: tcp-connection; program: ossec; sid: 6000509; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum for agentless device changed. (ossec_rules.xml:ossec)"; content: "Rule: 555 "; classtype: system-event; program: ossec; sid: 6000555; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Partition usage reached 100% (disk space monitor). (ossec_rules.xml:ossec)"; content: "Rule: 531 "; classtype: system-event; program: ossec; sid: 6000531; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Host information added. (ossec_rules.xml:ossec)"; content: "Rule: 581 "; classtype: system-event; program: ossec; sid: 6000581; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Log file rotated. (ossec_rules.xml:ossec)"; content: "Rule: 591 "; classtype: not-suspicious; program: ossec; sid: 6000591; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New ossec agent connected. 
(ossec_rules.xml:ossec)"; content: "Rule: 501 "; classtype: not-suspicious; program: ossec; sid: 6000501; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)"; content: "Rule: 510 "; classtype: system-event; program: ossec; sid: 6000510; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed again (2nd time). (ossec_rules.xml:ossec)"; content: "Rule: 551 "; classtype: system-event; program: ossec; sid: 6000551; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - OSSEC process monitoring rules. (ossec_rules.xml:ossec)"; content: "Rule: 530 "; classtype: tcp-connection; program: ossec; sid: 6000530; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed. (ossec_rules.xml:ossec)"; content: "Rule: 550 "; classtype: system-event; program: ossec; sid: 6000550; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec agent disconnected. (ossec_rules.xml:ossec)"; content: "Rule: 504 "; classtype: not-suspicious; program: ossec; sid: 6000504; rev:1;) ## Rule group: racoon_rules.xml:syslog,racoon ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roadwarrior configuration (ignored error). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14121 "; classtype: tcp-connection; program: ossec; sid: 6014121; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VPN authentication failed. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14101 "; classtype: system-event; program: ossec; sid: 6014101; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Racoon error message. 
(racoon_rules.xml:syslog,racoon)"; content: "Rule: 14111 "; classtype: not-suspicious; program: ossec; sid: 6014111; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Racoon informational message. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14110 "; classtype: tcp-connection; program: ossec; sid: 6014110; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of racoon rules. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14100 "; classtype: tcp-connection; program: ossec; sid: 6014100; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Racoon warning message. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14112 "; classtype: not-suspicious; program: ossec; sid: 6014112; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Invalid configuration settings (ignored error). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14123 "; classtype: tcp-connection; program: ossec; sid: 6014123; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VPN established. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14120 "; classtype: not-suspicious; program: ossec; sid: 6014120; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roadwarrior configuration (ignored warning). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14122 "; classtype: tcp-connection; program: ossec; sid: 6014122; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple failed VPN logins. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14151 "; classtype: system-event; program: ossec; sid: 6014151; rev:1;) ## Rule group: arpwatch_rules.xml:syslog,arpwatch ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Arpwatch exiting. 
(arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7203 "; classtype: not-suspicious; program: ossec; sid: 6007203; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the arpwatch rules. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7200 "; classtype: tcp-connection; program: ossec; sid: 6007200; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Arpwatch detected bad address len (ignored). (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7206 "; classtype: tcp-connection; program: ossec; sid: 6007206; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Arpwatch startup/exiting messages. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7205 "; classtype: tcp-connection; program: ossec; sid: 6007205; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Arpwatch new host detected. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7201 "; classtype: not-suspicious; program: ossec; sid: 6007201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Changed network interface for ip address. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7204 "; classtype: system-event; program: ossec; sid: 6007204; rev:1;)
# NOTE(review): the msg of sid 6007202 below embeds unescaped double quotes
# around "flip flop". Snort-style rule syntax expects inner quotes to be
# escaped (\") or removed; Sagan's own loader may tolerate this, but rule
# management tooling and alert consumers that parse the msg field can
# truncate it at the first inner quote. TODO confirm against the Sagan rule
# parser, and bump rev if the msg text is changed.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Arpwatch "flip flop" message. IP address/MAC relation changing too often. 
(arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7202 "; classtype: system-event; program: ossec; sid: 6007202; rev:1;) ## Rule group: ftpd_rules.xml:syslog,ftpd ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File created via FTP (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11102 "; classtype: tcp-connection; program: ossec; sid: 6011102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Attempt to login with disabled account. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11111 "; classtype: system-event; program: ossec; sid: 6011111; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - User uploaded a file to server. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11104 "; classtype: tcp-connection; program: ossec; sid: 6011104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11113 "; classtype: system-event; program: ossec; sid: 6011113; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP config). (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11108 "; classtype: system-event; program: ossec; sid: 6011108; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection blocked by Tcp Wrappers. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11107 "; classtype: system-event; program: ossec; sid: 6011107; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP connection refused. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11101 "; classtype: system-event; program: ossec; sid: 6011101; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host connected to FTP server. 
(ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11106 "; classtype: not-suspicious; program: ossec; sid: 6011106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP failed login attempts. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11109 "; classtype: exploit-attempt; program: ossec; sid: 6011109; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the ftpd rules. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11100 "; classtype: tcp-connection; program: ossec; sid: 6011100; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - User downloaded a file to server. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11105 "; classtype: tcp-connection; program: ossec; sid: 6011105; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User disconnected due to time out. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11110 "; classtype: not-suspicious; program: ossec; sid: 6011110; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11112 "; classtype: system-event; program: ossec; sid: 6011112; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File deleted via FTP (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11103 "; classtype: tcp-connection; program: ossec; sid: 6011103; rev:1;) ## Rule group: cisco-ios_rules.xml:syslog,cisco_ios ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS debug message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4717 "; classtype: tcp-connection; program: ossec; sid: 6004717; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Cisco IOS critical message. 
(cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4712 "; classtype: system-event; program: ossec; sid: 6004712; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Cisco IOS router configuration changed. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4721 "; classtype: not-suspicious; program: ossec; sid: 6004721; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Cisco IOS emergency message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4710 "; classtype: system-event; program: ossec; sid: 6004710; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Cisco IOS warning message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4714 "; classtype: not-suspicious; program: ossec; sid: 6004714; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Cisco IOS alert message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4711 "; classtype: system-event; program: ossec; sid: 6004711; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful login to the router. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4722 "; classtype: not-suspicious; program: ossec; sid: 6004722; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS notification message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4715 "; classtype: tcp-connection; program: ossec; sid: 6004715; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Cisco IOS rules. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4700 "; classtype: tcp-connection; program: ossec; sid: 6004700; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Cisco IOS error message. 
(cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4713 "; classtype: not-suspicious; program: ossec; sid: 6004713; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS informational message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4716 "; classtype: tcp-connection; program: ossec; sid: 6004716; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed login to the router. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4724 "; classtype: system-event; program: ossec; sid: 6004724; rev:1;) ## Rule group: asterisk_rules.xml:syslog,asterisk ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Extension enumeration. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6252 "; classtype: exploit-attempt; program: ossec; sid: 6006252; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Asterisk warning message. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6202 "; classtype: not-suspicious; program: ossec; sid: 6006202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6210 "; classtype: system-event; program: ossec; sid: 6006210; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Asterisk notice messages grouped. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6201 "; classtype: tcp-connection; program: ossec; sid: 6006201; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed (invalid extension). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6212 "; classtype: system-event; program: ossec; sid: 6006212; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Asterisk messages grouped. 
(asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6200 "; classtype: tcp-connection; program: ossec; sid: 6006200; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6251 "; classtype: exploit-attempt; program: ossec; sid: 6006251; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed (invalid user). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6211 "; classtype: system-event; program: ossec; sid: 6006211; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Asterisk error message. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6203 "; classtype: not-suspicious; program: ossec; sid: 6006203; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins (user enumeration in process). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6250 "; classtype: exploit-attempt; program: ossec; sid: 6006250; rev:1;) ## Rule group: syslog_rules.xml:syslog,yum ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - New Yum package installed. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2932 "; classtype: system-event; program: ossec; sid: 6002932; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Yum package deleted. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2934 "; classtype: system-event; program: ossec; sid: 6002934; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Yum logs. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2931 "; classtype: tcp-connection; program: ossec; sid: 6002931; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Yum logs. 
(syslog_rules.xml:syslog,yum)"; content: "Rule: 2930 "; classtype: tcp-connection; program: ossec; sid: 6002930; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Yum package updated. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2933 "; classtype: system-event; program: ossec; sid: 6002933; rev:1;) ## Rule group: local_rules.xml:local,syslog ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Example of rule that will ignore sshd failed logins for user XYZABC. (local_rules.xml:local,syslog)"; content: "Rule: 100020 "; classtype: tcp-connection; program: ossec; sid: 6100020; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Example of rule that will ignore sshd failed logins from IP 1.1.1.1. (local_rules.xml:local,syslog)"; content: "Rule: 100001 "; classtype: tcp-connection; program: ossec; sid: 6100001; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - List of rules to be ignored. (local_rules.xml:local,syslog)"; content: "Rule: 100030 "; classtype: tcp-connection; program: ossec; sid: 6100030; rev:1;) ## Rule group: trend-osce_rules.xml:trend_micro,ocse ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virus detected and cleaned/quarantined/removed (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7610 "; classtype: system-event; program: ossec; sid: 6007610; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Trend OSCE rules. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7600 "; classtype: tcp-connection; program: ossec; sid: 6007600; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Virus detected and unable to clean up. 
(trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7611 "; classtype: system-event; program: ossec; sid: 6007611; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virus scan completed with no errors detected. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7612 "; classtype: not-suspicious; program: ossec; sid: 6007612; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virus scan passed but found potential security risk. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7613 "; classtype: system-event; program: ossec; sid: 6007613; rev:1;) ## Rule group: telnetd_rules.xml:syslog,telnetd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Remote host invalid connection. (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5603 "; classtype: system-event; program: ossec; sid: 6005603; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the telnetd rules (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5600 "; classtype: tcp-connection; program: ossec; sid: 6005600; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host established a telnet connection. (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5602 "; classtype: not-suspicious; program: ossec; sid: 6005602; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source (possible scan). (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5631 "; classtype: exploit-attempt; program: ossec; sid: 6005631; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection refused by TCP Wrappers. 
(telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5601 "; classtype: system-event; program: ossec; sid: 6005601; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad hostname config). (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5604 "; classtype: system-event; program: ossec; sid: 6005604; rev:1;) ## Rule group: syslog_rules.xml:syslog,nfs ## #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS directory. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2103 "; classtype: not-suspicious; program: ossec; sid: 6002103; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS share. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2101 "; classtype: not-suspicious; program: ossec; sid: 6002101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS rules grouped. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2100 "; classtype: tcp-connection; program: ossec; sid: 6002100; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Automount informative message (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2104 "; classtype: not-suspicious; program: ossec; sid: 6002104; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS directory. 
(syslog_rules.xml:syslog,nfs)"; content: "Rule: 2102 "; classtype: not-suspicious; program: ossec; sid: 6002102; rev:1;) ## Rule group: syslog_rules.xml:syslog,pptp ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD messages grouped (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9100 "; classtype: tcp-connection; program: ossec; sid: 6009100; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD communication error (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9102 "; classtype: tcp-connection; program: ossec; sid: 6009102; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD failed message (communication error) (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9101 "; classtype: tcp-connection; program: ossec; sid: 6009101; rev:1;) ## Rule group: attack_rules.xml:syslog,elevation_of_privilege ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 15 - Attacks followed by the addition of a user. (attack_rules.xml:syslog,elevation_of_privilege)"; content: "Rule: 40501 "; classtype: exploit-attempt; program: ossec; sid: 6040501; rev:1;) ## Rule group: ms-exchange_rules.xml:ms,exchange ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Exchange rules. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3800 "; classtype: tcp-connection; program: ossec; sid: 6003800; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple e-mail 500 error code (spam). (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3852 "; classtype: system-event; program: ossec; sid: 6003852; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - E-mail rcpt is not valid (invalid account). 
(ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3801 "; classtype: not-suspicious; program: ossec; sid: 6003801; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple e-mail attempts to an invalid account. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3851 "; classtype: system-event; program: ossec; sid: 6003851; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - E-mail 500 error code. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3802 "; classtype: not-suspicious; program: ossec; sid: 6003802; rev:1;) ## Rule group: attack_rules.xml:syslog,recon ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Network scan from same source ip. (attack_rules.xml:syslog,recon)"; content: "Rule: 40601 "; classtype: exploit-attempt; program: ossec; sid: 6040601; rev:1;) ## Rule group: rules_config.xml:ossec ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all ossec rules. (rules_config.xml:ossec)"; content: "Rule: 07 "; classtype: tcp-connection; program: ossec; sid: 6000007; rev:1;) ## Rule group: syslog_rules.xml:syslog,linuxkernel ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Kernel usbhid probe error (ignored). (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5112 "; classtype: tcp-connection; program: ossec; sid: 6005112; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Monitor ADSL line is up. 
(syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5131 "; classtype: not-suspicious; program: ossec; sid: 6005131; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Kernel Input/Output error (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5109 "; classtype: not-suspicious; program: ossec; sid: 6005109; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - IRC misconfiguration (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5110 "; classtype: not-suspicious; program: ossec; sid: 6005110; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring hpiod for producing useless logs. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5200 "; classtype: tcp-connection; program: ossec; sid: 6005200; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Informative message from the kernel (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5102 "; classtype: tcp-connection; program: ossec; sid: 6005102; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS incompatibility between Linux and Solaris. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5107 "; classtype: tcp-connection; program: ossec; sid: 6005107; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Interface entered in promiscuous(sniffing) mode. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5104 "; classtype: system-event; program: ossec; sid: 6005104; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Pre-match rule for kernel messages (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5100 "; classtype: tcp-connection; program: ossec; sid: 6005100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - System running out of memory. 
Availability of the system is at risk. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5108 "; classtype: exploit-attempt; program: ossec; sid: 6005108; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Kernel device error. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5111 "; classtype: tcp-connection; program: ossec; sid: 6005111; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Invalid request to /dev/fd0 (bug on the kernel). (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5105 "; classtype: tcp-connection; program: ossec; sid: 6005105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Error message from the kernel. Ping of death attack. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5103 "; classtype: system-event; program: ossec; sid: 6005103; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS incompatibility between Linux and Solaris. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5106 "; classtype: tcp-connection; program: ossec; sid: 6005106; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Informative message from the kernel. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5101 "; classtype: tcp-connection; program: ossec; sid: 6005101; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Monitor ADSL line is down. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5130 "; classtype: system-event; program: ossec; sid: 6005130; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - System is shutting down. 
(syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5113 "; classtype: system-event; program: ossec; sid: 6005113; rev:1;) ## Rule group: dovecot_rules.xml:dovecot ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Authentication Failed. (dovecot_rules.xml:dovecot)"; content: "Rule: 9702 "; classtype: system-event; program: ossec; sid: 6009702; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Dovecot Multiple Authentication Failures. (dovecot_rules.xml:dovecot)"; content: "Rule: 9750 "; classtype: exploit-attempt; program: ossec; sid: 6009750; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot is Starting Up. (dovecot_rules.xml:dovecot)"; content: "Rule: 9703 "; classtype: not-suspicious; program: ossec; sid: 6009703; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Dovecot Fatal Failure. (dovecot_rules.xml:dovecot)"; content: "Rule: 9704 "; classtype: not-suspicious; program: ossec; sid: 6009704; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Invalid User Login Attempt. (dovecot_rules.xml:dovecot)"; content: "Rule: 9705 "; classtype: system-event; program: ossec; sid: 6009705; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Aborted Login. (dovecot_rules.xml:dovecot)"; content: "Rule: 9707 "; classtype: system-event; program: ossec; sid: 6009707; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot Authentication Success. (dovecot_rules.xml:dovecot)"; content: "Rule: 9701 "; classtype: not-suspicious; program: ossec; sid: 6009701; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Dovecot Messages Grouped. 
(dovecot_rules.xml:dovecot)"; content: "Rule: 9700 "; classtype: tcp-connection; program: ossec; sid: 6009700; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot Session Disconnected. (dovecot_rules.xml:dovecot)"; content: "Rule: 9706 "; classtype: not-suspicious; program: ossec; sid: 6009706; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Dovecot brute force attack (multiple auth failures). (dovecot_rules.xml:dovecot)"; content: "Rule: 9751 "; classtype: exploit-attempt; program: ossec; sid: 6009751; rev:1;) ## Rule group: symantec-ws_rules.xml:symantec ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec Web Security rules. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7400 "; classtype: tcp-connection; program: ossec; sid: 6007400; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Web access message. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7425 "; classtype: not-suspicious; program: ossec; sid: 6007425; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Admin Login success to the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7420 "; classtype: not-suspicious; program: ossec; sid: 6007420; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login success accessing the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7415 "; classtype: not-suspicious; program: ossec; sid: 6007415; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7410 "; classtype: system-event; program: ossec; sid: 6007410; rev:1;) ## Rule group: php_rules.xml:apache ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP Parse error. 
(php_rules.xml:apache)"; content: "Rule: 31430 "; classtype: system-event; program: ossec; sid: 6031430; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31410 "; classtype: not-suspicious; program: ossec; sid: 6031410; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31404 "; classtype: tcp-connection; program: ossec; sid: 6031404; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP internal error (missing file or function). (php_rules.xml:apache)"; content: "Rule: 31421 "; classtype: system-event; program: ossec; sid: 6031421; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Parse error. (php_rules.xml:apache)"; content: "Rule: 31403 "; classtype: tcp-connection; program: ossec; sid: 6031403; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - PHP web attack. (php_rules.xml:apache)"; content: "Rule: 31411 "; classtype: system-event; program: ossec; sid: 6031411; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP internal error (missing file). (php_rules.xml:apache)"; content: "Rule: 31412 "; classtype: system-event; program: ossec; sid: 6031412; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31420 "; classtype: system-event; program: ossec; sid: 6031420; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31405 "; classtype: tcp-connection; program: ossec; sid: 6031405; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Parse error. 
(php_rules.xml:apache)"; content: "Rule: 31406 "; classtype: tcp-connection; program: ossec; sid: 6031406; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31401 "; classtype: tcp-connection; program: ossec; sid: 6031401; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31402 "; classtype: tcp-connection; program: ossec; sid: 6031402; rev:1;) ## Rule group: postfix_rules.xml:syslog,postfix ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple relaying attempts of spam. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3351 "; classtype: system-event; program: ossec; sid: 6003351; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple misuse of SMTP service (bad sequence of commands). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3354 "; classtype: exploit-attempt; program: ossec; sid: 6003354; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Postfix SASL authentication failure. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3332 "; classtype: system-event; program: ossec; sid: 6003332; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the postfix reject rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3300 "; classtype: tcp-connection; program: ossec; sid: 6003300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3353 "; classtype: exploit-attempt; program: ossec; sid: 6003353; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to use mail server as relay (client host rejected). 
(postfix_rules.xml:syslog,postfix)"; content: "Rule: 3301 "; classtype: system-event; program: ossec; sid: 6003301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail to invalid recipient or from unknown sender domain. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3355 "; classtype: exploit-attempt; program: ossec; sid: 6003355; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain is not found (450: Requested mail action not taken). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3303 "; classtype: system-event; program: ossec; sid: 6003303; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Postfix stopped. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3333 "; classtype: system-event; program: ossec; sid: 6003333; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Postfix started. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3334 "; classtype: not-suspicious; program: ossec; sid: 6003334; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Rejected by access list (Requested action not taken). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3302 "; classtype: system-event; program: ossec; sid: 6003302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts to send e-mail from a rejected sender IP (access). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3352 "; classtype: system-event; program: ossec; sid: 6003352; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Postfix insufficient disk space error. 
(postfix_rules.xml:syslog,postfix)"; content: "Rule: 3331 "; classtype: exploit-attempt; program: ossec; sid: 6003331; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Improper use of SMTP command pipelining (503: Bad sequence of commands). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3304 "; classtype: system-event; program: ossec; sid: 6003304; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Recipient address must contain FQDN (504: Command parameter not implemented). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3305 "; classtype: system-event; program: ossec; sid: 6003305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the clamsmtpd rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3390 "; classtype: tcp-connection; program: ossec; sid: 6003390; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SASL authentication failures. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3357 "; classtype: exploit-attempt; program: ossec; sid: 6003357; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the postfix rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3320 "; classtype: tcp-connection; program: ossec; sid: 6003320; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from black-listed IP address (blocked). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3356 "; classtype: exploit-attempt; program: ossec; sid: 6003356; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - IP Address black-listed by anti-spam (blocked). 
(postfix_rules.xml:syslog,postfix)"; content: "Rule: 3306 "; classtype: system-event; program: ossec; sid: 6003306; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Postfix process error. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3330 "; classtype: exploit-attempt; program: ossec; sid: 6003330; rev:1;) ## Rule group: ms_ftpd_rules.xml:syslog,msftp ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP errors from same source. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11512 "; classtype: exploit-attempt; program: ossec; sid: 6011512; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11510 "; classtype: exploit-attempt; program: ossec; sid: 6011510; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New FTP connection. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11501 "; classtype: not-suspicious; program: ossec; sid: 6011501; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11503 "; classtype: not-suspicious; program: ossec; sid: 6011503; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Microsoft ftp rules. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11500 "; classtype: tcp-connection; program: ossec; sid: 6011500; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11511 "; classtype: exploit-attempt; program: ossec; sid: 6011511; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP Authentication failed. 
(ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11502 "; classtype: system-event; program: ossec; sid: 6011502; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - FTP client request failed. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11504 "; classtype: not-suspicious; program: ossec; sid: 6011504; rev:1;)
## Rule group: imapd_rules.xml:syslog,imapd ##
# imapd: a single failed login (3601, level 5) and OSSEC's repeated-failure
# correlation from one source (3651, level 10) are enabled; login, logout
# and grouping (3602, 3603, 3600) are disabled.
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Imapd user login. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3602 "; classtype: not-suspicious; program: ossec; sid: 6003602; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Imapd user logout. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3603 "; classtype: tcp-connection; program: ossec; sid: 6003603; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins from same source ip. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3651 "; classtype: exploit-attempt; program: ossec; sid: 6003651; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Imapd user login failed. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3601 "; classtype: system-event; program: ossec; sid: 6003601; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the imapd rules. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3600 "; classtype: tcp-connection; program: ossec; sid: 6003600; rev:1;)
## Rule group: ids_rules.xml:ids ##
# ids: OSSEC's handling of network-IDS (snort) alerts it ingests.  20100 is
# the first occurrence of a signature, 20101 the plain event, 20151/20152
# the repeat correlations; 20161/20162 say OSSEC is now ignoring that
# source or signature, so a burst of those is the last you will see of it.
# The "Ignored snort ids" rules (20102, 20103) are presumably OSSEC-side
# suppressions of known-noisy signatures; they stay disabled here.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored snort ids. (ids_rules.xml:ids)"; content: "Rule: 20103 "; classtype: tcp-connection; program: ossec; sid: 6020103; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored snort ids. (ids_rules.xml:ids)"; content: "Rule: 20102 "; classtype: tcp-connection; program: ossec; sid: 6020102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple IDS events from same source ip. (ids_rules.xml:ids)"; content: "Rule: 20151 "; classtype: exploit-attempt; program: ossec; sid: 6020151; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - First time this IDS alert is generated. (ids_rules.xml:ids)"; content: "Rule: 20100 "; classtype: system-event; program: ossec; sid: 6020100; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Multiple IDS alerts for same id (ignoring now this id). (ids_rules.xml:ids)"; content: "Rule: 20162 "; classtype: exploit-attempt; program: ossec; sid: 6020162; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple IDS alerts for same id. (ids_rules.xml:ids)"; content: "Rule: 20152 "; classtype: exploit-attempt; program: ossec; sid: 6020152; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Multiple IDS events from same source ip (ignoring now this srcip and id). (ids_rules.xml:ids)"; content: "Rule: 20161 "; classtype: exploit-attempt; program: ossec; sid: 6020161; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - IDS event. (ids_rules.xml:ids)"; content: "Rule: 20101 "; classtype: system-event; program: ossec; sid: 6020101; rev:1;)
## Rule group: policy_rules.xml:policy_violation ##
# policy_violation: OSSEC weekday/time-of-day checks on successful logins.
# NOTE(review): the business-hours window is presumably evaluated on the
# OSSEC manager's local clock - confirm its time zone matches the monitored
# hosts before acting on these.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Successful login during weekend. (policy_rules.xml:policy_violation)"; content: "Rule: 17102 "; classtype: system-event; program: ossec; sid: 6017102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Successful login during non-business hours. 
(policy_rules.xml:policy_violation)"; content: "Rule: 17101 "; classtype: system-event; program: ossec; sid: 6017101; rev:1;)
## Rule group: ms_dhcp_rules.xml:windows,dhcp ##
# ms_dhcp: Windows DHCP server audit log as decoded by OSSEC (63xx).  The
# 635x Solicit/Advertise/Renew/Rebind/Confirm/Release/Information Request
# entries are the DHCPv6 message-type names, so 6300 and 6350 are presumably
# the v4 and v6 grouping rules respectively.
# The level-12 rules (6323 NAP drop, 6360 Scope Full, 6308 pool exhausted,
# 6376/6373 AD authorization) are classed exploit-attempt purely by level.
# Pool exhaustion (6308, 6314, 6360) can be DHCP starvation but is just as
# often plain capacity; check lease churn and client MAC diversity before
# treating it as an attack.  Audit-log pause (6303, 6363) is a
# loss-of-visibility condition whatever the cause.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Packet dropped due to NAP policy. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6323 "; classtype: exploit-attempt; program: ossec; sid: 6006323; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - The log was started. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6301 "; classtype: not-suspicious; program: ossec; sid: 6006301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Scope Full. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6360 "; classtype: exploit-attempt; program: ossec; sid: 6006360; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS record not deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6368 "; classtype: tcp-connection; program: ossec; sid: 6006368; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Audit log paused. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6363 "; classtype: exploit-attempt; program: ossec; sid: 6006363; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Service has not determined if it is authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6376 "; classtype: exploit-attempt; program: ossec; sid: 6006376; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A BOOTP IP address was deleted after checking to see it was not in use. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6315 "; classtype: tcp-connection; program: ossec; sid: 6006315; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A BOOTP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6312 "; classtype: tcp-connection; program: ossec; sid: 6006312; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DNS update failed. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6319 "; classtype: system-event; program: ossec; sid: 6006319; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Started. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6361 "; classtype: not-suspicious; program: ossec; sid: 6006361; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the MS-DHCP rules. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6350 "; classtype: tcp-connection; program: ossec; sid: 6006350; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Advertise. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6352 "; classtype: tcp-connection; program: ossec; sid: 6006352; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was renewed by a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6305 "; classtype: tcp-connection; program: ossec; sid: 6006305; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A new IP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6304 "; classtype: tcp-connection; program: ossec; sid: 6006304; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was expired and DNS records were deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6322 "; classtype: tcp-connection; program: ossec; sid: 6006322; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Expired. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6369 "; classtype: tcp-connection; program: ossec; sid: 6006369; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - An IP address was found to be in use on the network. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6307 "; classtype: tcp-connection; program: ossec; sid: 6006307; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Renew. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6355 "; classtype: tcp-connection; program: ossec; sid: 6006355; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was expired and DNS records for an expired leases have not been deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6311 "; classtype: tcp-connection; program: ossec; sid: 6006311; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Solicit. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6351 "; classtype: tcp-connection; program: ossec; sid: 6006351; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - IP address cleanup operation has began. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6316 "; classtype: not-suspicious; program: ossec; sid: 6006316; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Client deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6367 "; classtype: tcp-connection; program: ossec; sid: 6006367; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Address is already in use. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6366 "; classtype: not-suspicious; program: ossec; sid: 6006366; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Database cleanup begin. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6371 "; classtype: not-suspicious; program: ossec; sid: 6006371; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - A lease request could not be satisfied because the scope's address pool was exhausted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6308 "; classtype: exploit-attempt; program: ossec; sid: 6006308; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - A lease was denied. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6309 "; classtype: system-event; program: ossec; sid: 6006309; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Confirm. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6354 "; classtype: tcp-connection; program: ossec; sid: 6006354; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - IP address cleanup statistics. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6317 "; classtype: not-suspicious; program: ossec; sid: 6006317; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update successful. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6320 "; classtype: tcp-connection; program: ossec; sid: 6006320; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Information Request. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6359 "; classtype: tcp-connection; program: ossec; sid: 6006359; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DHCP Log File. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6364 "; classtype: system-event; program: ossec; sid: 6006364; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was released by a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6306 "; classtype: tcp-connection; program: ossec; sid: 6006306; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - The log was stopped. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6302 "; classtype: not-suspicious; program: ossec; sid: 6006302; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - The log was temporarily paused due to low disk space. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6303 "; classtype: exploit-attempt; program: ossec; sid: 6006303; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Database cleanup end. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6372 "; classtype: not-suspicious; program: ossec; sid: 6006372; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6310 "; classtype: tcp-connection; program: ossec; sid: 6006310; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Codes above 50 are used for Rogue Server Detection information. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6321 "; classtype: exploit-attempt; program: ossec; sid: 6006321; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update request to the named DNS server. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6318 "; classtype: tcp-connection; program: ossec; sid: 6006318; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A dynamic BOOTP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6313 "; classtype: tcp-connection; program: ossec; sid: 6006313; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Service authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6374 "; classtype: not-suspicious; program: ossec; sid: 6006374; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6314 "; classtype: exploit-attempt; program: ossec; sid: 6006314; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Service not authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6373 "; classtype: exploit-attempt; program: ossec; sid: 6006373; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Release. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6358 "; classtype: tcp-connection; program: ossec; sid: 6006358; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DHCP Decline. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6357 "; classtype: system-event; program: ossec; sid: 6006357; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Bad Address. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6365 "; classtype: system-event; program: ossec; sid: 6006365; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Stopped. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6362 "; classtype: system-event; program: ossec; sid: 6006362; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Rebind. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6356 "; classtype: tcp-connection; program: ossec; sid: 6006356; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Expired and Deleted count. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6370 "; classtype: tcp-connection; program: ossec; sid: 6006370; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the MS-DHCP rules. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6300 "; classtype: tcp-connection; program: ossec; sid: 6006300; rev:1;)
## Rule group: syslog_rules.xml:syslog,tripwire ##
# tripwire: integrity-check problems reported through syslog (7101).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Problems with the tripwire checking (syslog_rules.xml:syslog,tripwire)"; content: "Rule: 7101 "; classtype: system-event; program: ossec; sid: 6007101; rev:1;)
## Rule group: roundcube_rules.xml:syslog,roundcube ##
# roundcube: webmail authentication failure (9401) is enabled; success and
# grouping (9402, 9400) are disabled.  "groupe.d" is the upstream
# description verbatim (sic).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Roundcube authentication failed. (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9401 "; classtype: system-event; program: ossec; sid: 6009401; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roundcube messages groupe.d (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9400 "; classtype: tcp-connection; program: ossec; sid: 6009400; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Roundcube authentication succeeded. (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9402 "; classtype: not-suspicious; program: ossec; sid: 6009402; rev:1;)
## Rule group: vmware_rules.xml:vmware ##
# vmware: ESX syslog severity passthrough (191xx) plus OSSEC's repeat
# correlations (19150-19153).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX authentication failures. (vmware_rules.xml:vmware)"; content: "Rule: 19152 "; classtype: exploit-attempt; program: ossec; sid: 6019152; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - VMware ESX error message. 
(vmware_rules.xml:vmware)"; content: "Rule: 19103 "; classtype: not-suspicious; program: ossec; sid: 6019103; rev:1;)
# vmware (continued).  Authentication success (19110) and user login
# (19112) are disabled at level 3; enable them if ESX admin access must be
# visible.  VM power-off (19120) is enabled at level 8, power-on (19121,
# 19122) is disabled at level 3.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX verbose message. (vmware_rules.xml:vmware)"; content: "Rule: 19107 "; classtype: tcp-connection; program: ossec; sid: 6019107; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virtual machine being turned ON. (vmware_rules.xml:vmware)"; content: "Rule: 19121 "; classtype: not-suspicious; program: ossec; sid: 6019121; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - VMware ESX critical message. (vmware_rules.xml:vmware)"; content: "Rule: 19102 "; classtype: system-event; program: ossec; sid: 6019102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX warning messages. (vmware_rules.xml:vmware)"; content: "Rule: 19150 "; classtype: exploit-attempt; program: ossec; sid: 6019150; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMware ESX warning message. (vmware_rules.xml:vmware)"; content: "Rule: 19104 "; classtype: not-suspicious; program: ossec; sid: 6019104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VMWare ESX authentication failure. (vmware_rules.xml:vmware)"; content: "Rule: 19111 "; classtype: system-event; program: ossec; sid: 6019111; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virtual machine being reconfigured. (vmware_rules.xml:vmware)"; content: "Rule: 19123 "; classtype: system-event; program: ossec; sid: 6019123; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX notice message. (vmware_rules.xml:vmware)"; content: "Rule: 19105 "; classtype: tcp-connection; program: ossec; sid: 6019105; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMWare messages grouped. (vmware_rules.xml:vmware)"; content: "Rule: 19100 "; classtype: tcp-connection; program: ossec; sid: 6019100; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX authentication success. (vmware_rules.xml:vmware)"; content: "Rule: 19110 "; classtype: not-suspicious; program: ossec; sid: 6019110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX error messages. (vmware_rules.xml:vmware)"; content: "Rule: 19151 "; classtype: exploit-attempt; program: ossec; sid: 6019151; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX user authentication failure. (vmware_rules.xml:vmware)"; content: "Rule: 19113 "; classtype: not-suspicious; program: ossec; sid: 6019113; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX informational message. (vmware_rules.xml:vmware)"; content: "Rule: 19106 "; classtype: tcp-connection; program: ossec; sid: 6019106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX user authentication failures. (vmware_rules.xml:vmware)"; content: "Rule: 19153 "; classtype: exploit-attempt; program: ossec; sid: 6019153; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX user login. (vmware_rules.xml:vmware)"; content: "Rule: 19112 "; classtype: not-suspicious; program: ossec; sid: 6019112; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virtual machine state changed to ON. (vmware_rules.xml:vmware)"; content: "Rule: 19122 "; classtype: not-suspicious; program: ossec; sid: 6019122; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Virtual machine state changed to OFF. (vmware_rules.xml:vmware)"; content: "Rule: 19120 "; classtype: system-event; program: ossec; sid: 6019120; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMWare ESX syslog messages grouped. (vmware_rules.xml:vmware)"; content: "Rule: 19101 "; classtype: tcp-connection; program: ossec; sid: 6019101; rev:1;)
## Rule group: rules_config.xml:web-log ##
# rules_config: OSSEC's generic level-0 templates, disabled here.
# NOTE(review): the patterns "Rule: 04 " and "Rule: 02 " are zero-padded;
# the upstream ids are presumably plain 4 and 2, and an OSSEC alert would
# read "Rule: 4 " / "Rule: 2 ", so these would likely never match even if
# enabled - verify before relying on them.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all web rules. (rules_config.xml:web-log)"; content: "Rule: 04 "; classtype: tcp-connection; program: ossec; sid: 6000004; rev:1;)
## Rule group: syslog_rules.xml:syslog,fts ##
# fts: OSSEC first-time-seen user login.  Disabled at level 4, but it is a
# useful new-account / lateral-movement signal when the log feed is clean.
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time user logged in. (syslog_rules.xml:syslog,fts)"; content: "Rule: 10100 "; classtype: not-suspicious; program: ossec; sid: 6010100; rev:1;)
## Rule group: rules_config.xml:firewall ##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all firewall rules. (rules_config.xml:firewall)"; content: "Rule: 02 "; classtype: tcp-connection; program: ossec; sid: 6000002; rev:1;)
## Rule group: sshd_rules.xml:syslog,sshd ##
# sshd: OSSEC's sshd rules.  The brute-force and "Multiple ..." entries
# (5712, 5720, 5719, 5705, 5703) mirror OSSEC's correlation rules, so the
# counting presumably happens on the OSSEC side and Sagan sees one alert
# per OSSEC alert; the remaining rules are single-event passthroughs.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - SSHD brute force trying to get access to the system. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5712 "; classtype: exploit-attempt; program: ossec; sid: 6005712; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Possible breakin attempt (high number of reverse lookup errors). 
(sshd_rules.xml:syslog,sshd)"; content: "Rule: 5703 "; classtype: exploit-attempt; program: ossec; sid: 6005703; rev:1;)
# sshd (continued).  Authentication success (5715) is disabled at level 3;
# enable it if successful SSH logins must be visible in Sagan.  5707 and
# 5714 are OSSEC's signatures for specific known OpenSSH exploits; level 14
# is the highest in this section, so a hit should be triaged first.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP or attack). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5702 "; classtype: system-event; program: ossec; sid: 6005702; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Corrupted bytes on SSHD. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5713 "; classtype: system-event; program: ossec; sid: 6005713; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - SSHD authentication failed. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5716 "; classtype: system-event; program: ossec; sid: 6005716; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SSHD authentication failures. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5720 "; classtype: exploit-attempt; program: ossec; sid: 6005720; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a non-existent user (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5710 "; classtype: system-event; program: ossec; sid: 6005710; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - SSHD authentication success. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5715 "; classtype: not-suspicious; program: ossec; sid: 6005715; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Timeout while logging in (sshd). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5704 "; classtype: not-suspicious; program: 

ossec; sid: 6005704; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - OpenSSH challenge-response exploit. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5707 "; classtype: exploit-attempt; program: ossec; sid: 6005707; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple access attempts using a denied user. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5719 "; classtype: exploit-attempt; program: ossec; sid: 6005719; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SSH insecure connection attempt (scan). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5706 "; classtype: system-event; program: ossec; sid: 6005706; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Useless SSHD message without an user/ip and context. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5709 "; classtype: tcp-connection; program: ossec; sid: 6005709; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - SSH CRC-32 Compensation attack (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5714 "; classtype: exploit-attempt; program: ossec; sid: 6005714; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Possible attack on the ssh server (or version gathering). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5701 "; classtype: system-event; program: ossec; sid: 6005701; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - SSHD configuration error (moduli). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5717 "; classtype: not-suspicious; program: ossec; sid: 6005717; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Possible scan or breakin attempt (high number of login timeouts). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5705 "; classtype: exploit-attempt; program: ossec; sid: 6005705; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SSHD messages grouped. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5700 "; classtype: tcp-connection; program: ossec; sid: 6005700; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Useless/Duplicated SSHD message without a user/ip. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5711 "; classtype: tcp-connection; program: ossec; sid: 6005711; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a denied user. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5718 "; classtype: system-event; program: ossec; sid: 6005718; rev:1;)
## Rule group: netscreenfw_rules.xml:netscreenfw ##
# netscreenfw: Juniper/NetScreen ScreenOS syslog.  Policy and configuration
# changes (4508, 4509) and the erase sequence (4505) are administrative
# actions worth reconciling against change records.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall policy changed. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4508 "; classtype: system-event; program: ossec; sid: 6004508; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Netscreen warning message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4502 "; classtype: not-suspicious; program: ossec; sid: 6004502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4513 "; classtype: system-event; program: ossec; sid: 6004513; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Netscreen Erase sequence started. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4505 "; classtype: exploit-attempt; program: ossec; sid: 6004505; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Netscreen Firewall rules (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4500 "; classtype: tcp-connection; program: ossec; sid: 6004500; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration changed. 
(netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4509 "; classtype: system-event; program: ossec; sid: 6004509; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen critical messages from same source IP. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4550 "; classtype: exploit-attempt; program: ossec; sid: 6004550; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4503 "; classtype: system-event; program: ossec; sid: 6004503; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen alert messages. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4553 "; classtype: exploit-attempt; program: ossec; sid: 6004553; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Netscreen notification message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4501 "; classtype: not-suspicious; program: ossec; sid: 6004501; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen informational message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4504 "; classtype: system-event; program: ossec; sid: 6004504; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen critical messages. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4551 "; classtype: exploit-attempt; program: ossec; sid: 6004551; rev:1;)
# NOTE(review): 4506 and 4507 carry identical msg text; upstream OSSEC
# distinguishes the two (4507 is presumably the failed-admin-login
# counterpart), so never separate them by msg - use the sid.  Verify against
# netscreenfw_rules.xml before correcting the text, and bump rev if you do.
# "Successfull" is the upstream description verbatim (sic).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Successfull admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4506 "; classtype: system-event; program: ossec; sid: 6004506; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Successfull admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4507 "; classtype: system-event; program: ossec; sid: 6004507; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen alert messages from same source IP. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4552 "; classtype: exploit-attempt; program: ossec; sid: 6004552; rev:1;)
## Rule group: pix_rules.xml:syslog,pix ##
# pix: Cisco PIX/ASA syslog as classified by OSSEC.  Four OSSEC rules
# (4330-4333) share the description "Attack in progress detected by the
# PIX"; they are distinct upstream rules (presumably different PIX message
# ids), so keep all four.  Admin actions (4342 user created/modified,
# 4340/4339 configuration changed/deleted) should be reconciled against
# change records.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4330 "; classtype: system-event; program: ossec; sid: 6004330; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed login attempt at the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4321 "; classtype: system-event; program: ossec; sid: 6004321; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User created or modified on the Firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4342 "; classtype: system-event; program: ossec; sid: 6004342; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - AAA (VPN) authentication successful. (pix_rules.xml:syslog,pix)"; content: "Rule: 4335 "; classtype: not-suspicious; program: ossec; sid: 6004335; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Firewall command executed (for accounting only). 
(pix_rules.xml:syslog,pix)"; content: "Rule: 4341 "; classtype: not-suspicious; program: ossec; sid: 6004341; rev:1;)
# pix (continued).  Successful login (4323) and privilege change (4322) are
# disabled at level 3; enable them where firewall admin access must be
# audited.  "Nultiple" in 4386 is the upstream description verbatim (sic);
# bump rev if the msg is corrected.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX critical messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4381 "; classtype: exploit-attempt; program: ossec; sid: 6004381; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PIX alert message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4310 "; classtype: system-event; program: ossec; sid: 6004310; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration changed. (pix_rules.xml:syslog,pix)"; content: "Rule: 4340 "; classtype: system-event; program: ossec; sid: 6004340; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX alert messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4380 "; classtype: exploit-attempt; program: ossec; sid: 6004380; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Connection limit exceeded. (pix_rules.xml:syslog,pix)"; content: "Rule: 4327 "; classtype: system-event; program: ossec; sid: 6004327; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PIX error message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4312 "; classtype: not-suspicious; program: ossec; sid: 6004312; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attack in progress messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4385 "; classtype: exploit-attempt; program: ossec; sid: 6004385; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX warning messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4383 "; classtype: exploit-attempt; program: ossec; sid: 6004383; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration deleted. (pix_rules.xml:syslog,pix)"; content: "Rule: 4339 "; classtype: system-event; program: ossec; sid: 6004339; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall failover pair communication problem. (pix_rules.xml:syslog,pix)"; content: "Rule: 4338 "; classtype: system-event; program: ossec; sid: 6004338; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - The PIX is disallowing new connections. (pix_rules.xml:syslog,pix)"; content: "Rule: 4337 "; classtype: system-event; program: ossec; sid: 6004337; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4332 "; classtype: system-event; program: ossec; sid: 6004332; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX error messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4382 "; classtype: exploit-attempt; program: ossec; sid: 6004382; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PIX debug message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4315 "; classtype: tcp-connection; program: ossec; sid: 6004315; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Password mismatch while running 'enable' on the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4324 "; classtype: system-event; program: ossec; sid: 6004324; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4331 "; classtype: system-event; program: ossec; sid: 6004331; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PIX notification/informational message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4314 "; classtype: tcp-connection; program: ossec; sid: 6004314; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attempt to connect from a blocked (shunned) IP. (pix_rules.xml:syslog,pix)"; content: "Rule: 4326 "; classtype: system-event; program: ossec; sid: 6004326; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - AAA (VPN) user locked out. (pix_rules.xml:syslog,pix)"; content: "Rule: 4336 "; classtype: system-event; program: ossec; sid: 6004336; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PIX warning message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4313 "; classtype: not-suspicious; program: ossec; sid: 6004313; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4333 "; classtype: system-event; program: ossec; sid: 6004333; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful login to the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4323 "; classtype: not-suspicious; program: ossec; sid: 6004323; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Nultiple AAA (VPN) authentication failures. (pix_rules.xml:syslog,pix)"; content: "Rule: 4386 "; classtype: exploit-attempt; program: ossec; sid: 6004386; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Privilege changed in the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4322 "; classtype: not-suspicious; program: ossec; sid: 6004322; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - AAA (VPN) authentication failed. 
(pix_rules.xml:syslog,pix)"; content: "Rule: 4334 "; classtype: system-event; program: ossec; sid: 6004334; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of PIX rules (pix_rules.xml:syslog,pix)"; content: "Rule: 4300 "; classtype: tcp-connection; program: ossec; sid: 6004300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - ARP collision detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4325 "; classtype: system-event; program: ossec; sid: 6004325; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PIX critical message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4311 "; classtype: system-event; program: ossec; sid: 6004311; rev:1;) ## Rule group: syslog_rules.xml:syslog,mail ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring procmail messages. (syslog_rules.xml:syslog,mail)"; content: "Rule: 2701 "; classtype: tcp-connection; program: ossec; sid: 6002701; rev:1;) ## Rule group: syslog_rules.xml:syslog,xinetd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Excessive number connections to a service. (syslog_rules.xml:syslog,xinetd)"; content: "Rule: 2301 "; classtype: exploit-attempt; program: ossec; sid: 6002301; rev:1;) ## Rule group: syslog_rules.xml:syslog,access_control ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Connection to rshd from unprivileged port. Possible network scan. (syslog_rules.xml:syslog,access_control)"; content: "Rule: 2551 "; classtype: exploit-attempt; program: ossec; sid: 6002551; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - rshd messages grouped. 
(syslog_rules.xml:syslog,access_control)"; content: "Rule: 2550 "; classtype: tcp-connection; program: ossec; sid: 6002550; rev:1;) ## Rule group: syslog_rules.xml:syslog,dpkg ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Dpkg (Debian Package) log. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2900 "; classtype: tcp-connection; program: ossec; sid: 6002900; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New dpkg (Debian Package) requested to install. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2901 "; classtype: not-suspicious; program: ossec; sid: 6002901; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Dpkg (Debian Package) removed. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2903 "; classtype: system-event; program: ossec; sid: 6002903; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - New dpkg (Debian Package) installed. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2902 "; classtype: system-event; program: ossec; sid: 6002902; rev:1;) ## Rule group: sonicwall_rules.xml:syslog,sonicwall ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple firewall error messages. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4851 "; classtype: exploit-attempt; program: ossec; sid: 6004851; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Firewall authentication failure. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4811 "; classtype: system-event; program: ossec; sid: 6004811; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall messages grouped. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4800 "; classtype: tcp-connection; program: ossec; sid: 6004800; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall notice message. 
(sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4805 "; classtype: tcp-connection; program: ossec; sid: 6004805; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall informational message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4806 "; classtype: tcp-connection; program: ossec; sid: 6004806; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Firewall administrator login. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4810 "; classtype: not-suspicious; program: ossec; sid: 6004810; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4802 "; classtype: system-event; program: ossec; sid: 6004802; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple firewall warning messages. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4850 "; classtype: exploit-attempt; program: ossec; sid: 6004850; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - SonicWall error message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4803 "; classtype: not-suspicious; program: ossec; sid: 6004803; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - SonicWall warning message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4804 "; classtype: not-suspicious; program: ossec; sid: 6004804; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4801 "; classtype: system-event; program: ossec; sid: 6004801; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall debug message. 
(sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4807 "; classtype: tcp-connection; program: ossec; sid: 6004807; rev:1;) ## Rule group: syslog_rules.xml:syslog,cron ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Crontab entry changed. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2832 "; classtype: system-event; program: ossec; sid: 6002832; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Root's crontab entry changed. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2833 "; classtype: system-event; program: ossec; sid: 6002833; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Crontab rule group. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2830 "; classtype: tcp-connection; program: ossec; sid: 6002830; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Crontab opened for editing. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2834 "; classtype: system-event; program: ossec; sid: 6002834; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Wrong crond configuration (syslog_rules.xml:syslog,cron)"; content: "Rule: 2831 "; classtype: tcp-connection; program: ossec; sid: 6002831; rev:1;) ## Rule group: squid_rules.xml:squid ## #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Squid generic error codes. (squid_rules.xml:squid)"; content: "Rule: 35002 "; classtype: not-suspicious; program: ossec; sid: 6035002; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to access a worm/trojan related site. (squid_rules.xml:squid)"; content: "Rule: 35022 "; classtype: system-event; program: ossec; sid: 6035022; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring multiple attempts from same source ip (alert only once). 
(squid_rules.xml:squid)"; content: "Rule: 35095 "; classtype: tcp-connection; program: ossec; sid: 6035095; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple unauthorized attempts to use proxy. (squid_rules.xml:squid)"; content: "Rule: 35052 "; classtype: exploit-attempt; program: ossec; sid: 6035052; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to access a Beagle worm (or variant) file. (squid_rules.xml:squid)"; content: "Rule: 35021 "; classtype: system-event; program: ossec; sid: 6035021; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Bad request/Invalid syntax. (squid_rules.xml:squid)"; content: "Rule: 35003 "; classtype: system-event; program: ossec; sid: 6035003; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Forbidden: Attempt to access forbidden file or directory. (squid_rules.xml:squid)"; content: "Rule: 35005 "; classtype: system-event; program: ossec; sid: 6035005; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Not Found: Attempt to access non-existent file or directory. (squid_rules.xml:squid)"; content: "Rule: 35006 "; classtype: system-event; program: ossec; sid: 6035006; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored files on a 40x error. (squid_rules.xml:squid)"; content: "Rule: 35023 "; classtype: tcp-connection; program: ossec; sid: 6035023; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Squid 503 error code (server unavailable). (squid_rules.xml:squid)"; content: "Rule: 35010 "; classtype: not-suspicious; program: ossec; sid: 6035010; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to access forbidden file or directory from same source ip. 
(squid_rules.xml:squid)"; content: "Rule: 35051 "; classtype: exploit-attempt; program: ossec; sid: 6035051; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Squid 500/600 error code (server error). (squid_rules.xml:squid)"; content: "Rule: 35009 "; classtype: system-event; program: ossec; sid: 6035009; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple 500/600 error codes (server error). (squid_rules.xml:squid)"; content: "Rule: 35058 "; classtype: exploit-attempt; program: ossec; sid: 6035058; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Squid 400 error code (request failed). (squid_rules.xml:squid)"; content: "Rule: 35008 "; classtype: system-event; program: ossec; sid: 6035008; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Bad requests/Invalid syntax. (squid_rules.xml:squid)"; content: "Rule: 35053 "; classtype: exploit-attempt; program: ossec; sid: 6035053; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid messages grouped. (squid_rules.xml:squid)"; content: "Rule: 35000 "; classtype: tcp-connection; program: ossec; sid: 6035000; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Proxy Authentication Required: User is not authorized to use proxy. (squid_rules.xml:squid)"; content: "Rule: 35007 "; classtype: system-event; program: ossec; sid: 6035007; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple attempts to access a worm/trojan/virus related web site. System probably infected. (squid_rules.xml:squid)"; content: "Rule: 35056 "; classtype: exploit-attempt; program: ossec; sid: 6035056; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple 400 error codes (requests failed). 
(squid_rules.xml:squid)"; content: "Rule: 35057 "; classtype: exploit-attempt; program: ossec; sid: 6035057; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Unauthorized: Failed attempt to access authorization-required file or directory. (squid_rules.xml:squid)"; content: "Rule: 35004 "; classtype: system-event; program: ossec; sid: 6035004; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Infected machine with W32.Beagle.DP. (squid_rules.xml:squid)"; content: "Rule: 35054 "; classtype: exploit-attempt; program: ossec; sid: 6035054; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to access a non-existent file. (squid_rules.xml:squid)"; content: "Rule: 35055 "; classtype: exploit-attempt; program: ossec; sid: 6035055; rev:1;) ## Rule group: vsftpd_rules.xml:syslog,vsftpd ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11451 "; classtype: exploit-attempt; program: ossec; sid: 6011451; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP connection attempts from same source IP. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11452 "; classtype: exploit-attempt; program: ossec; sid: 6011452; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the FTP server. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11403 "; classtype: system-event; program: ossec; sid: 6011403; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP session opened. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11401 "; classtype: not-suspicious; program: ossec; sid: 6011401; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP server file upload. 
(vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11404 "; classtype: tcp-connection; program: ossec; sid: 6011404; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11402 "; classtype: not-suspicious; program: ossec; sid: 6011402; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vsftpd rules. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11400 "; classtype: tcp-connection; program: ossec; sid: 6011400; rev:1;) ## Rule group: vmpop3d_rules.xml:syslog,vm-pop3d ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - POP3 brute force (multiple failed logins). (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9820 "; classtype: exploit-attempt; program: ossec; sid: 6009820; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vm-pop3d rules. (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9800 "; classtype: tcp-connection; program: ossec; sid: 6009800; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the pop3 server. (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9801 "; classtype: system-event; program: ossec; sid: 6009801; rev:1;) ## Rule group: zeus_rules.xml:zeus ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Zeus fatal log. (zeus_rules.xml:zeus)"; content: "Rule: 31204 "; classtype: exploit-attempt; program: ossec; sid: 6031204; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Zeus serious log. (zeus_rules.xml:zeus)"; content: "Rule: 31203 "; classtype: system-event; program: ossec; sid: 6031203; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Zeus rules. 
(zeus_rules.xml:zeus)"; content: "Rule: 31200 "; classtype: tcp-connection; program: ossec; sid: 6031200; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Zeus informational logs. (zeus_rules.xml:zeus)"; content: "Rule: 31201 "; classtype: tcp-connection; program: ossec; sid: 6031201; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Zeus warning log. (zeus_rules.xml:zeus)"; content: "Rule: 31202 "; classtype: not-suspicious; program: ossec; sid: 6031202; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Zeus warnings. (zeus_rules.xml:zeus)"; content: "Rule: 31251 "; classtype: exploit-attempt; program: ossec; sid: 6031251; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Configuration warning (ignored). (zeus_rules.xml:zeus)"; content: "Rule: 31206 "; classtype: tcp-connection; program: ossec; sid: 6031206; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Admin authentication failed. (zeus_rules.xml:zeus)"; content: "Rule: 31205 "; classtype: system-event; program: ossec; sid: 6031205; rev:1;) ## Rule group: pure-ftpd_rules.xml:syslog,pure-ftpd ## #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11309 "; classtype: not-suspicious; program: ossec; sid: 6011309; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP user logout/timeout (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11303 "; classtype: tcp-connection; program: ossec; sid: 6011303; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the pure-ftpd rules. 
(pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11300 "; classtype: tcp-connection; program: ossec; sid: 6011300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access invalid directory (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11305 "; classtype: system-event; program: ossec; sid: 6011305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP notice messages (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11304 "; classtype: tcp-connection; program: ossec; sid: 6011304; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New FTP connection. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11301 "; classtype: not-suspicious; program: ossec; sid: 6011301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP Authentication failed. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11302 "; classtype: system-event; program: ossec; sid: 6011302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11306 "; classtype: exploit-attempt; program: ossec; sid: 6011306; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11307 "; classtype: exploit-attempt; program: ossec; sid: 6011307; rev:1;) ## Rule group: smbd_rules.xml:syslog,smbd ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Samba network problems. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13101 "; classtype: tcp-connection; program: ossec; sid: 6013101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Samba network problems. 
(smbd_rules.xml:syslog,smbd)"; content: "Rule: 13103 "; classtype: tcp-connection; program: ossec; sid: 6013103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User action denied by configuration. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13104 "; classtype: system-event; program: ossec; sid: 6013104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Samba connection denied. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13102 "; classtype: system-event; program: ossec; sid: 6013102; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the smbd rules. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13100 "; classtype: tcp-connection; program: ossec; sid: 6013100; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Samba network problems (unable to connect). (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13105 "; classtype: not-suspicious; program: ossec; sid: 6013105; rev:1;) ## Rule group: syslog_rules.xml:syslog,errors ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - File system full. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1007 "; classtype: system-event; program: ossec; sid: 6001007; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Unknown problem somewhere in the system. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1002 "; classtype: not-suspicious; program: ossec; sid: 6001002; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - File missing. Root access unrestricted. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1001 "; classtype: not-suspicious; program: ossec; sid: 6001001; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd restarted. 
(syslog_rules.xml:syslog,errors)"; content: "Rule: 1005 "; classtype: system-event; program: ossec; sid: 6001005; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd exiting (logging stopped). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1004 "; classtype: system-event; program: ossec; sid: 6001004; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1006 "; classtype: system-event; program: ossec; sid: 6001006; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - Non standard syslog message (size too large). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1003 "; classtype: exploit-attempt; program: ossec; sid: 6001003; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Process exiting (killed). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1008 "; classtype: system-event; program: ossec; sid: 6001008; rev:1;) ## Rule group: syslog_rules.xml:syslog,sudo ## #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time user executed sudo. 
(syslog_rules.xml:syslog,sudo)"; content: "Rule: 5403 "; classtype: not-suspicious; program: ossec; sid: 6005403; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial group for sudo messages (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5400 "; classtype: tcp-connection; program: ossec; sid: 6005400; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Three failed attempts to run sudo (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5401 "; classtype: exploit-attempt; program: ossec; sid: 6005401; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful sudo to ROOT executed (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5402 "; classtype: not-suspicious; program: ossec; sid: 6005402; rev:1;) ## Rule group: vpopmail_rules.xml:syslog,vpopmail ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Vpopmail brute force (multiple failed logins). (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9951 "; classtype: exploit-attempt; program: ossec; sid: 6009951; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login to vpopmail with invalid username. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9902 "; classtype: system-event; program: ossec; sid: 6009902; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login to vpopmail with empty password. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9903 "; classtype: system-event; program: ossec; sid: 6009903; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vpopmail rules. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9900 "; classtype: tcp-connection; program: ossec; sid: 6009900; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - VPOPMAIL brute force (empty password). 
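(vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9953 "; classtype: exploit-attempt; program: ossec; sid: 6009953; rev:1;)
#(Level 1) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 1 - Vpopmail successful login. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9904 "; classtype: not-suspicious; program: ossec; sid: 6009904; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed for vpopmail. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9901 "; classtype: system-event; program: ossec; sid: 6009901; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Vpopmail brute force (email harvesting). (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9952 "; classtype: exploit-attempt; program: ossec; sid: 6009952; rev:1;)

## Rule group: mcafee_av_rules.xml:mcafee ##

# The content match was "Rule: 07512 " (zero-padded, presumably copied from the
# upstream rule id). OSSEC writes the rule id as a plain integer in its alert
# text, and every other rule in this group matches the un-padded form, so the
# padded pattern could never fire and this signature was effectively dead.
# Matched on "Rule: 7512 " to agree with the rest of the group; rev bumped.
# NOTE(review): confirm against an alerts.log sample from your OSSEC version.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update failed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7512 "; classtype: system-event; program: ossec; sid: 6007512; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus detected and file will be deleted. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7506 "; classtype: system-event; program: ossec; sid: 6007506; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Scan completed with no viruses found. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7508 "; classtype: not-suspicious; program: ossec; sid: 6007508; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple McAfee AV warning events. 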
(mcafee_av_rules.xml:mcafee)"; content: "Rule: 7550 "; classtype: exploit-attempt; program: ossec; sid: 6007550; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update cancelled. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7513 "; classtype: system-event; program: ossec; sid: 6007513; rev:1;) #(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - McAfee Windows AV informational event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7501 "; classtype: not-suspicious; program: ossec; sid: 6007501; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - McAfee Windows AV - Virus detected and not removed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7504 "; classtype: exploit-attempt; program: ossec; sid: 6007504; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV warning event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7502 "; classtype: not-suspicious; program: ossec; sid: 6007502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus scan cancelled. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7509 "; classtype: system-event; program: ossec; sid: 6007509; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - McAfee Windows AV - EICAR test file detected. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7514 "; classtype: system-event; program: ossec; sid: 6007514; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - McAfee Windows AV error event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7503 "; classtype: not-suspicious; program: ossec; sid: 6007503; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Scan started or stopped. 
(mcafee_av_rules.xml:mcafee)"; content: "Rule: 7507 "; classtype: not-suspicious; program: ossec; sid: 6007507; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of McAfee Windows AV rules. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7500 "; classtype: tcp-connection; program: ossec; sid: 6007500; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Virus program or DAT update succeeded. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7511 "; classtype: not-suspicious; program: ossec; sid: 6007511; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus detected and properly removed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7505 "; classtype: system-event; program: ossec; sid: 6007505; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - McAfee Windows AV - Virus scan cancelled due to shutdown. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7510 "; classtype: system-event; program: ossec; sid: 6007510; rev:1;) ## Rule group: firewall_rules.xml:firewall ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Firewall drop events from same source. (firewall_rules.xml:firewall)"; content: "Rule: 4151 "; classtype: exploit-attempt; program: ossec; sid: 6004151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Firewall drop event. (firewall_rules.xml:firewall)"; content: "Rule: 4101 "; classtype: system-event; program: ossec; sid: 6004101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Firewall rules grouped. 
(firewall_rules.xml:firewall)"; content: "Rule: 4100 "; classtype: tcp-connection; program: ossec; sid: 6004100; rev:1;) ## Rule group: hordeimp_rules.xml:syslog,hordeimp ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Horde emergency messages. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9352 "; classtype: exploit-attempt; program: ossec; sid: 6009352; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Horde IMP successful login. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9305 "; classtype: not-suspicious; program: ossec; sid: 6009305; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Horde imp rules. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9300 "; classtype: tcp-connection; program: ossec; sid: 6009300; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Horde IMP emergency message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9304 "; classtype: system-event; program: ossec; sid: 6009304; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Horde IMP informational message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9301 "; classtype: tcp-connection; program: ossec; sid: 6009301; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Horde IMP Failed login. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9306 "; classtype: system-event; program: ossec; sid: 6009306; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Horde IMP notice message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9302 "; classtype: not-suspicious; program: ossec; sid: 6009302; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Horde IMP error message. 
(hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9303 "; classtype: system-event; program: ossec; sid: 6009303; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Horde brute force (multiple failed logins). (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9351 "; classtype: exploit-attempt; program: ossec; sid: 6009351; rev:1;) ## Rule group: rules_config.xml:syslog ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all syslog rules. (rules_config.xml:syslog)"; content: "Rule: 01 "; classtype: tcp-connection; program: ossec; sid: 6000001; rev:1;) ## Rule group: pam_rules.xml:pam,syslog ## #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the pam_unix rules. (pam_rules.xml:pam,syslog)"; content: "Rule: 5500 "; classtype: tcp-connection; program: ossec; sid: 6005500; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring Annoying Ubuntu/debian cron login events. (pam_rules.xml:pam,syslog)"; content: "Rule: 5521 "; classtype: tcp-connection; program: ossec; sid: 6005521; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User login failed. (pam_rules.xml:pam,syslog)"; content: "Rule: 5503 "; classtype: system-event; program: ossec; sid: 6005503; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring Annoying Ubuntu/debian cron login events. (pam_rules.xml:pam,syslog)"; content: "Rule: 5522 "; classtype: tcp-connection; program: ossec; sid: 6005522; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login with an invalid user. (pam_rules.xml:pam,syslog)"; content: "Rule: 5504 "; classtype: system-event; program: ossec; sid: 6005504; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins in a small period of time. 
(pam_rules.xml:pam,syslog)"; content: "Rule: 5551 "; classtype: exploit-attempt; program: ossec; sid: 6005551; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session opened. (pam_rules.xml:pam,syslog)"; content: "Rule: 5501 "; classtype: not-suspicious; program: ossec; sid: 6005501; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session closed. (pam_rules.xml:pam,syslog)"; content: "Rule: 5502 "; classtype: not-suspicious; program: ossec; sid: 6005502; rev:1;) ## Rule group: ms-se_rules.xml:windows,mse ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Microsoft Security Essentials - Virus detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7712 "; classtype: system-event; program: ossec; sid: 6007712; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Microsoft Security Essentials - Virus detected and properly removed. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7711 "; classtype: system-event; program: ossec; sid: 6007711; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Microsoft Security Essentials - Configuration changed. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7720 "; classtype: not-suspicious; program: ossec; sid: 6007720; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Microsoft Security Essentials - Virus detected, but unable to remove. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7710 "; classtype: exploit-attempt; program: ossec; sid: 6007710; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Microsoft Security Essentials rules. 
(ms-se_rules.xml:windows,mse)"; content: "Rule: 7701 "; classtype: tcp-connection; program: ossec; sid: 6007701; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Microsoft Security Essentials - EICAR test file detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7731 "; classtype: system-event; program: ossec; sid: 6007731; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7750 "; classtype: exploit-attempt; program: ossec; sid: 6007750; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7751 "; classtype: exploit-attempt; program: ossec; sid: 6007751; rev:1;) ## Rule group: cimserver_rules.xml:syslog,cimserver ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Compaq Insight Manager stopped. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9611 "; classtype: exploit-attempt; program: ossec; sid: 6009611; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - cimserver messages grouped. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9600 "; classtype: tcp-connection; program: ossec; sid: 6009600; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Compaq Insight Manager authentication failure. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9610 "; classtype: system-event; program: ossec; sid: 6009610; rev:1;) ## Rule group: sendmail_rules.xml:syslog,sendmail ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attepmt to use mail server as relay (550: Requested action not taken). 
(sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3104 "; classtype: system-event; program: ossec; sid: 6003104; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple relaying attempts of spam. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3153 "; classtype: system-event; program: ossec; sid: 6003153; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Rejected by access list (55x: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3103 "; classtype: system-event; program: ossec; sid: 6003103; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain does not have any valid MX record (Requested action aborted). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3102 "; classtype: system-event; program: ossec; sid: 6003102; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple pre-greetings rejects. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3158 "; classtype: exploit-attempt; program: ossec; sid: 6003158; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Sendmail save mail panic. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3109 "; classtype: system-event; program: ossec; sid: 6003109; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts to send e-mail from a previously rejected sender (access). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3152 "; classtype: system-event; program: ossec; sid: 6003152; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain is not found (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3105 "; classtype: system-event; program: ossec; sid: 6003105; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Sender domain has bogus MX record. 
It should not be sending e-mail. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3151 "; classtype: exploit-attempt; program: ossec; sid: 6003151; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Sendmail rejected due to pre-greeting. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3108 "; classtype: system-event; program: ossec; sid: 6003108; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender address does not have domain (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3106 "; classtype: system-event; program: ossec; sid: 6003106; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3154 "; classtype: exploit-attempt; program: ossec; sid: 6003154; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the smf-sav sendmail milter rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3190 "; classtype: tcp-connection; program: ossec; sid: 6003190; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SMF-SAV sendmail milter unable to verify address (REJECTED). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3191 "; classtype: system-event; program: ossec; sid: 6003191; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3155 "; classtype: exploit-attempt; program: ossec; sid: 6003155; rev:1;) #(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Sendmail rejected message. 
(sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3107 "; classtype: not-suspicious; program: ossec; sid: 6003107; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the sendmail reject rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3101 "; classtype: tcp-connection; program: ossec; sid: 6003101; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the sendmail rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3100 "; classtype: tcp-connection; program: ossec; sid: 6003100; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple rejected e-mails from same source ip. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3156 "; classtype: exploit-attempt; program: ossec; sid: 6003156; rev:1;) ## Rule group: wordpress_rules.xml:syslog,wordpress ## alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Wordpress Comment Flood Attempt. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9505 "; classtype: system-event; program: ossec; sid: 6009505; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Wordpress authentication failed. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9501 "; classtype: system-event; program: ossec; sid: 6009501; rev:1;) #(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Wordpress messages grouped. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9500 "; classtype: tcp-connection; program: ossec; sid: 6009500; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Wordpress authentication succeeded. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9502 "; classtype: not-suspicious; program: ossec; sid: 6009502; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Attack against Wordpress detected. 
(wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9510 "; classtype: system-event; program: ossec; sid: 6009510; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - WPsyslog was successfully initialized. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9503 "; classtype: not-suspicious; program: ossec; sid: 6009503; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple wordpress authentication failures. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9551 "; classtype: exploit-attempt; program: ossec; sid: 6009551; rev:1;) #(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Wordpress plugin deactivated. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9504 "; classtype: not-suspicious; program: ossec; sid: 6009504; rev:1;) rules/fortinet-aetas.rules0000664000175000017500000000622412612177151015164 0ustar champchamp# Sagan fortinet-aetas.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# "Aetas" (time-of-day) rules. Every rule below carries
# "alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS", so it only fires when the
# event lands inside that window; the window is what makes an otherwise normal
# login "suspicious". $SAGAN_DAYS / $SAGAN_HOURS are presumably defined in
# sagan.conf — confirm they are set, otherwise the rules never alert.
# parse_src_ip: 1 (and parse_dst_ip: 2) pull the source (destination) address
# from the 1st (2nd) IP address found in the log line.
#
# Log lines containing "32006 type=" and "login", where the outcome reads
# "accepted" or "successfully" (pcre covers both wordings).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Login accepted at suspicious time"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002043; sid: 5002043; rev:2;)
# Log lines containing "32001 type=" and "logged in" (administrator session).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Administrator Login at suspicious time"; content: "32001 type="; content: "logged in"; parse_src_ip: 1; classtype: successful-admin; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002044; sid: 5002044; rev:2;)
# Log lines containing "38001 type=" and "succeeded in authentication".
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Admin authentication access at suspicious time"; content: "38001 type="; content: "succeeded in authentication"; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002045; sid: 5002045; rev:2;)
# Any line carrying " service=SSH " (not only logins) — broader than the three
# rules above, hence the weaker suspicious-traffic classtype; dst taken from the
# 2nd IP in the line.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] SSH traffic detected at suspicious time"; content: " service=SSH "; classtype: suspicious-traffic; parse_src_ip: 1; parse_dst_ip: 2; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; reference: url,wiki.quadrantsec.com/bin/view/Main/5002046; sid: 5002046; rev:3;)
rules/proftpd-geoip.rules0000664000175000017500000000410012612177151015005 0ustar champchamp# Sagan proftpd-geoip.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Successful proftpd login ("Login successful", program: proftpd) whose source
# country is not $HOME_COUNTRY. The source address is the 3rd IP address in the
# log line (parse_src_ip: 3), and country_code resolves that address via GeoIP.
# Depends on GeoIP lookups being available and on $HOME_COUNTRY being defined —
# confirm both in sagan.conf; without them the rule cannot match.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[PROFTPD-GEOIP] Authentication success from outside HOME_COUNTRY"; content: "Login successful"; country_code: track by_src, isnot $HOME_COUNTRY; parse_src_ip: 3; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5001870; sid: 5001870; rev:4;)
rules/cisco-malware.rules0000664000175000017500000002172012612177151014763 0ustar champchamp# Sagan cisco-malware.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
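#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Added by Champ Clark -
# These rules trigger if you are dropping (denying) traffic to zeroaccess already.
#
# Three families of rules, one per log source, all covering the same ZeroAccess
# peer ports (UDP 16464/16465/16470/16471, and the older TCP 13620):
#   * ASA/PIX "106023" deny messages   -> "[denied]"  rules (sid 5001724-5001727, 5001790)
#   * ASA/PIX "302015"/"302013" builds -> "[allowed]" rules (sid 5001858-5001862)
#   * IOS ACL logging %SEC-6-IPACCESSLOGP -> "ACE" rules   (sid 5001965-5001969)
# Every rule uses the same rate controls: "after: track by_src, count 5, seconds 300"
# so a single hit stays quiet until the same source produces 5 matches within 300 s,
# and "threshold: type limit ... count 5, seconds 300" so it then alerts at most 5
# times per source per 300 s (the "[5/5]" in each msg). Source/destination addresses
# and the port come from the log text (parse_src_ip: 1, parse_dst_ip: 2, parse_port),
# not from the rule header, so the header port/proto is mainly a label — it still
# must agree with the content the rule matches, which is what the corrections
# below restore.

# Inside host (src) sending to an outside ZeroAccess port, denied by the ASA/PIX
# access-group. "program:" accepts either the ASA or the PIX message id.
alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16464 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001724; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001724; rev: 6;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16465 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001725; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001725; rev: 6;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16470 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001726; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001726; rev: 6;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/16471 by access-group"; content: "Deny udp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001727; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001727; rev: 6;)

# Older TCP port 13620 (pre-Q2 2012)
alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[CISCO-MALWARE] ZeroAccess pre-2012 TCP port 13620 detected [denied] [5/5]"; program: %ASA-4-106023|%PIX-4-106023; content: "/13620 by access-group"; content: "Deny tcp src inside"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001790; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001790; rev: 7;)

# Same ports, but the connection was permitted ("outbound UDP" connection-built
# messages), i.e. the firewall is not blocking ZeroAccess yet.
alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16464 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16464 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001858; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001858; rev: 3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16465 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16465 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001859; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001859; rev: 3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16470 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16470 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001860; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001860; rev: 3;)
# Fix: this rule previously matched content "/16470 " (a copy of the rule above),
# so port 16471 allowed traffic was never detected and 16470 fired twice.
# Content now matches the port named in msg; rev bumped.
alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[CISCO-MALWARE] ZeroAccess UDP port 16471 detected [allowed] [5/5]"; program: %ASA-6-302015|%PIX-6-302015; content: "/16471 "; content: "outbound UDP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001861; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001861; rev: 4;)

# Older TCP port 13620 (pre-Q2 2012)
alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[CISCO-MALWARE] ZeroAccess TCP port 13620 detected [allowed] [5/5]"; program: %ASA-6-302013|%PIX-6-302013; content: "/13620 "; content: "outbound TCP"; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001862; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001862; rev: 3;)

# IOS ACL logging (%SEC-6-IPACCESSLOGP). The port appears as "addr(port)" in
# these messages, so the content "|28|16464|29|" is the byte form of "(16464)".
# Sample line:
# 10.20.1.7|local7|info|info|be|2014-02-19|20:25:11|344306| Feb 19 15:25:11.570: %SEC-6-IPACCESSLOGP: list control_outbound denied tcp 10.3.2.3(4343) -> 10.99.0.7(50122), 2 packets
alert udp $HOME_NET any -> $EXTERNAL_NET 16464 (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16464 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16464|29|"; content: " udp "; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001965; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001965; rev: 3;)
# Fix (sid 5001966-5001969): the header port was left at 16464 on all four
# copies; it now matches the port in content/msg, as the ASA/PIX rules above do.
alert udp $HOME_NET any -> $EXTERNAL_NET 16465 (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16465 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16465|29|"; content: " udp "; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001966; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001966; rev: 4;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16470 (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16470 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16470|29|"; content: " udp "; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001967; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001967; rev: 4;)
alert udp $HOME_NET any -> $EXTERNAL_NET 16471 (msg: "[CISCO-MALWARE] ACE ZeroAccess UDP port 16471 detected [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|16471|29|"; content: " udp "; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001968; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001968; rev: 4;)
# Fix: this rule matches " tcp " / "(13620)" but was declared "alert udp ... 16464";
# header now says tcp 13620 like the other two 13620 rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET 13620 (msg: "[CISCO-MALWARE] ACE ZeroAccess pre-2012 TCP port 13620 [5/5]"; content: "%SEC-6-IPACCESSLOGP:"; content: "|28|13620|29|"; content: " tcp "; classtype: trojan-activity; reference: url, wiki.quadrantsec.com/bin/view/Main/5001969; parse_src_ip: 1; parse_dst_ip: 2; parse_port; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 5, seconds 300; sid: 5001969; rev: 4;)
rules/huawei.rules0000664000175000017500000004134612612177151013525 0ustar champchamp# Sagan huawei.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.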
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # Huawei router rules. Create by Robert Nunley (rnunley@quadrantsec.com) # 08/06/2012 alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ARP_DUPLICATE_IPADDR"; content: "ARP/4/ARP_DUPLICATE_IPADDR"; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001533; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 68 (msg:"[HUAWEI] DHCPC_LOG_NAK"; content: "DHCPC/4/DHCPC_LOG_NAK"; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001534; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 68 (msg:"[HUAWEI] DHCPC_LOG_REQIP_SUCCESS"; content: "DHCPC/4/DHCPC_LOG_REQIP_SUCCESS"; content: "has acquired ip address successfully"; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001535; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET 68 (msg:"[HUAWEI] DHCPC_LOG_REQIP_SUCCESS"; content: "DHCPC/4/DHCPC_LOG_REQIP_SUCCESS"; content: "vlan"; content: "has acquired ip address successfully"; classtype: suspicious-traffic; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001536; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] FTPS - USERIN Login successful"; content: "FTPS/4/USERIN"; content: "login succeeded"; classtype: successful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001537; rev:2) 
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] FTPS - USERIN Login failed"; content: "FTPS/4/USERIN"; content: "login failed"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001538; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] FTPS - USEROUT Logout"; content: "FTPS/4/USEROUT"; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001539; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] FTPS - RECVDATA"; content: "FTPS/5/RECVDATA"; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001540; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] FTPS - REQUEST"; content: "FTPS/5/REQUEST"; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001541; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] FTPS - SENDDATA"; content: "FTPS/5/SENDDATA"; classtype: not-suspicious; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001542; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[HUAWEI] HTTPD - FAIL"; content: "HTTPD/4/FAIL"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001543; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[HUAWEI] HTTPD - OUT"; content: "HTTPD/4/OUT"; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001544; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg:"[HUAWEI] HTTPD - PASS"; content: "HTTPD/4/PASS"; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001545; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - IP spoof attack"; content: "SEC/4/ATCKDF"; content: "IP spoof attack"; classtype: misc-attack; reference: url, 
huaweisymantec.com/en/download.do?id=658891; sid: 5001546; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Fraggle attack"; content: "SEC/4/ATCKDF"; content: "fraggle attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001547; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Smurf attack"; content: "SEC/4/ATCKDF"; content: "Smurf attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001548; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Land attack"; content: "SEC/4/ATCKDF"; content: "land attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001549; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Time stamp attack"; content: "SEC/4/ATCKDF"; content: "Time stamp attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001550; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip options attack"; content: "SEC/4/ATCKDF"; content: "Ip options attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001551; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip option source route attack"; content: "SEC/4/ATCKDF"; content: "Ip option source route attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001552; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - ICMP flood attack"; content: "SEC/4/ATCKDF"; content: "ICMP flood attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001553; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Redirect attack"; content: "SEC/4/ATCKDF"; content: "Redirect attack"; classtype: misc-attack; 
reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001554; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - TCP flood attack"; content: "SEC/4/ATCKDF"; content: "TCP flood attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001555; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"[HUAWEI] ATCKDF - Winnuke attack"; content: "SEC/4/ATCKDF"; content: "Winnuke attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001556; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ping of death attack"; content: "SEC/4/ATCKDF"; content: "Ping of death attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001557; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Tear drop attack"; content: "SEC/4/ATCKDF"; content: "Tear drop attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001558; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Trace route attack"; content: "SEC/4/ATCKDF"; content: "Trace route attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001559; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Ip options route record attack"; content: "SEC/4/ATCKDF"; content: "Ip options route record attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001560; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Port scan attack"; content: "SEC/4/ATCKDF"; content: "Port scan attack"; classtype: network-scan; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001561; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Unreachable attack"; content: "SEC/4/ATCKDF"; content: 
"Unreachable attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001562; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - UDP flood attack"; content: "SEC/4/ATCKDF"; content: "Udp flood attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001563; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Syn flood attack"; content: "SEC/4/ATCKDF"; content: "Syn flood attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001564; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Other-protocol attack"; content: "SEC/4/ATCKDF"; content: "other-protocol attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001565; rev:1;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Large ICMP attack"; content: "SEC/4/ATCKDF"; content: "Large ICMP attack"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001566; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - IP Fragment attack"; content: "SEC/4/ATCKDF"; content: "IP Fragment attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001567; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"[HUAWEI] ATCKDF - Ftp Bounce attack"; content: "SEC/4/ATCKDF"; content: "Ftp Bounce attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001568; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - Too much Half Con of SYN Flood"; content: "SEC/4/ATCKDF"; content: "Too much Half Con of SYN Flood"; classtype: attempted-dos; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001569; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] ATCKDF - 
Tcp flag attack"; content: "SEC/4/ATCKDF"; content: "Tcp flag attack"; classtype: misc-attack; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001570; rev:1;) #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BIND - VPN bound IP address"; content: "SEC/4/BIND"; content: "vpn:"; content: "is binded to Ip Address"; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001571; rev:1;) #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BIND - VPN unbound IP address"; content: "SEC/4/BIND"; content: "vpn:"; content: "is unbinded to Ip Address"; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001572; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - VPN added to blacklist"; content: "SEC/4/BLACKLIST"; content: "is added to blacklist"; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001573; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - VPN removed from blacklist"; content: "SEC/4/BLACKLIST"; content: "is removed from blacklist"; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001574; rev:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] BLACKLIST - Blacklist cleared"; content: "SEC/4/BLACKLIST"; content: "Clear All blacklist"; classtype: configuration-change; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001575; rev:1;) #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] SESSION"; content: "SEC/4/SESSION"; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001576; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"[HUAWEI] SHELL - LOGIN"; content: "SHELL/4/LOGIN "; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001577; rev:1;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET 514 (msg:"[HUAWEI] SHELL - LOGIN_FAIL"; content: "SHELL/4/LOGIN_FAIL"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001578; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"[HUAWEI] SHELL - LOGOUT"; content: "SHELL/4/LOGOUT"; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001579; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"[HUAWEI] SHELL - CMD"; content: "SHELL/4/CMD"; classtype: system-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001580; rev:1;)
# Hardware health events (fan / temperature) from the SRM module.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] FanAbnormal"; content: "SRM/3/FanAbnormal"; classtype: hardware-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001581; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] VentTemp2Hot"; content: "SRM/3/VentTemp2Hot"; classtype: hardware-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001582; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - add_success"; content: "SSH/4/add_success"; classtype: system-event; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001583; rev:2;)
# The per-event LOGIN_FAIL alert (sid 5001584) is left disabled; the
# thresholded drop rule below (sid 5001592) matches the same log message.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL"; content: "SSH/4/LOGIN_FAIL "; classtype: attempted-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001584; rev:2;)
# Active-response rule. "after: track by_src, count 5, seconds 300" holds the
# rule back until the 5th LOGIN_FAIL from one source inside 300 s; "threshold:
# type limit ..." then caps output at 5 alerts per source per 300 s; "fwsam:
# src, 1 day" asks the firewall to block that source for a day.
# The address blocked is the one "parse_src_ip: 1" extracts from the log text
# (Sagan's parse_src_ip takes the Nth IP address found in the message), not
# necessarily the syslog sender -- confirm against real Huawei LOGIN_FAIL
# samples that the first IP is the client address before running this with
# blocking enabled.
# The trailing space in "SSH/4/LOGIN_FAIL " appears deliberate: without it this
# rule would also match the LOGIN_FAIL_* variants that have their own sids
# (5001585-5001590). Keep it when editing.
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL - Brute force [5/5]"; content: "SSH/4/LOGIN_FAIL "; classtype: unsuccessful-user; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; parse_src_ip: 1; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001592; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_CHALLENGE_ERR"; 
content: "SSH/4/LOGIN_FAIL_CHALLENGE_ERR"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001585; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_COOKIE_ERR"; content: "SSH/4/LOGIN_FAIL_COOKIE_ERR"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001586; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_DISSCONNECT"; content: "SSH/4/LOGIN_FAIL_DISSCONNECT"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001587; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_PWD_ERR"; content: "SSH/4/LOGIN_FAIL_PWD_ERR"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001588; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_RETRY_OUT"; content: "SSH/4/LOGIN_FAIL_RETRY_OUT"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001589; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] SSH - LOGIN_FAIL_RSA_ERR"; content: "SSH/4/LOGIN_FAIL_RSA_ERR"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001590; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[HUAWEI] VRRP - LogAuthFailed"; content: "VRRP/3/LogAuthFailed"; classtype: unsuccessful-user; reference: url, huaweisymantec.com/en/download.do?id=658891; sid: 5001591; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[HUAWEI] USER_NOT_EXIST"; content:"SSH/4/LOGIN_FAIL_USER_NOT_EXIST"; classtype: unsuccessful-user; threshold: type limit, track by_src, count 5, seconds 300; reference: url, http://www.huaweisymantec.com/en//download.do?id=658891; sid: 5001532; rev:4;) 
rules/openssh-geoip.rules0000664000175000017500000000632712612177151015023 0ustar champchamp# Sagan openssh-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # Not getting the source IP addresses that you'd expect? 
Then you probably # have OpenSSH's "UseDNS" set to "Yes" in your sshd_config file. You'll # need to set that to "No" so Sagan can "find" the source IP addresses and # port information. # 10.1.7.2|authpriv|info|info|56|2013-12-02|14:21:19|sshd| Accepted password for bob from 10.1.16.1 port 51860 ssh2 alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via password from outside HOME_COUNTRY"; content: "Accepted password"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001874; normalize: openssh; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001874; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via publickey from outside HOME_COUNTRY"; content: "Accepted publickey"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001875; normalize: openssh; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001875; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[OPENSSH-GEOIP] Authentication success via keyboard from outside HOME_COUNTRY"; content: "Accepted keyboard-interactive"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001876; normalize: openssh; program: sshd; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001876; rev:1;) rules/vpopmail.rules0000664000175000017500000000550712612177151014071 0ustar champchamp# Sagan vpopmail.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[VPOPMAIL] Authentication failure for POP3 service"; content: "password fail"; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000211; sid: 5000211; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[VPOPMAIL] User not found/Invalid login for POP3 service"; content: "vpopmail user not found"; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000212; sid: 5000212; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[VPOPMAIL] Successful POP3 login"; content: "login success"; classtype: successful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000213; sid: 5000213; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET $POP3_PORT (msg:"[VPOPMAIL] Null password given for POP3 service"; content: "null password given"; classtype: unsuccessful-user; program: vpopmail; reference: url,wiki.quadrantsec.com/bin/view/Main/5000214; sid: 5000214; rev:3;) rules/imapd.rules0000664000175000017500000000550312612177151013330 0ustar champchamp# Sagan imapd.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
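# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Login failure: the pcre alternation covers both the "Login failed user="
# and the "AUTHENTICATE LOGIN failure" forms, case-insensitively (/i).
# parse_src_ip: 1 takes the first IP address found in the message as the
# source, so by_src correlation downstream keys on the client, not the server.
alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] User login failed"; pcre: "/Login failed user=|AUTHENTICATE LOGIN failure/i"; classtype: unsuccessful-user; parse_src_ip: 1; program: imapd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000367; sid: 5000367; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] Successful login"; content: "Authenticated user="; classtype: successful-user; program: imapd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000262; sid: 5000262; rev:5;)
# The two rules below use "normalize: imap" instead of parse_src_ip for
# source extraction, so they depend on the imap normalisation rules being
# loaded -- TODO confirm that is the intended difference from the rules above.
alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] User logout"; content: "Logout user="; classtype: not-suspicious; program: imapd; normalize: imap; reference: url,wiki.quadrantsec.com/bin/view/Main/5000276; sid:5000276; rev:3;)
# rev 4: msg typo fixed ("Exessive" -> "Excessive"); match content unchanged.
alert tcp $EXTERNAL_NET any -> $HOME_NET $IMAP_PORT (msg: "[IMAPD] Excessive login failures"; content: "Login excessive login"; classtype: unsuccessful-user; program: imapd; normalize: imap; reference: url,wiki.quadrantsec.com/bin/view/Main/5001078; sid: 5001078; rev:4;)
rules/juniper.rules0000664000175000017500000004363112612177151013716 0ustar champchamp
# Sagan juniper.rules
# Copyright (c) 2009-2015, Quadrant Information Security
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# Submitted by Brad Doctor (July 2nd, 2010).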
# Routing / ARP events. These early rules carry no "program:" or "reference:"
# keyword, unlike the later additions in this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] AS group missing"; content: "no group for"; content:"from AS"; classtype: network-event; sid: 5000888; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Duplicate IP address"; content: "KERN_ARP_DUPLICATE_ADDR"; classtype: network-event; sid: 5000889; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] BGP missing MD5 digest"; content: "missing MD5 digest"; classtype: network-event; sid: 5000890; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] ARP address change"; content: "KERN_ARP_ADDR_CHANGE"; classtype: network-event; sid: 5000891; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] BGP no route to host"; content: "bgp_connect_start"; content:"No route to host"; classtype: network-event; sid: 5000892; rev:1;)
# NOTE(review): the two authentication rules below are classed network-event
# although they describe login failures; the sshd rules later in this file
# (5001642-5001645) use unsuccessful-user for the same kind of event.
# "threshold: type limit, count 5, seconds 120" only rate-limits output (at
# most 5 alerts per source per 120 s); it does not wait for 5 failures the way
# "after:" does, so "Possible authentication dictionary attack" fires on the
# first matching line. No parse_src_ip is set, so by_src tracking presumably
# keys on the syslog sender (the device) rather than the client address.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Login authentication error"; content: "LOGIN_PAM_AUTHENTICATION_ERROR"; content:"PAM authentication error for user"; classtype: network-event; sid: 5000893; threshold:type limit, track by_src, count 5, seconds 120; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Possible authentication dictionary attack"; content: "LOGIN_INVALID_LOCAL_USER"; content:"No entry in local password"; classtype: network-event; sid: 5000894; threshold:type limit, track by_src, count 5, seconds 120; rev:1;)
# SONET / SDH link alarms.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SONET Alarm"; content: "Asserting SONET alarm"; classtype: network-event; sid: 5000895; threshold:type limit, track by_src, count 5, seconds 120; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Possible SONET ring failure"; content: "Major alarm set"; content:"SONET path remote failure indicator";classtype: network-event; sid: 5000896; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SDH Alarm"; content: "Asserting SDH alarm"; classtype: network-event; 
sid: 5000897; threshold:type limit, track by_src, count 5, seconds 120; rev:1;) # Champ Clark (03/01/2013) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_ATTEMPTS_THRESHOLD - Brute Force"; content: "SSHD_LOGIN_ATTEMPTS_THRESHOLD"; program: sshd; classtype: unsuccessful-user; sid: 5001642; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001642; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED_LIMIT - Brute Force"; content: "SSHD_LOGIN_FAILED_LIMIT"; parse_src_ip: 1; program: sshd; classtype: unsuccessful-user; sid: 5001643; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001643; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED"; content: "SSHD_LOGIN_FAILED"; program: sshd; parse_src_ip: 1; classtype: unsuccessful-user; sid: 5001644; reference: url,wiki.quadrantsec.com/bin/view/Main/5001644; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] SSHD_LOGIN_FAILED - Brute force [5/5]"; content: "SSHD_LOGIN_FAILED"; program: sshd; parse_src_ip: 1; classtype: unsuccessful-user; sid: 5001645; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001645; rev:3;) # Juniper Netscreens alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Fragmented traffic"; program: Netscreen; content: "Fragmented traffic"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000396; sid: 5000396; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] FIN but no ACK bit"; program: Netscreen; content: "FIN but no ACK bit"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000397; sid: 5000397; rev:1;) alert syslog $EXTERNAL_NET any -> 
$HOME_NET any (msg: "[NETSCREEN] Port scan!"; program: Netscreen; content: "Port scan"; classtype: network-scan; reference: url,wiki.quadrantsec.com/bin/view/Main/5000398; sid: 5000398; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] ICMP fragment"; program: Netscreen; content: "ICMP fragment"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000399; sid: 5000399; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Malicious URL"; program: Netscreen; content: "Malicious URL"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000400; sid: 5000400; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Large ICMP packet"; program: Netscreen; content: "Large ICMP packet"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000401; sid: 5000401; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] No tcp flag has been detected"; program: Netscreen; content: "No tcp flag has been detected"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5000402; sid: 5000402; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Denied traffic"; program: Netscreen; content: "action=Deny"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000403; sid: 5000403; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Syslog enabled"; program: Netscreen; content: "Syslog has been enabled"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000404; sid:5000404; rev:1;) # Juniper Intrusion Prevention System Signatures by Iman Khosravi alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] The scheduled IDP security package update failed to start"; content: "IDP_SCHEDULEDUPDATE_START_FAILED"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001129; 
sid: 5001129; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP daemon encountered an internal error"; content: "IDP_INTERNAL_ERROR"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001130; sid: 5001130; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] An attempt to start IDP policy daemon failed"; content: "IDP_DAEMON_INIT_FAILED"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001131; sid: 5001131; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP Attack log generated for attack"; content: "IDP_ATTACK_LOG_EVENT"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001132; sid: 5001132; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP Attack log generated for attack in a logical system"; content: "IDP_ATTACK_LOG_EVENT_LS"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001133; sid: 5001133; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP policy commit has completed"; content: "IDP_COMMIT_COMPLETED"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001134; sid: 5001134; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] There was an error while trying to commit the active policy in IDPD"; content: "IDP_COMMIT_FAILED"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001135; sid: 5001135; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP IPv6 support is not enabled for the rulebase"; content: "IDP_IGNORED_IPV6_ADDRESSES"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001136; sid: 5001136; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP policy compiler encountered an error while compiling or packaging the policy"; content: 
"IDP_POLICY_COMPILATION_FAILED"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001137; sid: 5001137; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A compiled and optimized IDP policy could not be loaded into IDP engine"; content: "IDP_POLICY_LOAD_FAILED"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001138; sid: 5001138; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A compiled and optimized IDP policy was loaded successfully into the IDP engine"; content: "IDP_POLICY_LOAD_SUCCEEDED"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001139; sid: 5001139; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A running IDP policy could not be unloaded from IDP engine"; content: "IDP_POLICY_UNLOAD_FAILED"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001140; sid: 5001140; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] A running IDP policy was unloaded successfully from the IDP engine"; content: "DP_POLICY_UNLOAD_SUCCEEDED"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001141; sid: 5001141; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] The scheduled IDP security package update has started"; content: "IDP_SCHEDULED_UPDATE_STARTED"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001142; sid: 5001142; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP background process has returned the security package install result"; content: "IDP_SECURITY_INSTALL_RESULT"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001143; sid: 5001143; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP session threshold crossing event"; content: "IDP_SESSION_LOG_EVENT"; classtype: suspicious-traffic; reference: 
url,wiki.quadrantsec.com/bin/view/Main/5001144; sid: 5001144; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP session threshold crossing event in a logical system"; content: "IDP_SESSION_LOG_EVENT_LS"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001145; sid: 5001145; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] IDP signature update license key has expired"; content: "IDP_SIGNATURE_LICENSE_EXPIRED"; classtype: program-error; reference: url,wiki.quadrantsec.com/bin/view/Main/5001146; sid: 5001146; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred"; content: "IDP_APPDDOS_APP_STATE_EVENT"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001147; sid: 5001147; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] application-level distributed denial-of-service (AppDDoS) state transition occurred in logical system"; content: "IDP_APPDDOS_APP_STATE_EVENT_LS"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001148; sid: 5001148; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack in a logical system"; content: "IDP_APPDDOS_APP_ATTACK_EVENT_LS"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001149; sid: 5001149; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[JUNIPER] Application-level distributed denial-of-service (AppDDoS) attack"; content: "IDP_APPDDOS_APP_ATTACK_EVENT"; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5001150; sid: 5001150; rev:1;) # Additional Juniper Netscreen rules by Adam Hall (ahall@quadrantsec.com) # 09/18/2012 alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] SYN Flood"; program: 
Netscreen; content: "SYN flood"; classtype: denial-of-service; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001611; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Teardrop attack"; program: Netscreen; content: "Teardrop Attack"; classtype: denial-of-service; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001612; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] IP spoofing"; program: Netscreen; content: "IP spoofing"; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001613; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] ICMP flood"; program: Netscreen; content: "ICMP flood"; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001614; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] SYN fragment"; program: Netscreen; content: "SYN fragment"; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001615; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Unknown protocol"; program: Netscreen; content: "Unknown protocol"; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001616; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Bad IP option"; program: Netscreen; content: "Bad IP option"; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001617; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] SYN-ACK-ACK"; 
program: Netscreen; content: "SYN-ACK-ACK"; classtype: suspicious-traffic; parse_src_ip: 1; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001618; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[NETSCREEN] Connection refused by the DNS"; program: Netscreen; content: "Connection refused by the DNS"; classtype: suspicious-traffic; reference: url,www.juniper.net/techpubs/software/screenos/screenos5.2.0/NS_Messages.pdf; sid: 5001619; rev:1;) # Juniper VPN devices - Champ Clark (cclark@quadrantsec.com) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN Login failed"; program: Juniper; pcre: "/ Login failed | authentication failed /"; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002022; sid: 5002022; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN Login failed - Brute Force [10/5]"; program: Juniper; pcre: "/ Login failed | authentication failed /i"; parse_src_ip: 1; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002023; sid: 5002023; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] Possible VPN Login bypass attempt"; program: Juniper; content: "not authenticated yet"; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002024; sid: 5002024; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN Unable to download virus signatures"; program: Juniper; content: "Unable to download current virus"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5002025; sid: 5002025; rev:3;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN - Possible scan/probe"; program: 
Juniper; content: "SSL negotiation failed"; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; classtype: suspicious-traffic; reference: url,wiki.quadrantsec.com/bin/view/Main/5002026; sid: 5002026; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORT (msg: "[JUNIPER] VPN - Policy violation"; program: Juniper; content: "Host Checker policy"; parse_src_ip: 1; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5002027; sid: 5002027; rev:1;) rules/bro-intel.rules0000664000175000017500000000432312612177151014130 0ustar champchamp# Sagan bro-intel.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # These are CATCH ALL rules. This means it will parse _all_ logs. alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[BRO-INTEL] Suspicious communications detected via Bro-Intel"; bro-intel: all; classtype: suspicious-traffic; after: track by_src, count 5, seconds 30; threshold: type limit, track by_src, count 10, seconds 60; parse_src_ip: 1; parse_dst_ip: 2; normalize: all; parse_proto; parse_proto_program; reference: url,wiki.quadrantsec.com/bin/view/Main/5002270; sid: 5002270; rev:1;) rules/adtran.rules0000664000175000017500000000450212612177151013505 0ustar champchamp# Sagan adtran.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # Adtran rules by James Lay - 06/25/2012 (actually, added well before that.. hrmph). alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] TCP INTERNAL BLOCK"; content: "Access Policy"; content: "tcp"; program: FIREWALL; normalize: adtran; classtype: bad-unknown; sid:5001126; reference: url,wiki.quadrantsec.com/bin/view/Main/5001126; rev:2;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"[ADTRAN] UDP INTERNAL BLOCK"; content: "Access Policy"; content: "udp"; program: FIREWALL; normalize: adtran; classtype: bad-unknown; sid:5001127; reference: url,wiki.quadrantsec.com/bin/view/Main/5001127; rev:2;) rules/telnet.rules0000664000175000017500000000612412612177151013531 0ustar champchamp# Sagan telnet.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[TELNET] Connection refused by TCP Wrappers"; content: "refused connect from"; classtype: tcp-connection; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000243; sid: 5000243; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[TELNET] Remote host established a telnet connection"; content: "connection from"; classtype: not-suspicious; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000244; sid: 5000244; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[TELNET] Remote host invalid connection"; content: "ttloop"; pcre: "/peer died|read/i"; classtype: network-event; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000245; sid: 5000245; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[TELNET] Reverse lookup error"; content: "can't verify hostname"; classtype: network-event; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000246; sid: 5000246; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $TELNET_PORT (msg: "[TELNET] Attempt to login with an option"; content: "Attempt to login with an option"; classtype: exploit-attempt; program: telnetd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000392; sid: 5000392; rev:2;) rules/snort-normalize.rulebase0000664000175000017500000000440612612177151016052 0ustar champchamp# Sagan snort-normalize.rulebase # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # This file is used in conjunction with liblognorm. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
prefix=
#
# Jun 2 00:41:47 demo snort: [1:19559:5] INDICATOR-SCAN SSH brute force login attempt [Classification: Misc activity] [Priority: 3] {TCP} 43.255.188.148:35236 -> 10.5.1.3:22
#
# NOTE(review): in the sample line above the left-hand address (43.255.188.148:35236) is the
# connection source and the right-hand one (10.5.1.3:22) the destination, yet the rule below
# binds the left-hand address to dst-ip/dst-port and the right-hand one to src-ip/src-port.
# If that swap is not intentional, anything keyed on the normalized source (presumably
# "track by_src" in rules that use "normalize") would key on the target rather than the
# scanning host -- confirm against the Sagan normalization convention before relying on it.
rule=: [%generator_id:number%:%sig_id:number%:%rev:number%] %sig_name:char-to:\x5b%[Classification: %classtype:char-to:\x5d%] [Priority: %pri:number%] {%proto:char-to:\x7d%} %dst-ip:ipv4%:%dst-port:number% -> %src-ip:ipv4%:%src-port:number%
rules/arp.rules0000664000175000017500000001406612612177151013024 0ustar champchamp# Sagan arp.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # "arpalert" rules - http://www.arpalert.org alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARP] arpalert - Detected new machine on the network"; content: "type=new"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000060; sid: 5000060; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected ip change"; content: "type=ip_change"; classtype: suspicious-traffic; program: arpalert; normalize: arp; reference: url,wiki.quadrantsec.com/bin/view/Main/5000061; sid: 5000061; rev: 2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - Detected new machine on the network [mac-new]"; content: "type=new_mac"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001079; sid: 5001079; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address flood"; content: "type=flood"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001080; sid: 5001080; rev:2;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address blacklisted"; content: "type=black_listed"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001081; sid: 5001081; 
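rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpalert - MAC address changed"; content: "type=mac_changed"; classtype: suspicious-traffic; program: arpalert; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001082; sid: 5001082; rev:2;)

# "arpwatch" rules - http://en.wikipedia.org/wiki/Arpwatch
#
# sid 5000062: the option keyword was misspelled "peference", which is not a
# rule option Sagan knows, so the reference was never attached to the signature.
# Corrected to "reference" and rev bumped 3 -> 4 to mark the change.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Detected new machine on the network"; content: "new station"; classtype: suspicious-traffic; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000062; sid: 5000062; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - 'flip flop' message."; content: "flip flop "; classtype: suspicious-traffic; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000063; sid: 5000063; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Exiting"; content: "reaper|3a| pid"; classtype: program-error; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000064; sid: 5000064; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Changed network interface for IP address"; content: "changed ethernet address"; classtype: suspicious-traffic; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000065; sid: 5000065; rev:4; )
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Startup/Exiting message"; pcre: "/exiting|Running as/"; classtype: not-suspicious; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000066; sid: 5000066; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Detected bad address len - ignored"; content: "sent bad addr len"; classtype: network-event; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5000067; sid: 5000067; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - New 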
activity [new machine]"; content: "new activity"; classtype: network-event; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001061; sid: 5001061; rev:3;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Broadcast address detected"; content: "ethernet broadcast"; classtype: network-event; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5001062; sid: 5001062; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Bogus IP address detected"; content: " bogon "; classtype: network-event; program: arpwatch; reference: url,wiki.quadrantsec.com/bin/view/Main/5001063; sid: 5001063; rev:1;) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[ARP] arpwatch - Ethernet mismatch [MAC != ARP]"; content: " ethernet mismatch "; classtype: network-event; program: arpwatch; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001064; sid: 5001064; rev:2;) rules/ssh-tectia-server-geoip.rules0000664000175000017500000000435112612177151016707 0ustar champchamp# Sagan ssh-tectia-server-geoip.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. 
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # These rules are for the SSH Tectia Server for Windows systems. alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg:"[SSH-TECTIA-SERVER-GEOIP] Authentication success from outside HOME_COUNTRY"; content: "Login_success"; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001878; parse_src_ip: 1; parse_dst_ip: 2; program: SSH_Tectia_Server; country_code: track by_src, isnot $HOME_COUNTRY; sid: 5001878; rev:3;) rules/php.rules0000664000175000017500000000643012612177151013025 0ustar champchamp# Sagan php.rules # Copyright (c) 2009-2015, Quadrant Information Security # All rights reserved. 
# # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[PHP] Fatal error"; content: "PHP Fatal error"; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000236; sid: 5000236; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[PHP] Warning message"; content: "PHP Warning"; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000237; sid: 5000237; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[PHP] Parse error"; content: "PHP Parse error"; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000238; sid: 5000238; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[PHP] Possible web attack"; content: "expects parameter 1 to be string, array given in"; classtype: exploit-attempt; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000240; sid: 5000240; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[PHP] Internal error [missing file]"; pcre: "/failed opening|failed to open stream/i"; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000241; sid: 5000241; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORT (msg: "[PHP] Internal error [call to undefined function]"; pcre: "/failed opening required|call to undefined function/i"; classtype: program-error; program: apache; reference: url,wiki.quadrantsec.com/bin/view/Main/5000242; sid: 5000242; rev:2;)